Seven months ago I began an odyssey through our medical system that ended in December with my last visit to my surgeon's office.
Throughout the entire experience, I couldn't help but make mental notes about the security practices I encountered.
I want to be clear from the beginning – nothing I saw was egregious or malicious, just caring people trying to get a difficult job done AND navigate the security requirements of computer systems and our laws (e.g., HIPAA). In fact, the most encouraging theme I encountered in all of my interactions and observations was an understanding of the need for the security measures in spite of any inconvenience.
But, in practice, real world security is so much more complicated than just good programming practices and deployment configurations.
As a software developer, this is a problem I face all the time: not understanding enough about how the products I build will be used in the real world. For example, a nurse recorded my vitals in the medical software system, logged out of the program and left my room.
Now, I know that the application developers think they did a good job by implementing users, accounts, logins and logouts, probably all logged for accounting and all that. The system admins think they did a good job of installing the computer in my room and getting it on the network and providing AD logins and logout functionality, etc.
So far, everyone has done a good job as individuals, but as soon as the nurse left, I could have easily owned that machine and been on the network. I am not a good hacker by a long shot, but what went wrong is that the nurse logged out of the software as she was told to do but left the computer's desktop wide open. Presumably, she was never told she needs to lock the computer, too.
Without touching the actual computer, I could see that it was logged in to the hospital network and what IP and network config it had, among other diagnostic info from a super helpful desktop tray app. Classically violating security too, there was a Post-it note with account credentials on the keyboard.
Ironically, the physical computer was locked up, but all of its connections were accessible, including power, network and USB ports.
This was a theme in every doctor's office I visited and in the hospital rooms where I stayed. Every time my vitals were taken or I sat down in an examination room, the nurse would record some data, log out of or lock the application, and leave the computer logged in and accessible.
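The gap described above is between logging out of an application and locking the operating-system session, and it is exactly the gap an enforced idle lock closes without relying on anyone remembering to press Win+L. The following PowerShell script is an added example, not part of the original post and not any hospital's or vendor's code: it reads the Windows "Interactive logon: Machine inactivity limit" policy value (`InactivityTimeoutSecs` under the documented `Policies\System` key) and reports whether an unattended desktop will lock itself, optionally setting it. The 300-second target and the script name are assumptions chosen for illustration.

```powershell
# Added example (not from the original post): report, and optionally enforce, the
# Windows "Interactive logon: Machine inactivity limit" so that a desktop left
# unlocked after an application logout still locks itself after a short idle period.
# Registry path and value name are the documented policy locations; the default
# 300-second target is an assumption for illustration.
[CmdletBinding()]
param(
    [int]$MaxIdleSeconds = 300,   # assumed target: lock after 5 minutes idle
    [switch]$Enforce              # write the value instead of only reporting it
)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'InactivityTimeoutSecs'

# Read the current limit; a missing value or 0 means "never lock on inactivity".
$current = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($null -eq $current -or $current -eq 0) {
    Write-Warning "No machine inactivity limit is set: an unattended desktop stays unlocked indefinitely."
} elseif ($current -gt $MaxIdleSeconds) {
    Write-Warning "Inactivity limit is $current s, above the $MaxIdleSeconds s target."
} else {
    Write-Output "Inactivity limit is $current s (OK)."
}

if ($Enforce) {
    # Requires an elevated shell. The value is a REG_DWORD in seconds (0 disables the lock).
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name $valueName -Value $MaxIdleSeconds -Type DWord
    Write-Output "Set $valueName to $MaxIdleSeconds seconds; it takes effect at the next policy refresh or sign-in."
}
```

Run it as `.\Check-IdleLock.ps1` to audit a workstation, or `.\Check-IdleLock.ps1 -Enforce` from an elevated prompt to set the limit. On a domain-joined fleet the same setting belongs in Group Policy (Security Options) rather than in a per-machine script; the point of the check is that the lock no longer depends on the person walking out of the room.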
Now, one might say that these are computers that are hard to get to and so are protected by defense in depth, but that brings up physical security in the medical world.
There were certainly things that were secured – there was no way I could obtain any drugs without encountering serious security – but every hospital I have been in, including this one, allowed visitors to come and go completely unsupervised (I wasn't in ICU or maternity).
While my daughter and I joked about taking beds and wheelchairs for rides, it would have been trivial for me to walk off with medical equipment and computers with a tiny bit of social engineering (such as dressing like a janitor – if you watch them, they move through the hospital system surrounded by privileged users and have access to most of the same locations and equipment and nobody really notices they are there).
I was constantly surprised by how easy it was to get in and out of most of the hospital any time of day or night and, once in, the amount of access that was available.
Another anomaly I noted was that the drug dispenser I was attached to for a few days was physically "secured" by a lock that I could have picked the first time I picked up a bobby pin, and, according to the hospital bills, contained several thousand dollars' worth of opioids.
Ignoring that bit of trivia, I spent a good part of one sleepless night examining this device and, using its front panel interface, I was able to view all sorts of interesting things in the system with no authentication required.
I think I could have doubled my dosage or removed the time limit between dosages (or had those things done to me) or manipulated the device in any number of ways because the developers didn't think it needed to be secured.*
It would log all changes for sure, but as whom? In fact, I devised a little murder mystery that night – "How to Get Away with Murder in the Hospital" – but I won't be publishing it any time soon. It was also interesting to note, as I examined the devices attached to me, that each device had at least one physical port of some sort on the back for integrating with a computer system, and I bet some had wireless access, too.
I didn't think of scanning the room in Bluetooth or other spectrums (see earlier note about opioids), but I'd be curious to know what kind of security is on those interfaces to the devices. My bet is zero: the device vendor didn't think there would be any need for someone connecting to the RS232 port to supply credentials – and maybe there isn't, until the computer that connects to the device is connected to a network!
I know there are other mitigations in effect that reduce the risk of these things happening and that, in general, patients aren't at great risk, but it is a hobby of mine to note the security issues I see around me as I go through life.
Like I said at the beginning, none of these issues makes me feel like hospitals are unsafe or high risk, but that a hospital is an environment that mixes the need for trust and access with the need for security in very interesting ways.
To me, this is a reminder to consider issues outside the scope of the software itself as part of the security picture. It also reminds me that no matter how good the software security is, if it isn't usable and easy, humans will work out how to subvert it, many times in the name of doing good.
*I want to note that I examined the dispenser while still attached to it - I am pretty sure of what I remember of that investigation, but I took no notes and didn't try anything - it was not in my interest to mess with the machine, if you follow my reasoning. Anyway, if I missed something about this system and am in error, at least I have a good excuse ;)
Title image courtesy of ShutterStock