HHS officials said health-care providers must combine cultural, practical and technological solutions to defend against theft and hacking. The officials also said that they have ramped up enforcement efforts against organizations that failed to protect patient information.
“While there is always more work to do, we have reached record settlements against companies who violated privacy laws and sent a message to everyone that privacy violations will not be tolerated,” said Leon Rodriguez, director of the HHS Office for Civil Rights.
‘A pipeline for attackers’
Three years ago, Rubin, the Johns Hopkins researcher, began assessing systems at major hospitals and clinics, making visits to operating rooms and intensive-care units.
He found that doctors and medical workers used the same computers to connect to both the Internet and internal networks. Rubin said doctors become “a pipeline for attackers into the sensitive networks.”
One nurse told Rubin that she had the job of typing in a physician’s password constantly so that the doctor would not have to, leaving the unattended machine unprotected. “She literally walked around the room logging the doctor into every machine, every hour,” Rubin said. “Unbelievable.”
He declined to name the institutions he studied because to do so would violate his research agreements.
“The doctors and technicians I spoke with seemed mostly well aware that their systems are vulnerable,” said Rubin, who has previously found security problems in voting machines. He said that health care “is an industry with the least regard, understanding and respect for IT security of any I’ve seen, and they have some of the most personal and sensitive information of anyone.”
Another researcher, Tim Elrod, a consultant at FishNet Security, found vulnerabilities in a system that enables care providers using a Web browser to automatically dispense drugs from a secure cabinet produced by Omnicell.
Working with Stefan Morris, Elrod discovered that unauthorized users could sidestep the login and password page and gain control of a cabinet at a hospital run by Integris Health, the largest health organization in Oklahoma. They used a well-known hacking technique called a “forced browsing” attack.
“At that point, we had full administrative control,” Elrod said. “We could do anything.”
After being contacted by The Post, Peter Fisher, vice president of engineering at Omnicell, said he “is launching an immediate investigation into this reported vulnerability.” The same day, the company issued a software fix to customers around the globe.