By Marty Graham, Contributor
As a hospital emergency room physician, Dr. Christian Dameff knows the value of fast access to a patient’s medical records. More than a few decisions are made with the help of records; knowing a patient is diabetic, for example, tells the ER doctor that blood sugar will need to be monitored, whatever the situation or procedure.
It’s for this reason it worries Dameff that if someone wanted to kill a patient, doctors and nurses could become unwitting tools in a murder triggered by hacking the patient’s medical records and changing key details. He’s certain it can be done. In August, Dameff and two colleagues demonstrated the attack at a hackers’ conference, slipping into the routing that’s part of the most widely-used hospital internet and intranet protocols.
The attack was “rather trivial technically,” Dameff said. “It’s pretty easy to perform an attack on legacy records systems.”
A Vulnerable System
The white coat team – Dameff, whose practice is at the University of California San Diego (UCSD) Health System; Dr. Jeff Tully, a pediatrician and anesthesiologist at the University of California Davis; and Maxwell Bland, a computer science post-grad at UCSD – used a precise model of a healthcare’s records system, not the actual hospital for the demonstration.
The idea for this hack attack started with the knowledge that medical records are often unencrypted and shared using communication devices with inadequate security. Many hospitals, labs, and doctors still use the Health Level 7 (HL7) standards created almost 40 years ago. Many, if not most of them, are not secure.
“The HL7 protocols are run everywhere,” Dameff said. “When they were designing the protocol in the 1980s, they weren’t considering that someone might want to hurt someone in our care.”
Those vulnerabilities made it possible for Dameff, Tully, and Bland to penetrate the system in what’s called a man-in-the-middle attack between the lab and the system, set up to mimic hospital patient records. During a man-in-the-middle attack, direct communication between two actors is hijacked or compromised by the third bad actor between them. (Spoofing and phishing are easy examples.)
“We are where the financial industry was 20 years ago, before finance recognized it was really important to get the security right.”
— Dr. Christian Dameff
The white coat hackers demonstrated they could make changes to blood test results and thus could cause care providers to unknowingly deliver fatal treatments in seemingly routine examinations. In one instance, they changed results to look like a patient had low potassium levels and another to look like a diabetic patient who needed insulin.
“Our hearts rely on a very controlled concentration of potassium, and when [doctors] see it’s too low, we know people can get paralyzed and die, but if your potassium levels are too high, it can cause your heart to stop,” Dameff explained, pointing out that a high dose of potassium is part of the lethal-injection execution cocktail. “Doctors give patients potassium all the time when we see low levels.”
As Dameff explained it, modern healthcare is so complex that these small details are very important – the complexity of using appropriate and beneficial treatments depends on having accurate information. “Medicines and treatments are double-edged swords,” he said, “they can be very helpful, but only in the right context.”
To further demonstrate this vulnerability, the white-coat hackers inserted themselves between a laboratory and a hospital system and became part of the traffic of lab reports headed for medical records.
“It was easy to intercept that communication — to identify a particular patient and obtain their identity and medical records,” Dameff said, “and it was easy to alter the results and send them to the hospital.”
The HIPAA Effect
In 2017, the U.S. Health Care Industry Cybersecurity Task Force assessing the state of cybersecurity concluded that hospitals and medical systems “often lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information, and the capability to act on that information.”
What’s more, the report went on, “many organizations also have not crossed the digital divide in having the technology resources and expertise to address current and emerging cybersecurity threats.” The report cites the legacy systems with large numbers of vulnerabilities, and few modern countermeasures.
Hospitals have long lagged behind the electronic frontier, plunging into cyberspace only to meet federal mandates to share and access patient information. The rush to the web was focused on fixing this interoperability in order to receive federal reimbursements, including Medicare.
“If you talk to hospitals about security, they think of HIPAA,” Dameff said. “The administrators don’t understand the potential danger to patient health — that these attacks could actually hurt people.”
The federal task force concluded that 80 percent of hospitals lack even one full-time employee patrolling the cybersecurity beat. That lack of security extends far outside of hospitals, in part, because a single medical facility can have thousands of linked devices outside the building — from physician tablets to monitors and medical devices used by patients.
“In theory, interoperability is a great thing for patients, and in principle it’s a great idea — we can get important information to help our patients,” Dameff said. “What we failed to do was develop security to match the connectivity. We went to connectivity at such a fast pace that our ability to secure these systems didn’t keep up.”
Dameff, Tully, and Bland demonstrated conclusively how their attack, dubbed Pestilence, exploited the gaps without being detected. “Our attack allowed us to read all the information going from point A to point B — all ‘protected’ information in a medical record,” Bland said. “It’s easy to read the data that streams across the network unencrypted.”
In fact, it was just as easy to manipulate the records, Dameff found. “We took it to the next step and changed things,” he said. “We could change radiology results; we could change information about allergies, for example, penicillin allergies, where administering a dose can be fatal.”
Hospital Security Pioneers
Some medical systems – those with more money – are investing in cybersecurity. The Mayo Clinic in Minnesota is “a bright shining light,” Bland said. The clinic has a staff of about 100 working on cybersecurity.
Yet, what the clinic needs to protect itself is staggering. Along with the various hospitals and locations to account for, director of clinical security Kevin McDonald said the clinic had 25,000 devices plugged into hospital systems.
According to Bland, the Mayo Clinic is an outlier, but one that other medical systems should pay attention to. “Healthcare is distinct from other sectors in that the manipulation of critical infrastructure has the potential to directly impact human life, whether through direct manipulation of devices themselves or through the networks which connect them,” he wrote in the research paper.
The white coat hackers are not making their methods public quite yet — the hack was meant to test the systems and call attention to the vulnerabilities. Dameff is quick to point out that hospitals have plenty of security, but not what they need on the patient-protection front.
“We are where the financial industry was 20 years ago, before finance recognized it was really important to get the security right,” Dameff said. “Hospitals are trying to secure their records with firewalls and virus protection, but it gets fragmented, is hit-or-miss.” What’s more, “there’s a disparity between the well-funded hospitals and the underfunded hospitals.”
A lot of hospitals know about healthcare’s industry-wide vulnerability and have decided to use their HL7 system only in their hospital and immediate network because they assume that it is safe from outsiders. It is not, Dameff said.
Damett and Bland look at the attacks on hospitals – including the WannaCry virus ransomware attack on 81 hospitals in the United Kingdom – as a glimpse at the future of healthcare system attacks.
“Something really big is going to happen if we don’t get there first,” Dameff said. “I fear in the meantime we’re going to have a WannaCry situation and that will lead to a crisis of confidence for patients.”