Don't look now, you've been hacked!
Attendees at HIMSS13 -- in one way or another entrusted with the protection of their patients' personal health information -- may not be pleased to learn that they work in the most widely breached industry in the United States.
"The security tools that you put in place aren't really stopping us as hackers," said David Kennedy, founder and principal security consultant at TrustedSec, an information security firm based in Strongsville, Ohio. Kennedy, whose professional experience includes work for the National Security Agency and the U.S. Marines (cyber warfare and forensics analysis), presented "Hacking Your Life," a Views from the Top educational session at HIMSS13 on Tuesday.
"When we look at different industry verticals such as retail or manufacturing or banking, they're trying to be very proactive when it comes to what mechanisms they have in place. However, it seems that time and time again, for us to get into medical systems or hospitals, it's very trivial," said Kennedy.
Statistics bear out his claim. Last year, Kennedy performed about 150 penetration tests against hospitals. "Out of those 150, not one of them stopped us from breaking in and taking all their data," he said. "With current technology, it's never been easier to break into an organization."
According to the Open Security Foundation's DataLossDB, which tracks the loss, theft or exposure of personally identifiable information, the highest number of such incidents over time occurred in 2012. And of the 1,520 total incidents reported last year, 327 occurred in the medical industry.
What can happen if hackers break into a hospital or specific medical devices? Kennedy's answer is chilling: "Anything is possible."
For example, medical equipment can be used to kill patients – by delivering a lethal charge of electricity into a hacked pacemaker from a distance as great as 50 feet. Kennedy also cited cases from his own penetration-testing experience in which he was able to alter the records of patients scheduled for surgery.
Kennedy warned that current anti-virus technology only protects against breaches about three percent of the time. He said organizations need to assess security from a business perspective. "If you start securing systems at the business level -- by finding where your critical assets are and securing them instead of trying to secure the entire infrastructure -- it's a much better approach to defending against the attacks that are out there."
Kennedy will be signing copies of his book Metasploit: The Penetration Tester's Guide at the Diebold booth (#1661) on the exhibit floor.