Hacking Health - USENIX · Hacking Health, Professor Avi Rubin, Computer Science, Johns Hopkins...

Post on 16-Jun-2020


Hacking Health

Professor Avi Rubin, Computer Science

Johns Hopkins University


My first security evaluation, 2003

•  Rental receipt with printed CC#
•  Easy access to consumer data
•  Poor data security practices
•  Weak authentication, if any

Founded security evaluation company

Getting to know Health IT Security

•  In 2009, transitioned from e-voting security
   –  To healthcare IT security

•  Began with IT-focused tours of several hospitals
   –  Radiology, Pathology, Children's hospital, etc.
   –  About 6 visits
   –  Security situation was abysmal
      •  8,000 hospital employees, 100% access
      •  Nurse w/ "special task"
      •  Home VPN as bridge
      •  Desktop EHR access

Example: X-rays

[Figure: Old way vs. New way]

•  Blood Gas Analyzers (BGA) compromised
•  PACS system compromised

Healthcare is Unique

•  The players:
   –  Doctors
      •  (God complex; don't like new ways of doing things)
   –  Patients
      •  (often not tech savvy; don't follow instructions)
      •  Includes all of us
   –  Nurses & other clinical staff
   –  Regulators: Congress, FDA
      •  (well meaning; may not understand implications)
   –  Insurance companies
   –  Medical device manufacturers
   –  Entrepreneurs
      •  Mobile, Wearables, Internet of Things

Healthcare applications

•  Connectivity
   –  Modern devices, always connected, always on
   –  Databases always online

•  Mobile/cloud
   –  Data in multiple places
   –  Data owner not in possession of data

•  Expectation that data is always available

Key point: most interaction with health data is controlled by SOFTWARE

Controlled by software

•  Radiation dosage
•  Dosage of medication
•  Stocking of supplies in ICU
•  Shift schedule for Doctors & Nurses
•  EHRs
•  Drug dispensing robot
•  Communications of devices

Threat model:

Anything controlled by software is potentially exploitable.

Biggest bang for the buck

1.  Application whitelisting on medical devices
2.  Hygiene for backend systems
3.  Database Activity Monitoring – anomalous queries
4.  Multifactor authentication for remote access
5.  Virtualization for access to clinical data
6.  Universal encryption of data
7.  Terms of agreement with cloud service providers
8.  Automated support for security in chart accesses
9.  Privacy for self-identifying data (e.g. genome sequences)
    –  HIPAA safeguards inadequate
10. Authentication for clinical personnel
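Added example, not from the talk or from any hospital system: a minimal database-activity monitor of the kind items 3 and 8 above call for, run over constructed EHR chart-access audit records. It flags two of the patterns a monitor in front of a clinical database would look for: a clinician opening the chart of a patient they have no treatment relationship with, and any account sweeping an unusual number of distinct patient records in one hour. The pipe-delimited log format, the care-team roster, the role names and the 20-patient threshold are all assumptions made for the example.

```python
"""Toy database-activity monitor for EHR chart-access audit records.

Added example; the log format, roster, roles and thresholds are assumptions,
and every record below is constructed, not real patient data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed care-team roster: patient -> users assigned to that patient.
# Assumption: the EHR can export this so the monitor can check relationships.
CARE_TEAM = {
    "p1001": {"dr_chen", "rn_patel"},
    "p1002": {"dr_chen"},
    "p1003": {"dr_okafor"},
}

# Roles that must have a treatment relationship to open a chart.
CLINICAL_ROLES = {"physician", "nurse"}

# Constructed audit lines: timestamp|user|role|patient|action
SAMPLE_LOG = [
    "2020-06-16T08:55:10|dr_chen|physician|p1001|SELECT chart",
    "2020-06-16T08:57:42|dr_chen|physician|p1002|SELECT chart",
    "2020-06-16T09:10:05|rn_patel|nurse|p1001|SELECT meds",
    "2020-06-16T09:12:30|rn_patel|nurse|p1003|SELECT chart",  # not on p1003's team
    "2020-06-16T13:40:00|dr_okafor|physician|p1003|UPDATE chart",
] + [
    # A registration clerk reading 25 distinct records within one clock hour.
    f"2020-06-16T09:{m:02d}:00|clerk_smith|clerk|p2{m:03d}|SELECT demographics"
    for m in range(25)
]


def parse_log(lines):
    """Parse pipe-delimited audit lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, user, role, patient, action = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return records


def detect_anomalies(records, care_team, bulk_threshold=20):
    """Return (rule, user, detail) alerts: relationship alerts first, then bulk alerts."""
    alerts = []

    # Rule 1: a clinical user touching a chart without a treatment relationship.
    # Reported once per (user, patient) pair so a busy shift does not flood the queue.
    seen_pairs = set()
    for r in records:
        if r["role"] not in CLINICAL_ROLES:
            continue
        pair = (r["user"], r["patient"])
        if pair in seen_pairs:
            continue
        seen_pairs.add(pair)
        if r["user"] not in care_team.get(r["patient"], set()):
            alerts.append(("no_treatment_relationship", r["user"], r["patient"]))

    # Rule 2: any account, clinical or not, touching more than bulk_threshold
    # distinct patients inside one clock hour (the classic snooping/exfil signature).
    per_hour = defaultdict(set)
    for r in records:
        hour = r["ts"].replace(minute=0, second=0, microsecond=0)
        per_hour[(r["user"], hour)].add(r["patient"])
    for (user, hour), patients in sorted(per_hour.items()):
        if len(patients) > bulk_threshold:
            detail = f"{len(patients)} patients in hour starting {hour.isoformat()}"
            alerts.append(("bulk_access", user, detail))

    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG), CARE_TEAM):
        print(alert)
```

On the sample log this yields two alerts: rn_patel opening p1003, and clerk_smith reading 25 records in the 09:00 hour. The relationship rule is restricted to clinical roles because registration and billing staff legitimately touch records of patients they are not treating; the bulk rule still covers them. A production monitor would baseline the hourly count per role rather than use one fixed threshold, and would exempt documented break-glass access.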

Final Thoughts

•  Healthcare sector has unique security challenges due to:
   –  regulatory environment
   –  Stakeholders
   –  Dependence on software
   –  Availability requirements for data
   –  Affects us all personally!
   –  Trend towards cloud/mobile

•  Need to consider security implications of new technologies,
   e.g. network-connected infusion pumps

Speaker information

Professor Avi Rubin
Dept. of Computer Science
Johns Hopkins University
Email: rubin@jhu.edu
Web: avirubin.com
@avirubin