World’s Health Data Patiently Awaits Inevitable Hack

From: Wired

By Daniela Hernandez

Eugene Vasserman is uneasy about his digital pedometer. The company that makes the thing doesn’t know his name, age, or gender, but it does track his every step and his location. “They know where I sleep. They know my address,” says the Kansas State University cybersecurity and privacy researcher.

Some might think he’s paranoid. But he hasn’t stopped using the device. It’s just that he sees the worst-case scenario — and he’s adamant that the rest of us should see it too. Once health data leaves your immediate possession, he explains, it’s out of your control.

“I’m aware of the tradeoff I’m making … [but] I don’t think people understand what they’re giving up by putting this data out there,” he says. “The direct repercussions are not quite clear because the definition of cloud — excuse the pun — is very nebulous.”

What we do know is that security breaches surrounding healthcare information have been on the rise, according to the Ponemon Institute. And according to The Washington Post, there are “gaping security holes” in many of the systems that hold our healthcare data.

As more and more health data is hoisted onto the so-called cloud — for research, medical, and, yes, recreational purposes — these vulnerabilities will only expand. Geneticists and bioinformaticians are using the Amazon cloud to crunch through petabytes of genetic data. Electronic medical records are a key part of the Affordable Care Act, and they’ll be the norm in the not-so-distant future. Consumers have jumped on the health “gamification” bandwagon and are sharing their health information with a wealth of companies, many times unaware that their data could be sold to third parties and without knowing whether these companies have the proper security measures in place to safeguard their health information.

“Most people see a service, and they just assume it’s safe and secure and they use it,” said Avi Rubin, the director of the Health and Medical Security Lab at Johns Hopkins University. “There seems to be, I believe, a bias when people get hold of a product to trust it and to think that it’s okay until proven otherwise instead of the other way around.”

But as the recent chain of hack attacks at companies like Apple, Twitter, Facebook, Dropbox and most recently Evernote suggests, that may be the wrong assumption to make. “Any system that consists in large part of software is hackable,” Rubin warns. At some point, someone will hack a major repository of healthcare data. And it won’t be pretty.

Right now, the big companies that have joined the “I’ve-been-hacked” club are not health-related outfits. But that doesn’t mean they don’t store health information. On Facebook, users upload photographs of their medical conditions to crowdsource diagnoses or join disease-specific support groups. Researchers are able to identify drugs’ adverse side effects from Google search logs. Medical professionals use storage services like Dropbox and Box to share documents and facilitate discussions. In December, iHealth partnered with Evernote to allow data from its blood pressure monitors and scales to seamlessly integrate into an Evernote health report card.

“It’s small bits and pieces that are possibly unrelated,” says Vasserman, the pedometer-wearing security researcher. “But a sophisticated hacker could put two and two together…Our health data is going to be breached and people either don’t realize or they don’t associate these services with health data.”

Recently, Shawn Merdinger — a security researcher at the University of Florida — came across a shared Dropbox folder the University of Chicago had set up for its residents while he was reviewing how iPads were being used in medical settings. The folder was tied to a shared Gmail account with the password published in a public online manual. (It has since been closed.) One of the big questions right now, he says, is whether Dropbox complies with the Health Insurance Portability and Accountability Act (HIPAA), which protects individually identifiable health information.

These are sensitive issues that consumer tech companies sometimes skirt because dealing with government organizations like the Department of Health and Human Services or the Food and Drug Administration — which oversee health privacy and the regulation of medical devices, respectively — involves some serious red tape.

More recently, Merdinger has been using the Shodan search engine to look for medical equipment exposed to the internet. Shodan scans the web for all sorts of devices and dumps the results into a searchable database. Merdinger recently found a Philips virtual access system for fetal monitoring that doctors can use to check in on patients remotely.

“It’s really scary stuff,” he says. “How do we meet the needs of providing a physician convenient access from home to check on her patients [without] exposing a device like this to the big, bad internet where people with all sorts of motivations could attack?”

Once that data is made public, he says, it’s unclear whether it’s still protected by data security laws.

Part of the problem, he says, is that companies working in this space are small outfits that manufacture single products. They don’t have the resources or expertise to create a comprehensive security system and so they rely on commercially available products like the Amazon cloud or 3G networks to implement wireless solutions, but often these are not set up to handle healthcare data.

The bigger players either get out or are tight-lipped because they fear facing liabilities. “What the hell happened to Google Health? Gone! They didn’t want the liability,” Merdinger says. “The complexity of this is mind-boggling. Health care is really in for a beating from the security side…if Google can’t stop this, how is a hospital going to stop this?”


One response to “World’s Health Data Patiently Awaits Inevitable Hack”

  1. Rick says:

    You know, as someone who struggles with anxiety, I know firsthand how difficult it can be to manage our emotions and thoughts. That’s why I’ve started seeing for assistance and found this source stress-auszeit.ch that specializes in online kurse. This approach has helped me develop new ways of thinking and coping with my anxiety, and I highly recommend it to anyone in a similar situation.
