Protecting Patient Information: There Are Some Non-Obvious Leaks That Can Be Easy to Fix
Nothing is more private than information about one’s health. No other type of data is exchanged at such trying and crucial times. When one enters a hospital or a doctor’s office, one’s mind is typically focused on matters other than “where is my data going to end up?” or “who can learn about my condition?” When you are seriously ill, you don’t have time to think or worry about the sanctity of your information. You expect the doctors to heal you and you certainly don’t want to think about the individuals or organizations out there that benefit from stealing your private data.
On the medical practitioner side, doctors are adopting new technologies at a rate unlike ever before. Healthcare companies use technologies to track patient conditions, doctor prescription preferences, and other health-related information. Hospitals are making significant investments in cutting-edge technology, like the latest imaging devices or surgical robots, all to help ensure the health of their patients. Doctors must focus on the important challenge of healing; they don’t have time to think about who the bad guys are, or who is sniffing around looking to steal patient health information.
The unfortunate truth, though, is that there are bad guys out there trying to steal private information. The very complexity of the medical world means that data is flowing everywhere, and is ripe for the taking. A modern hospital, or even a doctor’s office, is more than the medical professionals that treat patients—they have evolved to become ecosystems and are, in many ways, very similar to an information technology (IT) company. These organizations are increasingly staffed with their own IT staff: technology specialists whose responsibilities are to deploy and maintain these new technologies and ensure that the benefits of the latest technologies are brought to bear to help patients. Typically, the IT staff is also responsible for ensuring that the organization is following HIPAA regulations, particularly in regards to the security and privacy of private health information (PHI).
This is quite a daunting task since the IT staff must also bridge the gap between “the way things were” and “advancing the organization with the latest and greatest.” Unfortunately, as these new technologies are deployed, it is very easy for technology specialists to focus on the near-term and miss some important credos related to the overall mission of protecting patient information:
The challenge of securing an organization increases with the scale of the organization and the number of different technologies that are called upon to serve the organization’s mission;
The security/privacy of any particular piece of information is governed by the security of the weakest technology that touches that information;
Organizations typically carry with them many legacy technologies that their members lean upon for familiarity and convenience;
The overall technological landscape is evolving rapidly, and is providing new tools to hackers and entities interested in acquiring PHI.
To describe these points another way: while it is essential that the latest telemedicine surgical system is deployed on the organization’s network and that it has the latest security patches, one should look at the organization’s entire technology ecosystem when considering the protection of PHI. Will that remotely-controlled, surgical robot share information with another system that has not had the latest patches? How are physically-separated doctors sharing pre-surgical information with each other? Are the administrative staff members interacting with doctors and patients using technologies that prevent information from being seen by others?
One major hurdle facing medical organizations is the challenge of coping with their wireless addiction. Wireless technologies, which have been around for decades and are a key enabling technology for the next generation of medical devices, are essential to hospitals because they are tetherless. Wireless devices allow doctors and nurses to roam anywhere within their organization, access patient records from a smart device, or even be on call while located off site. Wireless technologies are now integrated into pacemakers and insulin pumps, and will allow new sensors to collect data and monitor patient well-being remotely in real time.
Unfortunately, wireless technologies can be considered the weakest link for several reasons. First, many wireless-enabled devices are being used without careful consideration of their security and privacy implications. In fact, wireless technologies are so convenient that one forgets to think about their security. Second, wireless signals are not contained by physical boundaries. With the right tools, they can be seen well beyond the confines of the organization’s building, even at distances of hundreds of meters (or more!). In fact, technological advancements have made it easy and affordable for adversaries to record and decode wireless signals. Third, many wireless devices, such as the new generation of wireless-enabled medical sensors, will be power-limited and might not be able to employ security mechanisms.
It is now possible for anyone with a modest software programming background to acquire a wireless device, known as a software-defined radio, and program it to monitor wireless signals being transmitted in their vicinity. To drive the point home, using a USRP X310 software-defined radio with a UBX RF daughtercard, connected to a Linux laptop and running the publicly available GNU Radio software library, we found many wireless communications coming from a nearby hospital. The good news was that the internal WiFi networks were all secured (using WPA2). The bad news was that some signals were not. In particular, zooming in on the 929MHz band revealed frequent wireless transmissions (see figure). This band is particularly important as it corresponds to one of the paging bands frequently used by the medical community. The actual communications, in fact, are being sent using the FLEX paging protocol, a popular paging protocol developed by Motorola. Unfortunately, FLEX transmissions are unencrypted, and understanding them was easy because publicly available code for the USRP translates these signals. What one finds is alarming: full patient and physician names, dates of birth, social security numbers (SSNs), medical conditions and diagnoses, phone numbers and room numbers are all being transmitted in the clear!
Now, the reality is that the paging system is precisely one of those legacy technologies that has hung around because of its convenience. Doctors have used paging technologies for decades and, possibly, it is not even on the list of technologies that a hospital or doctor’s office IT staff tracks. But it should be, and so this raises the question: what can be done to protect PHI in this case and, in general?
First, medical organizations should assess whether they are using any paging technology and then transition to a more secure paging alternative, such as using cellular messaging or even “secure” paging apps that operate on smartphones.
Next, organizations should take a broader inventory of the technologies their employees use, covering both the latest and the legacy technologies. Each of these should get a quick sanity check to see whether any form of security is being used to protect it.
For cases where the technologies themselves do not use encryption, or more generally are not secure, the IT staff should identify secure alternatives and work with the organization’s executives to put together a roadmap to adopt them. This will, unfortunately, necessitate expenses, including new equipment and possibly expanding the IT staff.
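The sanity check in the steps above is easiest to argue for with numbers. The following is an added example, not code from the original post or from its authors: it assumes an organization can export the text of pages its own paging gateway has sent (most gateways keep such a log) and scores that export for the categories of PHI the 929MHz observation above turned up in the clear. The sample messages, the PHI regexes and the severity weights are all constructed for this example; patient names are deliberately not matched, since finding them reliably needs the census or directory rather than a regex.

```python
"""Audit a paging-gateway message export for PHI sent in the clear.

Added example, not code from the original post. It assumes the organization
can export the text of pages its own paging system sent and wants to know how
much PHI those pages carry before the system is replaced or its message
templates are tightened.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample export. Every name, number and condition here is invented.
SAMPLE_MESSAGES = [
    "DR SMITH CALL 732-555-0147 RE JANE DOE DOB 03/14/1961 SSN 123-45-6789 RM 412B CHF EXACERBATION",
    "LAB CRITICAL K+ 6.8 PT JOHN ROE MRN 0099871 RM 207 CALL 732-555-0199",
    "CODE BLUE ICU BED 4",
    "PLS CALL NURSING STATION 3W X4412",
]

# Category -> (pattern, weight). Weight 3 = identity-theft material, 2 = clinical
# or record identifiers, 1 = location/contact data that narrows down a patient.
# The diagnosis keyword list is a constructed stand-in for a real abbreviation list.
PHI_PATTERNS = {
    "SSN":       (re.compile(r"\b(?:SSN[:\s]*)?\d{3}-\d{2}-\d{4}\b", re.IGNORECASE), 3),
    "DOB":       (re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE), 2),
    "MRN":       (re.compile(r"\bMRN[:\s]*\d{5,}\b", re.IGNORECASE), 2),
    "DIAGNOSIS": (re.compile(r"\b(?:CHF|HIV|SEPSIS|OVERDOSE|PSYCH|ONCOLOGY)\b", re.IGNORECASE), 2),
    "ROOM":      (re.compile(r"\b(?:RM|ROOM)\s*#?\d{1,4}[A-Z]?\b", re.IGNORECASE), 1),
    "PHONE":     (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), 1),
}


@dataclass(frozen=True)
class Finding:
    message_index: int
    category: str
    text: str
    weight: int


def audit_messages(messages):
    """Return every PHI hit across the export, one Finding per match."""
    findings = []
    for i, msg in enumerate(messages):
        for category, (pattern, weight) in PHI_PATTERNS.items():
            for m in pattern.finditer(msg):
                findings.append(Finding(i, category, m.group(0), weight))
    return findings


def severity(message):
    """Worst category present in one message: 'high', 'medium', 'low' or 'none'."""
    worst = max((w for p, w in PHI_PATTERNS.values() if p.search(message)), default=0)
    return {3: "high", 2: "medium", 1: "low"}.get(worst, "none")


def redact(message):
    """Show what the same page looks like once each PHI field is replaced by its tag.

    This is a view of what a minimal page should have carried, not a fix: the
    remedy is to stop putting these fields into unencrypted pages at all.
    """
    for category, (pattern, _) in PHI_PATTERNS.items():
        message = pattern.sub(f"[{category}]", message)
    return message


def summarize(messages):
    """Counts an IT team can put in front of executives when arguing for replacement."""
    findings = audit_messages(messages)
    return {
        "messages": len(messages),
        "messages_with_phi": len({f.message_index for f in findings}),
        "by_category": dict(Counter(f.category for f in findings)),
        "by_severity": dict(Counter(severity(m) for m in messages)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_MESSAGES))
    for msg in SAMPLE_MESSAGES:
        print(f"{severity(msg):6s} | {redact(msg)}")
```

Run against a real export, the "messages_with_phi" and "by_severity" figures are the ones that matter for the roadmap: a high count means the paging system is carrying SSNs and needs replacing, while a long tail of "low" pages (room and callback numbers only) suggests the message templates, rather than the transport, are the first thing to fix. The redacted view of each page is also a useful template for what a replacement secure-messaging rollout should send in the first place.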
In all sincerity, we should put these warnings in a real-world context and recognize the silver lining. While security experts often advocate an “all or nothing” philosophy about security, the truth is that (generally) there aren’t hackers sitting out in the parking lot sniffing for wireless signals. Further, a little extra diligence can go a long way as many of the leaks will be easy to fix—like using a privacy filter to prevent shoulder surfing attacks (which, by the way, would be a useful item to install on most screens in a hospital). It is an exercise, though, that needs to be done across the nation at all levels of the medical community, from small medical practices to larger hospitals.
Ultimately, we believe there is a lot to be said for raising the bar for the casual hacker and plugging the easy holes, perhaps most notably that it clears the table, permits organizations to return their focus to deploying the new technologies that will advance healthcare, and allows doctors to dedicate their attention to healing patients.
This post was authored by Wade Trappe and Rob Miller.