Hacker calls health security 'Wild West'

'What's in the news is just the tip of the iceberg'
By Erin McCann
08:15 AM

Kevin Johnson is a professional hacker -- albeit a self-described ethical one. As head of the security consulting firm Secure Ideas, his job involves probing into organizations' networks and applications to identify vulnerabilities. And what he sees in healthcare terrifies him.

Johnson, who will moderate a panel – "Frontline Perspective: Combating Cyber Crime in Healthcare" – at the HIMSS Media and Healthcare IT News Privacy and Security Forum June 16-17 in San Diego, has conducted tests for health insurance companies, hospitals and medical app companies. For the majority of them, he said, "security sucks."

In an alarming number of cyber attacks, for instance, organizations were completely unaware they had been hacked, according to a March FBI report. Some "3,000 organizations of all types, but very many of them medical related, the way they found out there was a problem with their network is they got a phone call from the FBI," said Johnson. "If the FBI is initiating your incident response, you have a problem."

Part of that problem pertains to perceptions of these healthcare organizations – in particular, many smaller hospitals.

"They’ll say to you, 'Who's going to attack me? I'm some small hospital … we don't have anything people care about; we don't have credit card numbers,'" he said. These perceptions can get organizations and, more importantly, consumers into a whole lot of trouble. Using medical records for identity theft actually profits the bad guys more, Johnson pointed out: "Here is a massive piece of data that as a bad guy, I would want to have access to."

The folks at the five-hospital St. Joseph Health System in Bryan, Texas, are seeing this firsthand. Just this past February, in one of the biggest HIPAA security breaches ever reported, the health system notified 405,000 individuals that their medical data, Social Security numbers, dates of birth and addresses had been compromised after a three-day-long security attack.

Hospitals are far from the only offenders, Johnson added. Vendors are equally to blame for shoddy security. Johnson recalled conversations with medical app developers, with one app in particular used by many major medical hospitals and recommended by insurance companies. The developer described the security of the app as being base64 encryption – something that doesn't actually exist.

"Base64 is not an encryption mechanism; it's an encoding mechanism," said Johnson. "That's like saying because I spoke in French and you don't understand French, it's secure."

Due to non-disclosure agreements, he can't name the app. But because of the deficiencies of apps and third-party vendors out there, Johnson recommends that healthcare organizations verify vendors' security and make it part of their contract. 
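As an added example (not from the article or from any vendor it mentions), the Python check below shows what Johnson's distinction means when verifying a vendor's claim: a "protected" field that base64 decoding alone turns back into text was never encrypted, because no key is involved. The function names and the sample record are constructed for illustration.

```python
import base64
import binascii

def decode_if_base64_text(value, min_len=4):
    """Return the text recovered by base64 decoding alone, or None.

    No key is involved: any result here means the field was only encoded.
    None does not prove encryption, only that decoding did not yield text.
    """
    s = value.strip()
    s += "=" * (-len(s) % 4)              # tolerate stripped padding
    for altchars in (None, b"-_"):        # standard, then URL-safe alphabet
        try:
            raw = base64.b64decode(s, altchars=altchars, validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, ValueError):
            continue                       # not base64, or not UTF-8 text
        if len(raw) >= min_len and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None

def audit_fields(record):
    """Map each field name to the text recoverable without a key."""
    found = {}
    for name, stored in record.items():
        text = decode_if_base64_text(stored)
        if text is not None:
            found[name] = text
    return found

# Constructed sample record (not real data).
SAMPLE = {
    # Encoded only: standard base64 of readable text.
    "ssn": base64.b64encode(b"SSN 000-00-0000").decode(),
    # Encoded only: URL-safe base64 with its padding stripped.
    "visit_reason": base64.urlsafe_b64encode(b"reason: flu shot").rstrip(b"=").decode(),
    # Constructed stand-in for ciphertext: non-text bytes, base64-wrapped for storage.
    "session_key": base64.b64encode(bytes(range(0xE0, 0x100))).decode(),
}

if __name__ == "__main__":
    for field, text in audit_fields(SAMPLE).items():
        print(f"{field}: readable without a key -> {text!r}")
```

A field that this check does not flag may still be unprotected (compressed, hashed or weakly encrypted data also decodes to non-text bytes), so it is a first screening step, not evidence of sound encryption.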

Security deficiencies and subsequent data breaches can also be partially attributed to IT folks failing to do their job, he added, and neglecting to detect in a timely manner when something on the network looks wrong. He's aware he comes off harsh, but there’s good reason for it.

Just as someone who drives to work every day would notice if the car made a noise it never usually makes, IT folks should know what’s right on their networks: how much traffic they have and what processes run on the machines. For instance, if a keylogger were installed, it wouldn't take a month to identify something like what transpired at UC Irvine last month.

"This is not just a security thing; this is an everything thing," said Johnson. "If you don't know what's normal on your network, how can you manage your network?"

In addition to the glaring security failings on the IT end, healthcare's clinical end doesn’t exactly breed a culture of security, noted Johnson.

He recounted one of his recent visits to the doctor where, upon arrival, he was asked to sign in on a piece of paper, together with his Social Security number, date and the reason for the visit. Johnson told the staff he wouldn't be filling it out – a response met with a considerable amount of shock.

"Well, Kevin, I think you're making a bigger deal of this than it is," said one staff member.

But Johnson works on the incident response end. He sees the identity theft, the hacking, the breaches and the severe network deficiencies. It is a big deal, he countered.

Healthcare security, in its current state, is "the Wild West," said Johnson. "What's in the news is just the tip of the iceberg."