If there is one thing that unites antivirus researchers it is a determination to enable the most productive use of information technology by beating back the limitations imposed by bad actors. No, we’re not talking about the kind of bad actors you find in straight-to-video movies, but bad people who commit immoral and illegal acts in the selfish pursuit of their own agendas, like infecting your computer with their malicious code.
Clearly, the abuse of technology reduces the productivity gains possible from technology, but does this mean we should delay deployment until all abuses can be ruled out? This is a critical question faced by organizations in many fields, none more so than healthcare, a sector that has seen rapid growth in the deployment of digital systems aimed at delivering better medical care at lower cost. Unfortunately, despite an explicit regimen of rules aimed at safeguarding the privacy and security of patient data in the U.S., the sector is currently rife with security breaches.
If you examine the breaches of unsecured protected health information since late 2009, as reported by the U.S. Department of Health and Human Services, you can see that more than 17,000 records have been exposed every day, on average, for more than three and a half years. No wonder that a Washington Post headline late last year proclaimed: Health-care sector vulnerable to hackers. The article includes a pretty damning quote from Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University:
“I have never seen an industry with more gaping security holes. If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”
One area of healthcare where this security shortfall is apparent is telemedicine, the practice of electronically connecting geographically separate doctors, patients, and other elements of healthcare delivery. Telemedicine is not new, but it’s now growing faster than ever before. Right now, the pressure on telemedicine to deliver both health benefits and cost savings has never been greater. As a result, the global telemedicine market is expected to grow by nearly 20% per year for the next few years, on track to exceed $27 billion by 2016. America probably represents more than a quarter of that market, around $7 billion. Such a rapid pace of technology deployment, particularly one which is partially driven by changes in industry regulation, tends to ring alarm bells for information security professionals because of a long history of unhappy consequences.
Consider the electronic filing of tax returns, first introduced in 1986, and from which telemedicine could learn some lessons. Recently, Treasury Secretary Jack Lew testified that more than 80% of Americans now file their tax returns electronically, “saving the Department [the IRS] millions of dollars every year.” Sounds like a success story, right? Unfortunately, Lew avoided mentioning that in July of last year the Treasury Inspector General for Tax Administration estimated fraudulent tax refunds made possible by electronic filing have already cost the Treasury $5.2 billion. Furthermore, over $20 billion in potentially fraudulent refunds could be issued, electronically, in the next five years.
These are not theoretical losses. In cities like Miami and Tampa we’ve seen multiple cases of criminals “earning” a million dollars or more, each, from such schemes, which rely on a form of identity theft. Why is this relevant to telemedicine? Because it tells us that any security vulnerabilities in telemedicine technology that can be used to make money will eventually be exploited, mercilessly and at scale. It also tells us that building security into systems from the outset works way better than bolting on security after technology has been deployed (think healthy lifestyle preventing heart disease versus fixing up a diseased heart).
So, what are the chances that telemedicine will succeed in maintaining the confidentiality, integrity, and availability of health-related information in the foreseeable future? Right now, they do not look good, and I base that assessment on three symptoms:
You need look no further than the Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy & Data Security, published in late 2012, to know that all is not well:
“Healthcare organizations seem to face an uphill battle in their efforts to stop and reduce the loss or theft of protected health information (PHI) or patient information…The consequence of not having adequate funding, solutions and expertise in place is clear. Since first conducting this study in 2010 the percentage of healthcare organizations reporting a data breach has increased and not declined.”
During the roll out of the HIPAA privacy and security rules a decade ago, I had the pleasure of working with Dr. Larry Ponemon and know that he does not jump to conclusions or make casual assessments. The above is his considered opinion and it is a chilling one when you flesh it out with statistics like the percentage of organizations in the study that had at least one data breach in the past two years: 98%. Indeed, the average number of breach incidents for each participating organization in the past two years was not one or two, but four. Clearly, the existence of a framework of privacy and security regulations and fines has not forced healthcare institutions to do a stellar job of protecting patient data.
The systematic review of telemedicine literature published in 2011 by Garg and Brewer made it pretty clear that the sector was not yet living and breathing security in the way it must if it wants to survive exposure to the malicious elements that will eventually attack it:
“There is a dearth of standardization in telemedicine security across all chronic illnesses under study. It also appears that many telemedicine researchers are unfamiliar with the field of security in general.”
While there may be products and services in development to help telemedicine protect patient data, the anecdotal evidence is not promising. At a recent healthcare IT conference I spoke to a company that sells secure medical report delivery systems for doctors and hospitals. When I asked him how most doctors deliver medical reports he said 60% send them as faxes, a method which he characterized as “the slowest, most expensive, and least secure”.
Just yesterday the Wall Street Journal reported that the U.S. Food and Drug Administration has asked medical-device makers to fortify products against hackers and malware, citing “a recent uptick in cybersecurity incidents affecting equipment such as patient monitors and imaging devices”. (Further reading: ESET’s coverage of the story here and David Harley on the security of medical devices.)
While factors 1 and 2 would be bad news enough for telemedicine, the third factor, the emergence of a sophisticated malware industry, is perhaps the scariest. Why? Because it is not yet on the radar of enough people in the world of healthcare IT. Indeed, right now there are not enough people in general who know that all it takes to engage in cybercrime is a lack of ethics and a basic knowledge of how to surf the web.
In recent years we have entered a new phase of digital malfeasance, in which all of the elements you need to rip off people and companies, from malware to mules, are available to rent or buy in a system of markets. For those not familiar with the jargon of this thriving underworld that exists just below the surface of the web, malware is malicious code, the software that infects and suborns digital devices, from desktops to smartphones, laptops to tablets, card readers to web servers. Mules are the people who turn fake credit cards into cash, like the $45 million that was taken from ATM machines around the world earlier this year, in a matter of hours.
Thanks to these markets, and the natural processes of specialization and division of labor that they foster, the people who write the elements of malicious code – the droppers, bootkits, rootkits, keyloggers, exploit packs, DDoS modules, spam modules, obfuscators, packers, and injection scripts – have been able to focus on what they do best, then sell their wares and services to the highest bidder, in most cases with very little risk of detection, let alone prosecution. That means new exploits can be developed and deployed quicker than ever. (Here are my slides and notes on this industrialization of malware.)
As soon as they figure out how to profit from compromising the massive amounts of data flowing through telemedicine systems, the bad guys will attack that “market” with the same vigor we have seen in their exploitation of the banking system, retailers, telecom operators, and just about any business that handles a lot of money. The fact that, in the case of telemedicine, malware-based attacks may put people’s lives at risk will pose no impediment to their perpetrators.
Despite some media stereotypes, security researchers tend to be big fans of technology, and I can see the enormous benefits to people and society that could be reaped from telemedicine. The President of the American Telemedicine Association, Edward Brown, MD, recently pointed to exciting new initiatives “like ACOs, Medicare re-admission penalties and the medical home – programs that need telemedicine at their core – including telehomecare, remote monitoring, text messaging, videoconferencing and eConsultation.”
Yet there is one set of bars in a chart in the Ponemon study that tells me the task of realizing these benefits in a safe and sustainable way is not going to be easy. It shows the percentage of healthcare data security incidents classified as criminal attacks. That number rose from 20% in 2010 to 33% in 2012. I fear we are seeing the result of too little security expertise applied too late. Whether it is healthcare in general, or telemedicine in particular, failing to respond adequately to this situation could have painful and tragic consequences for an industry full of promise.
Author Stephen Cobb, ESET