As a CTO/CIO I must be my doctor’s worst nightmare.

When I walk into the office my eye roves about like a searchlight, looking for passwords under desks, removable media devices, unguarded networks and all the dirty little secrets daring me to unveil them from their dark hiding spots.

It starts with the front desk. Concealed behind a thin sliding glass window, a simulacrum of HIPAA, sits the front office Mac with its USB ports pointed straight at me. In my mind I see a gaunt hacker asking for a piece of paper located in the back office, then slipping a tiny keylogger into place between the keyboard and the computer. Would anyone ever notice?

I register and open my laptop. The Wi-Fi access points pop up, showing a guest network and a private network. I fire up Kali and start aircrack. Sure enough they have WPS enabled on the private network, a protocol designed to make it easy to connect devices to the network, and one whose PIN can be brute forced with very little effort. Worse still they’re using WEP, and I estimate that I could have the password within the 30 minutes I will be waiting for the doctor. After that I can continue my attack in a leisurely way from my car, feet on the dash, listening to the soothing murmur of baroque oboe.
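
The kind of check described above can be scripted rather than eyeballed. The following is an added example, not code from the original post: it parses the text that `iw dev <iface> scan` prints on Linux and flags networks that advertise WEP (Privacy bit set but no WPA/RSN element) or WPS. The scan output embedded in the block is constructed for the example, not a capture from any real office, and the SSIDs and BSSIDs in it are made up.

```python
"""Flag weak Wi-Fi networks from `iw dev <iface> scan` output.

Added example, not from the original post. Classifies each BSS by the
security it advertises (open / WEP / WPA / WPA2-WPA3) and flags WPS.
"""
import re
from collections import namedtuple

Network = namedtuple("Network", "bssid ssid security wps")

# Constructed sample of `iw dev wlan0 scan` output (not a real capture).
SAMPLE_SCAN = """\
BSS 02:11:22:33:44:01(on wlan0)
\tfreq: 2437
\tcapability: ESS (0x0401)
\tsignal: -52.00 dBm
\tSSID: clinic-guest
BSS 02:11:22:33:44:02(on wlan0)
\tfreq: 2462
\tcapability: ESS Privacy (0x0411)
\tsignal: -48.00 dBm
\tSSID: clinic-private
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: PSK
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
BSS 02:11:22:33:44:03(on wlan0)
\tfreq: 2412
\tcapability: ESS Privacy (0x0411)
\tsignal: -63.00 dBm
\tSSID: clinic-legacy
"""


def _finish(b):
    """Turn a parsed BSS block into a Network with a security label."""
    if not b["privacy"]:
        sec = "open"
    elif b["rsn"]:
        sec = "WPA2/WPA3"          # RSN element present
    elif b["wpa"]:
        sec = "WPA"                # vendor WPA element only
    else:
        sec = "WEP"                # Privacy bit set, no WPA/RSN element
    return Network(b["bssid"], b["ssid"], sec, b["wps"])


def parse_scan(text):
    """Return a Network for every BSS block in iw scan output."""
    nets, block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("BSS "):
            if block:
                nets.append(_finish(block))
            m = re.match(r"BSS ([0-9a-f:]{17})", raw, re.I)
            block = {"bssid": m.group(1).lower(), "ssid": "", "privacy": False,
                     "rsn": False, "wpa": False, "wps": False}
        elif block is None:
            continue
        elif line.startswith("SSID:"):
            block["ssid"] = line[5:].strip()
        elif line.startswith("capability:"):
            block["privacy"] = "Privacy" in line
        elif line.startswith("RSN:"):
            block["rsn"] = True
        elif line.startswith("WPA:"):
            block["wpa"] = True
        elif line.startswith("WPS:"):
            block["wps"] = True
    if block:
        nets.append(_finish(block))
    return nets


def weak_networks(text):
    """Return {ssid: [reasons]} for the networks an auditor should flag."""
    findings = {}
    for n in parse_scan(text):
        reasons = []
        if n.security == "WEP":
            reasons.append("WEP: key recoverable in minutes with aircrack-ng")
        if n.wps:
            reasons.append("WPS enabled: 8-digit PIN is brute-forceable")
        if reasons:
            findings[n.ssid] = reasons
    return findings


if __name__ == "__main__":
    for ssid, reasons in weak_networks(SAMPLE_SCAN).items():
        print(ssid, "->", "; ".join(reasons))
```

Feed it real output with `iw dev wlan0 scan | python3 wifi_audit.py` after swapping `SAMPLE_SCAN` for `sys.stdin.read()`; an open guest network is deliberately not flagged, since that is usually a policy choice rather than a misconfiguration.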

Must .. fight .. evil .. tendencies.

I connect to the guest network and run a quick network scan. Ah ha! There’s a Netgear hotspot with its web admin enabled. I head over with my web browser and try my standard password list. Bang! I’m in and the network is mine. The joyful glee subsides as I realize my data is now compromised.

My doctor comes out beaming and we get down to the business of clinical care. This is a routine appointment and I know my physician well. He’s a great doctor who’s helped me with chronic back issues for many years, and I like to think that we’ve developed something of a friendship. When he tells me that I need a less stressful job I laugh at him and quote “physician heal myself”. We both smile and continue the appointment.

As he logs into the EMR I watch his fingers on the keyboard. My practiced eye easily recognizes password12345! and I groan internally. It’s a cloud-based system and I’ll take money on the fact that the IP ranges are not restricted to the practice network. Now I can log in from home and find out anything I want about everybody who’s been in for care. A sense of despair washes over me as I wonder what else is going on here.

I mention the idea of multifactor authentication to him and he laughs and says, “I’m not an IT guy”. I can’t dispute that but I say that the federal government might and that his risk is high. He turns to me and says, “Isn’t that risk something that my EMR company is responsible for? I’m a doctor you know.”
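
The three controls the last two paragraphs touch on (a password that is not a padded dictionary word, a source-IP allowlist on the EMR portal, and a second factor) can be expressed as one audit routine. The block below is an added example, not the post's code and not any EMR vendor's API; the practice's address ranges and the short list of common password bases are constructed for the example. It also shows why the usual "three of four character classes" rule is not a useful check: `password12345!` passes it.

```python
"""Audit an EMR login the way a reviewer would, not the way a portal does.

Added example, not from the original post. PRACTICE_NETS and COMMON_BASES
are constructed; a real deployment would use the practice's actual egress
addresses and a breach-derived password blocklist.
"""
import ipaddress
import re

# Constructed: the practice's public range and its IT consultant's address.
PRACTICE_NETS = [ipaddress.ip_network("203.0.113.0/29"),
                 ipaddress.ip_network("198.51.100.24/32")]

# Constructed, deliberately tiny blocklist of password "bases".
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "admin"}

# Common substitutions users apply to sneak a dictionary word past rules.
LEET = str.maketrans("@$0134", "asoiea")


def naive_complexity_ok(pw):
    """The rule most portals enforce: 8+ chars and 3 of 4 character classes.
    password12345! satisfies it (lower, digit, symbol)."""
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^\w\s]", pw)]
    return len(pw) >= 8 and sum(1 for c in classes if c) >= 3


def has_sequence(pw, n=4):
    """True if pw contains n or more consecutive ascending or descending
    characters (1234, abcd, 4321)."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        diffs = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + n - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False


def password_problems(pw):
    """Return a list of reasons this password should be rejected."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    # Lower-case, drop the trailing digits/symbols, undo leet substitutions.
    base = re.sub(r"[\d\W_]+$", "", pw.lower()).translate(LEET)
    if base in COMMON_BASES:
        problems.append(f"dictionary word '{base}' padded with digits/symbols")
    if has_sequence(pw):
        problems.append("contains a keyboard/number sequence")
    return problems


def audit_login(pw, source_ip, mfa_verified):
    """Return (ok, findings) for a login attempt under all three controls."""
    findings = password_problems(pw)
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in PRACTICE_NETS):
        findings.append(f"source {source_ip} is outside the practice allowlist")
    if not mfa_verified:
        findings.append("no second factor presented")
    return (not findings, findings)


if __name__ == "__main__":
    print("naive rule accepts password12345!:", naive_complexity_ok("password12345!"))
    for case in [("password12345!", "192.0.2.77", False),
                 ("correct horse battery staple", "203.0.113.5", True)]:
        ok, findings = audit_login(*case)
        print(case[0], "->", "OK" if ok else "; ".join(findings))
```

The allowlist check is only meaningful if the EMR vendor lets the practice configure one; the point of the example is that each of the three findings is something the practice, not the vendor, has to decide to turn on.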

Here then is the rub. He is a doctor, and he really doesn’t understand what he needs to do to make his practice secure. His IT consultant comes in once a month and makes some changes. He has no idea what they are, nor does he have any way to verify their efficacy. The cloud computing vendor tells him that no PHI is stored on his network and he takes that as a catechism, ignoring the scanned paper records in folders and the backup media neatly organized into a pile on top of the filing cabinet.

He’s doing his best, but it surely isn’t enough.

In the space of approximately an hour I’ve identified 10 critical deficiencies in security within his office that could easily be exploited by anyone who is competent to do so. What should I do?

I could certainly come in on the weekend and tighten the network right up, but then his consultant would undo all my work in a week’s time. There would also be costs that he’s not in a place to absorb, and his ability to feed his family could be affected by a loss of revenue. Despite what you read in the media, many physicians don’t make oodles and oodles of cash. It’s a brutal business to be in, and with massive consolidation it’s getting harder for independent practitioners each day.

In my mind the real problem here is that nobody is providing him a business reason to prioritise security, and the reimbursement models do nothing to offset his rising information technology costs. While he cares greatly about his patients, he is in no position to implement the mandates from the federal and state governments, and he’s not alone.

After all, the dirty little secret of healthcare is that independent physicians’ offices are rarely secure.

4 thoughts

  1. Great write-up and illustration of some of the security challenges associated with doctors’ offices. I agree with you that none of them are really secure. Plus, if someone breaches them, most will never know it. Sadly, that’s true for most hospitals as well.

    You’re right about many doctors not getting paid well, but they don’t do themselves any favors driving around in their Mercedes.

    1. Thanks John. I always appreciate your pithy comments – right on point. Some of these folks will have a visit from law enforcement asking about data found online in the dark web, and they’ll be totally, utterly speechless as they try to work out what happened.

  2. Independent physicians’ offices may not be secure, but big organizations have a so-called “smaller chance but bigger impact” security issue. Once in a while a breach leads to thousands or millions of medical records ending up on the streets (or rather in the hands of health insurance companies or other organizations who, thanks to the false belief in ‘self regulation’ of markets driven solely by profit, will use it to their advantage and to the disadvantage of their customers).

    In the end this is about privacy, a very very underrated issue in the US, where people tend to believe that if you’re not a terrorist, you got nothing to lose. WRONG. Everyone has interests, as consumers, as patients, as citizens. And big businesses also have interests and they are usually not the same as yours. When the car dealer knows you just got a bonus at work, he might just offer you a higher price. When you know how much his wholesale price was, you might just be in a better position to negotiate a lower price.

    When law enforcement knows, through your google map and lots of FRAGMENTED pieces of information, that you were near a crime scene 5 years ago, YOU are not likely to remember the details that prove your actual innocence.

    I believe we should own all the information about us, that cannot be accessed without our involvement. And I know what it takes technically to make this happen. But it will not be in the interest of those who currently collect your personal information, so they will not cooperate in the implementation without government enforcing a law. And that is why many things will not work without a strong central government. Without it, the world will be run by big businesses instead.
