Security: The Massive hole in the PCEHR system

In the last few days, three computer security stories have hit the news:
These may seem small, incidental stories, but they are signs of something much darker. At the end of 2004 the Hackers Turned Pro [and a 2007 piece]: now they're after the money, not publicity nor headlines. In fact, rather the reverse, like special tactical units, military or police, they now want to go completely undetected - to avoid detection, to be completely stealthy.

How do the three stories link to the Personally Controlled Electronic Healthcare Record (PCEHR) initiative of the Australian Government?
  • ADFA/UNSW is a high-profile, high-value target that's been forced to do leading-edge Computer Security and Intrusion Detection since the early 1980's. Any tertiary education site teaching computing, especially security and/or Operating Systems like ADFA and UNSW, has a very active and inquisitive student body looking to "test all limits", which translates to "break the system".
    • The break-in is troubling for two reasons: the hackers got past very long standing multi-level security... and
    • they were after Identity information.
  • The Romanians did it all remotely: they didn't set foot in Australia, though there have been some Eastern European rings that have visited to run "skimmers" on ATM's. You can't expect small retailers to be experts in I.T. and Security, but you'd expect the Credit Card companies to know what's happening, to at least have checklists and advisories for their merchants, even audits, and channels to advise clients of the latest threats, vulnerabilities and protective/remedial actions.
    • And yet, from the other side of the globe, small retailers here were targeted: these guys knew exactly what they were looking for and exactly who was on their hit-list.
    • Nothing about these attacks was accidental or random: retailers were identified, probed, targeted. Not unlike a military or law enforcement operation.
  • For me, the Medical Centre is interesting. It wasn't a desktop that was compromised, but a server. Something setup much more carefully than a desktop and rarely changed and never used for casual browsing and email - the majority vector of attacks.
    • The hackers had to get through a firewall, scanning software and then the administrative passwords on the server. This should not have been a cake walk. From news reports we might infer that like most small businesses with a server or two, they don't have a full-time professional administrator, but do have paid, professional support: an I.T. firm that knows how to lockdown systems [and how to rebuild them].
    • The hackers didn't mistake the target: they identified this business as being large enough to pay the demanded ransom. They got in, looked around and figured they could make money there...
    • It seems they didn't steal any of the data, just made it inaccessible, but who knows?
The common thread I'm seeing is very high quality Identify and Financial information being stolen.

The massive hole in the PCEHR is the Medical Practices - just like the one on the Gold Coast. The large numbers of minimally managed and unchecked PC's and servers are the soft underbelly of the whole system. The front-door is massive, strong and very well defended, only they forgot completely about the backdoor... Oops.

The vulnerable systems aren't just the servers, but the much more vulnerable PC's on the Doctor's desk. It doesn't help that one application has around 70% of the market: hackers need one successful exploit for just a short time, whilst vendors and administrators have to be 100.00% perfect all the time. "To Err is Human" guarantees a vigilant and persistent attack will find an exploitable weakness, given time. Given that the business of these practices is medicine, not Computing and IT Security, it's reasonable to expect that there will be frequent errors and security level will be "moderate" at best.

Any service or action that a properly identified, authorised and authenticated user (read a Doctor) can initiate on their PC can be remotely performed by hackers. Proof? the second two examples above.

Even if a Medical Practice thinks it has very good IT Security, the ADFA story tells us, "Maybe not" - even with full-time dedicated experts on the job, high-value targets are hacked. It's all about the Money.

Look at the information taken and available: Credit Cards are an immediate 'hit', but are simply countered: the Issuer cancels the card, changes the number, the value of the information is then zero.

But Personal Identity Information doesn't change: that's the point of it - the unique dataset that identifies you, forever. When hackers steal your identifying information, they can trade and resell it for the next 50 years... That is a great business model! The gift that keeps on giving...

With a PCEHR system, what's the value of the information that can be stolen?
  • For everyone in the system, all the usual personal identifiers plus a Medicare number: a high-quality government issued ID. The trick is for a hacker to get a new card mailed to them without going into an office.
    • The Gold Standard Attack would be collecting all personal data from all Practices running  the single most popular Medical Record application. But you'd best not make it look at all obvious, try to grab it too quickly or be too greedy in selling/using it all at once.
    • The Platinum Standard is compromising the vendor systems: subtly modifying the code, especially of some 'security feature', defines this "vector". This is a well-known attack and there have been credible attacks detected/shutdown in the wild. Anyone with the "Keys to the Kingdom" needs especially strong security and detailed, regular security audits: something I didn't notice in the standards when I looked at them 12-18 months ago.
  • Knowing someone's medical history isn't an obvious money spinner, unless they are a celebrity or can be blackmailed. That's a pretty specialist and highly-targeted activity: creating a secondary market for information to private investigators, tabloid journalists and others.
  • The obvious direct money spinners are:
    • capturing credit card details, or issuing extra card transactions while the customer is present.
    • transferring payments out of the practice bank accounts, especially the extra amounts so they won't be noticed in Accounts reconciliations. [the add/delete cancels out]
    • Assigning medicare rebates to other (hijacked or bogus) practices and practitioners.
    • Creating extra procedures on real patients and fake claims for non-visits: then transfer these out or assign them elsewhere.
    • Issuing electronic prescriptions on zero- and low-activity patients. Needs "mules" to be recruited, with fake ID (eg Medicare card), to physically collect the drugs, like Oxycontin.
      • Or with on-line pharmacies and direct delivery, no ID required, just a post box.
What are the odds of this happening?
These hacker rings are smart, motivated and very, very creative. You have to act as if they've already thought of anything you've come up with.

Look at just the few we know about, above: these guys are disciplined and expert.

To tell a happy story, IT Security can be simple, cheap and effective - you have to know your field and application and come up with a good design.

A recently retired friend, a Dental Technician, started using some Practice Management Software around 2000. A few years later an electrical storm killed a bunch of their household appliances: including "the PC", a 'white box' hand-assembled by an I.T. associate.

I persuaded my friend to do two things with his new business computer:
  • Buy a standard computer from a Tier 1 vendor (HP, IBM, Dell, Acer, ...) because they'd have a warranty and spare parts, even service, for years and year and
  • NOT to ever connect the Practice computer to the Internet: to maintain "an air-gap" from the wild Internet.
He bought a $250 laser printer just for the business PC and a KVM switch to share the monitor/keyboard between the other, Internet, PC and the Practice PC.

He also religiously backed up his application and data every day (he could easily recreate a single days' data) onto three USB flash drives. When one of them blew up once, he replaced them all for $50-$100. They were stored in different places, all away from the PC and office.

Despite Windows XP complaining it had never been patched and the system had never had a Virus Scanner installed, it just worked and maintained perfect security for him till he retired... He understood what was happening and how to keep his system and data secure. Whilst not everyone has the luxury of disconnecting from the Internet, it does show that good security can be attained and maintained by small businesses.

BTW, air-gaps are not perfect security, that doesn't exist. The best example is the Stuxnet attack against the Iranian Uranium enrichment facility by US Cyber-Command. The target systems were air-gapped and that didn't help them. Nothing will stop a determined attacker in either military or I.T. situations.

No comments: