Sachin Gaur is Director, Operations at InnovatioCuris. He is interested in the topics of mHealth and cyber security.
Abstract: We are seeing phenomenal technology shifts, and human life is greatly impacted by them. The health sector is not untouched, as health systems now have deep IT integration and caregivers increasingly rely on the information shown by digital systems. Hence, any compromise of the integrity of such systems would lead to wrong diagnosis or treatment. This paper investigates some of the early signals about the kinds of threats relevant to health systems.
The famous Silicon Valley investor Marc Andreessen says, “software is eating the world”, by which he means that we are increasingly bringing software into systems to increase efficiency or to lower the cost or time involved in a process. However, software is written by humans, and humans are prone to making mistakes. Various experts estimate that 1000 lines of code (KLoC) contain approximately 15-50 bugs. Bugs here are mistakes made by the programmer while writing the software code. Bugs often result in some kind of malfunction or wrong output. Some of these bugs can be exploited by a third party, making the larger system vulnerable or, as we say, hackable. As long as humans write software, there will be bugs.
In a typical software company, as bugs are discovered, new code is written to fix them. The new code may itself introduce new bugs, and so the cycle continues. At the consumer end, we keep receiving over-the-air software updates on our phones, laptops and other devices; many of these are the software company's attempt to correct past mistakes.
A lone computer hacker or an organized crime group looks at these software updates (sometimes called patches) with great curiosity, as for them this could be a chance of hitting the jackpot! They reverse engineer the patch and try to understand the bug that it is trying to fix. Very often systems are not kept up to date, which leaves most systems with a known vulnerability that the hacker can take advantage of after understanding it well. Hackers can then create anything from a simple script (a snippet of programming code) to sophisticated software that takes advantage of the vulnerable system. We call such a program malware, as it is built with bad intent.
Today, this has gone from a hobby crime to organized crime! Software companies regularly receive communication from bounty hunters who have found critical bugs in their software and who, in exchange for not exposing them, want to be paid bounty money. Some software companies have gone further and engaged these bounty hunters to reduce security risks in their software.
In some cases the hacker is not interested in the bounty money (and hence does not inform the software maker) but is rather interested in exploiting the bug. Sometimes the bug is not known to the software maker or to anyone else in the world and can be converted into a lethal attack. Such attacks are known as zero-day attacks, as no prior knowledge of the vulnerability exists. Hence, most software security solutions, like antivirus software, do not work against them. Knowledge of an exploit that is packaged and sold as lethal software is now called a cyber weapon. Nation states are now engaged in buying or building such software to infect the systems of enemy states. Hence, we have come very far in the business of software bugs, where the enemy could be a lone developer, an organized crime group or a nation state.
How is software eating the health sector, and what threats are linked to it?
In the above section we discussed, in general terms, how the exploitation of software is increasingly becoming a serious business. We have seen many examples in the last 30 years, from hobby programmers to nation states taking advantage of software-driven vulnerabilities. Here we would like to share some examples closer to the health sector.
1. Malware affecting data systems
Hospital information systems and similar information systems that are part of healthcare delivery have become commonplace and are one of the core components of the system. As pointed out in the introductory section, organized crime groups are now looking to exploit software bugs for commercial purposes. One of the ingenious methods they have developed is a type of malware known as ransomware. Ransomware is a malicious computer program which, when executed on a system, encrypts the data with very strong encryption, making it impossible for hospitals or other care providers to access patient records or other vital information. It then demands a ransom in the form of bitcoins (a cryptocurrency) in exchange for the key to decrypt the vital information. In recent incidents of ransomware infection, some hospitals in the USA have even faced ransom demands of millions of dollars, and some have even paid.
The mitigation strategy against ransomware for any organization is a strong backup of data, together with creating awareness among employees about the sources of malware and reducing the chances of accidental infection of workplace systems.
The long-term solution for tackling such organized crime is a better international legal framework, which allows international prosecution and cooperation among law enforcement agencies.
2. Denial of service attacks on ehealth services
In 2007 a distributed denial of service attack took place in Estonia. A statue of the Russian soldier was removed from the Tallinn Square, in the capital of the country. This sparked a response from sympathizers in Russia, and it brought down the Estonian economy for three days. Estonia is one of the most advanced countries when it comes to the uptake of e-governance services, ehealth being one of them. The entire attack cost less than 50,000 US dollars. It was the first denial of service attack the world saw at the level of a nation state.
The basic premise behind such an attack is that you have a service (an e-service) provided to citizens over the Internet, for example access to their own health records. The provider has a finite amount of bandwidth and computing power at the backend of the service, sized to the average load on the service. In a distributed denial of service attack, the attacker uses compromised computing devices (commonly known as bots) to access the Internet service. A botnet, which is a collection of such bots, could have thousands or millions of devices that access the service simultaneously. The service provider is not able to distinguish the normal traffic from the bot traffic, and often the server crashes under the heavy load. For a normal user trying to access the service, the service is unavailable because the finite resources of the server are exhausted by the bot traffic. Hence, it is called a denial of service attack.
Hence, when a city, state or nation is considering providing an e-service to citizens, it could witness such attacks. One strategy to mitigate such attacks is to track the server traffic for anomalies and to have redundancy available in the system. This is often achieved by putting the service on a cloud, which can tolerate such traffic fluctuations.
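The traffic tracking described above can be as simple as comparing each minute's request count with a baseline built from recent normal minutes. The following is an added example, not code from the original article; the log format (ISO timestamp, client address, request), the thresholds and the sample data are assumptions constructed for illustration.

```python
# Added example: flag traffic spikes in per-minute request counts.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def per_minute(log_lines):
    """Return {minute: (request_count, distinct_client_count)}."""
    hits, clients = defaultdict(int), defaultdict(set)
    for line in log_lines:
        ts, ip = line.split()[:2]
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        hits[minute] += 1
        clients[minute].add(ip)
    return {m: (hits[m], len(clients[m])) for m in sorted(hits)}

def find_anomalies(buckets, window=5, factor=4.0, min_hits=20):
    """Flag minutes whose request count exceeds `factor` times the median
    of the previous `window` non-flagged minutes (the average-load baseline)."""
    baseline, flagged = [], []
    for minute, (count, distinct) in buckets.items():
        if len(baseline) >= window:
            base = median(baseline[-window:])
            if count >= min_hits and count > factor * base:
                flagged.append((minute, count, distinct, base))
                continue  # keep spike traffic out of the baseline
        baseline.append(count)
    return flagged

def sample_log():
    """Constructed log: 6 quiet minutes, then 2 minutes of many-source load."""
    start = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    for m in range(6):  # normal load: 10 requests/minute from 5 clients
        for i in range(10):
            t = start + timedelta(minutes=m, seconds=i * 5)
            lines.append(f"{t.isoformat()} 10.0.0.{i % 5 + 1} GET /records")
    for m in range(6, 8):  # spike: 300 requests/minute from 150 clients
        for i in range(300):
            t = start + timedelta(minutes=m, seconds=i % 60)
            lines.append(f"{t.isoformat()} 198.51.100.{i % 150 + 1} GET /records")
    return lines

if __name__ == "__main__":
    for minute, count, distinct, base in find_anomalies(per_minute(sample_log())):
        print(f"{minute} requests={count} clients={distinct} baseline={base}")
```

A flagged minute with a high distinct-client count points to a distributed source, which is the signal for bringing in the redundant or cloud capacity mentioned above.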
3. Data leak and breaches
Many health systems require some kind of authentication mechanism to log in to the system in order to access the service. Often these are text-password-based systems behind which important patient profile or health record information is stored. Even the largest companies, like Google and Microsoft, have seen attacks where the attacker was able to leak the passwords of millions of their customers. Such scenarios result in a massive breach of data privacy and compromise for customers.
Good security practices, proper encryption of data and regular updates of the system are some of the key considerations for avoiding such instances. Nowadays, two-factor authentication has become a standard practice for making authentication systems more robust. However, some user awareness is still needed so that users opt for better security practices whenever possible.
4. Hacking medical devices and health system
Let us look at the building blocks of health systems, where information technology is deeply integrated. We have already covered health information systems, e-services and the patient-facing authentication interface to those services. However, we increasingly hear about Internet of Things (IoT) devices in the health sector, which means the integration of Internet services into traditional medical devices or new-age devices that also have connectivity. Examples are a thermometer which can send temperature data to your phone, or a stethoscope which can record the patient's breathing sound and upload it to a server for finding patterns of lung disease. These are powerful use cases and provide a great opportunity to clinicians and care providers, who have greater computation power available to them and are able to do more with less. However, these IoT devices are prone to the same kinds of attacks as any other communication device or software program. They can be compromised to show wrong values, totally messing up the diagnosis. There are already such instances. One such instance, not related to the health sector but important, is Stuxnet. Stuxnet was designed by the USA and Israel for the SCADA systems of the Iranian nuclear program, in order to delay that program.
5. Stealing identity information
Point 3 covered data leaks and breaches at the system level. One problem that can arise from such an attack is a further, more damaging attack: the stealing of identity information. In India, using mobile phones to receive an SMS message containing a one-time password is increasingly becoming standard practice because it is cost effective, simple and secure. Any application that you install on your phone can also get access to SMS and other features of your phone, meaning that incoming SMS messages or calls can be stolen by such an application to complete a transaction on your behalf. We increasingly have to prove our identity to online systems using biometrics or passwords, and it is possible for attackers to steal these credentials and access our records without our knowledge. Hence, we need to be very careful about the kind of access that any third-party application we install on our devices (especially phones) has on those devices.
6. Implantable medical devices with communication interfaces
In 2007, the wireless communication of the implanted pacemaker of the former US Vice President, Dick Cheney, was disabled for fear of a terrorist attack. This sounds like science fiction to many, but the incident already happened ten years back! Many medical devices are built with a communication interface, and it is quite normal for a typical pacemaker or other such device to have an interface based on Bluetooth or a similar communication technology for remote diagnosis and other purposes. While the communication ability of such a device was planned for looking at the state of the pacemaker, it was not designed with security in mind. Hence, it is possible that someone can connect to a critical device like a pacemaker and shut it down remotely.
One more reason such exploits are increasingly possible is that computing is becoming cheaper. What seems like strong security today might not be strong tomorrow. However, an implantable device might stay in the patient’s body for tens of years. Hence, we need to take a long-term view of the communication interfaces on such devices and their capabilities. We need to consider the control and information capabilities of these interfaces. Misuse of control capabilities can even lead to death, and misuse of information capabilities can lead to a breach of patient privacy.
Way forward: why is the Internet the new breeding ground for crime?
The law of the land governs the Internet in every country, and hence the legal regime globally is very fragmented. However, a user of the Internet does not see any borders or walls, and neither does the criminal. Criminals build their businesses where they do not fear strict government action, and often, for paltry sums, neither the user nor the national law enforcement agencies pursue criminal cases across borders.
On top of this, newer cryptocurrencies like Bitcoin make it easy to carry out such transactions anonymously. Dark net marketplaces provide a breeding ground for criminals to conduct illegal transactions worth billions of dollars without getting caught. So, three important components, weak legal enforcement, anonymous currency and secret marketplaces, are enabling cyber crime to flourish. If we want to slow it down, we will need greater international collaboration among lawmakers and user awareness at all levels.