The FISMA Focus IPD

From: CSO

Security consultant maintains that U.S. government Health Information Exchanges mean ‘the death of patient privacy’

By Taylor Armerding

August 16, 2012— CSO— With convenience comes risk — and too much of it when it comes to patient privacy in health care, says Danny Lieberman, CTO of Software Associates, a software security consultancy in Israel, and a founder of Pathcare, a private social network for physicians and patients.

The risk factor, he said, is Health Information Exchanges (HIEs), required under the Patient Protection and Affordable Care Act, which are designed to enable the sharing of electronic health records by physicians and other health care providers.

The goals of such a system are efficiency and accuracy of data. But Lieberman contended in a post last week on both Pathcare and Infosec Island, where he is a long-time contributor, that “a U.S. national HIE network will be the death of patient privacy.”

Such a network will be highly vulnerable to malicious attacks, he said, largely for two reasons: “[A] huge, unmitigated threat surface of transactions that are transported inside health care organizations and between healthcare business units using message queuing technology,” and the fact that Microsoft is “a near-monopoly controlling the overwhelming majority of systems.”

“Since everyone is using the same technologies and the same HIPAA (Health Insurance Portability and Accountability Act) compliance checklist — life is sweet for attackers — who know exactly what vulnerabilities everyone has,” Lieberman quotes a friend saying.

Lieberman told CSO Online that the goals of the law are fine, but that its execution is the problem. “The Obama administration has given states until 2014 to implement HIE systems,” he said. “Otherwise, the federal government will implement a national HIE.”

“So what is worse — a bunch of state systems strung loosely together with bailing wire or a federally-run system? Neither alternative is attractive from a data security perspective,” he said.

But Lieberman’s fellow information security experts do not all share his sense of impending doom. Some of them say he is overreacting, and is basing his argument on conditions that existed about a decade ago, but which have improved since then.

Lieberman’s major focus is the technology of exchanges, which he said is being modeled on the retail industry supply chain. “A highly connected stem of networked message queues is a convenient and vulnerable entry point from which to launch attacks; these attacks can and do cascade. If these attacks cascade, the entire healthcare system will crash.”

Jody Westby, CEO of Global Cyber Risk, said Lieberman’s asess was too much “gloom and doom,” although she, like others, acknowledges there is no such thing as 100% security.

“But everyone will not be using the same technologies or have the same system configurations,” she said. “There are already health information exchange networks — the network that enables the insurance companies to see claim information. The one proposed is a bigger concept, but along the same lines.”

Westby said: “Attacks will happen and security is a significant part of the HIEs, but the picture (Lieberman) paints is a parade of horribles that is not fully fleshed out and is too broadly stated.”

Randy Sabett, an attorney with ZwillGen and an information security expert said Lieberman is “making two major assumptions that aren’t necessarily well supported.”

The fact that a highly connected system is designed for ease of use and is based on a common technology, “doesn’t necessarily lead to the conclusion that there will be cascade failures. It will fail only if it is not well designed,” he said.

Sabett, citing Microsoft’s Trustworthy Computing initiative along with general security awareness in both government and enterprise, believes the design will be much better than it would have been even two or three years ago. “With HIEs, you know security is going to be a big deal,” he said. “And HIPAA is requiring that all this data is going to be encrypted.”

Rebecca Herold, an information security privacy and compliance consultant, said the development of exchanges does mean increased risk, but agreed with Westby and Sabett that the design of the systems can tackle those risks.

“If the HIEs are thoughtfully and responsibly architected and implemented there will be no cascade of privacy failures,” Herold said. “The key is to build them right, with appropriate security and privacy controls, standards and policies, from the very beginning.”

Herold, like most experts, said the protection of patient privacy would take more than technology. Besides strong security controls, exchanges must “provide training to ensure their workers know how to protect the information that they work with.”

But Lieberman is not about to back down from his warnings. “A lot of the HIE technology is not state of the art,” he said. “A person who is in charge of one of the biggest state HIEs in the U.S. told me, ‘I don’t see why SOA (service oriented architecture) is relevant and I don’t believe in cloud computing.'”

And he said the Microsoft “monoculture” in systems and software is worse now than it was in 2003, when a group of security experts wrote a paper [http://cryptome.org/cyberinsecurity.htm]titled: “CyberInsecurity: The Cost of Monopoly. How the Dominance of Microsoft’s Products Poses a Risk to Security.”

“Even if they did use state-of-the-art technology, the threat surface of systems with a lot of PHI in a network of interconnected systems is very big,” he said.

Lieberman adds that encryption is not a guarantee against data loss. “The HIPAA Security rule requires transmission security – encrypting data in motion – but is vague regarding encrypting data at rest. So even if you encrypt data in motion between two HIEs, once the data hits the HIE premises, there are probably dozens of attacker entry points to get at the data in clear text.”

Lieberman said he has a better idea than the current model, which will focus on, “a vendor-neutral, standards-based approach for exchanging healthcare information between patients and providers that will not involve intermediate message buffering and switching.”

Details of that, he said, will come in a later post.