Cybersecurity at the Doctor's Office

I like this essay because it nicely illustrates the security mindset.

Posted on May 17, 2012 at 12:28 PM • 14 Comments


GrymoireMay 17, 2012 2:13 PM

The "Security mindset" can be different in different situations.

While many business systems have the Default:Deny stance, many hospitals use the Default:Allow stance, especially in emergency conditions. After all, you never want to prevent a Doctor from saving someone's life.

Doug DMay 17, 2012 4:02 PM

Grymoire: I sure hope that if they've got a "Default:Allow" stance on a computer, that computer is at least in a DMZ, or possibly separated from the rest of the universe by an air gap.

This writeup reminds me of the "always mount a scratch monkey" parable.

It also makes me think about ways to add filesystem-level signing extensions to removable media, so that the media will work in a stock/normal computer, but a secured computer can check for fingerprints and signatures before agreeing to mount filesystems.

(On the one hand, I'm not sure that'd be very hard, but on the other hand, I know better than to trust my own gut on issues like this. Is anyone already doing that?)

Doug DMay 17, 2012 4:09 PM

...and a moment's research indicates that TiVo holds a patent (#8171285) on a cryptographically-signed filesystem... granted just sixteen days ago. (Filed in 2006, though.)

(It's specifically geared to tamper-proofing a device's boot process and talks about mechanisms for a server to push secure updates to clients -- no shock TiVo is working on that -- but that's just the abstract. Now I'm off to read the specific claims.)

ThomasMay 17, 2012 5:35 PM

My worrying starts when I see the wireless keyboard and mouse they all seem to use...

Peter A.May 18, 2012 3:50 AM

Being a "computer guy" I am occasionally asked by friendly doctors to "help out" with their PCs and software. Such events date back even to my late high school years, the era of DOS PCs and carelessly written apps in dBase III and the likes. I could tell whole stories. So I know a little what a crap such software is around here. I doubt the other side of the pond makes much better, HIPAA or no.

Clive RobinsonMay 18, 2012 5:02 AM

Hmm we have Drs and other "medical proffesionals" telling us to only have/use "safe xyz" where xyz can be a multitude of things (think prescription drugs from across the border etc etc).

Now when ICT proffesionals tell Drs to only have/use "safe xyz" (ie comms, web connections, media usage, etc etc) they give all the aperances of "knowing best" and being unsafe...

I wonder if their "malpractice insurance" coverss them for this...

vasiliy pupkinMay 18, 2012 7:11 AM

Q: Could files be e-mailed as attachment from one medical office to another and scanned for troubles before openning at destination point rather than using removable media? This media could be provided to the patient for his/her own records and usage on own computer.

bobMay 18, 2012 8:07 AM

E-records will be the death of us all. Now one (inadvertent or malicious) click of a computer mouse and it will be up to YOU to prove that you are NOT a sex offender (constitution notwithstanding). And you will have to prove it while a bunch of cops/cellmates beat the crap out of you. And of course the only way to prove your innocence would be with a piece of paper that the system no longer generates.

Additionally, prescriptions are e-sent from the Dr to the pharmacy. Sounds like a great attack vector for drug-seeking behaviors.

Brian MilnesMay 18, 2012 10:02 AM

I was just sent to a Radiologist. When I arrived they had swing around signing screens. Someone's data was up on one and no clerk. And their PC's were not locked while I was there: ever. ( is a good idea or a commercial key fob).

When it finally came to my sign in, I noted that the windows START menu was available. So I could have just downloaded my favorite malware, none of this complicated disc making.

I commented on this and it got to the right person.

Nick PMay 18, 2012 7:56 PM

As for specific issues, I posted simple solutions in the comment section. I doubt it would be news to anyone on this blog though.

DoctorTMay 18, 2012 9:06 PM

There's lots of tar flying around, but not every medical office and hospital deserves to be splattered by it. I'm very familiar with many hospital and laboratory information systems and with some medical office electronic medical record systems. The good ones offer excellent security: strict log-in requirements, short time-out periods, single-keystroke log-out and screen clearing, user- and task-based customized security settings for employees, WEP2 secured wireless (or no wireless), IT control over software installation on connected computers, blockage of media reading (optical drives, floppy drives, USB flash drives, external hard drives, etc.) except on isolated computers run by information technologists, internet connections only through a secure server/firewall combination, no ability to connect (via wire or wireless) any computer to the network without IT review, server-based logging of all transactions (complete audit trails), isolation of equipment and instrumentation computers (chemistry analyzers, CT scanners, etc.) from patient recordkeeping computers (to prevent spread of malware or improper access to patient data), live mirror-image backups of the server, and daily onsite backups plus offsite backups and archives of electronic records. I've used a number of these systems and never heard of a malware infection or successful data theft by a cracker. (Note: Less secure medical informatics systems have been infected and cracked.)

Systems with the features I listed are quite secure, especially when employees know that security is important and that their actions are monitored. In one of the hospitals I worked at, medical information on a local politician was leaked to the press. The leaker (a nurse who had legitimate access to patient records but was not part of the team caring for the politician) was caught (via the audit trail) and fired within hours. The incident was reported to all employees. Spot audits for the next three years did not detect any improper record access.

Nick PMay 19, 2012 7:39 PM

@ DocterT

Nice post. My criticisms are that a vast number of smaller outfits provide only the minimum amount of security and enforcement isnt top notch. Additionally, many groups aim for HIPPA compliance rather than real security. Compliance and security arent equivalent in many cases.

So, there's still plenty of work to be done wrt securing hospitals. I'd like to add that they havent even mastered correctness of things like radiation machines, much less security.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.