Healthcare Interoperability

How secure is your doctor’s office?

As a CTO/CIO I must be my doctor’s worst nightmare.

When I walk into the office my eye roves about like a searchlight, looking for passwords under desks, removable media devices, unguarded networks and all the dirty little secrets daring me to unveil them from their dark hiding spots.

It starts with the front desk. Concealed behind a thin sliding glass window, a simulcrum of HIPAA, sits the front office Mac with its USB ports pointed straight at me. In my mind I see a gaunt hacker asking for a piece of paper located in the back office then slipping a tiny keylogger into place between the keyboard and the CPU. Would anyone ever notice?

I register and open my laptop. The Wi-Fi points pop-up showing a guest network and a private network. I fire up Kali and start aircrack. Sure enough they have WPS enabled on the private network, a protocol designed to allow you to easily connect pieces of hardware to the network that can be very simply brute forced. Worse still they’re using WEP, and I estimate that I could have the password in the 30 minutes for which I will be waiting for the doctor. After that I can continue my attack in a leisurely way from my car, feet on the dash, listening to the soothing murmur of baroque oboe.

Must .. fight .. evil .. tendencies.

I connect to the guest network and run a quick network scan. Ah ha!  There’s a netgear hotspot with its web admin enabled. I head over with my web browser and try my standard password list.  Bang!  I’m in and the network is mine.  The joyful glee subsides as I realize my data is now compromised.

My doctor comes out beaming and we get down to the business of clinical care. This is a routine appointment and I know my physician well. He’s a great doctor who’s helped me with chronic back issues for many years, and I like to think that we’ve developed something of a friendship. When he tells me that I need a less stressful job I laugh at him and quote “ physician heal myself”. We both smile and continue the appointment.

As he logs into the EMR I watch his fingers on the keyboard. My practiced eye easily recognizes password12345! and I groan internally. It’s a cloud-based system and I’ll take money on the fact that the IP ranges are not restricted to the practice network. Now I can log in from home and find out anything I want about everybody who’s been in for care.  A sense of despair washes over me as I wonder what else is going on here.

I mention the idea of multifactor authentication to him and he laughs and says, “ I’m not an IT guy”. I can’t dispute that but I say that the federal government might and that his risk is high. He turns to me and says, “Isn’t that risk something that my EMR company is responsible for? I’m a doctor you know.”

Here then is the rub. He is a doctor, and he really doesn’t understand what he needs to do to make his practice secure. His IT consultant comes in once a month and make some changes. He has no idea what they are, nor does he have any way to verify their efficacy. The cloud computing vendor tells him that no PHI is stored on his network and he takes that as a catechism, ignoring scanned paper records in folders, and backup media neatly organized into a pile on top of the filing cabinet.

He’s doing his best, but it surely isn’t enough.

In the space of approximately an hour I’ve identified 10 critical deficiencies in security within his office that could easily be exploited by anyone who is competent to do so. What should I do?

I could certainly come in on the weekend and tighten the network right up, but then, his consultant would undo all my work in a week’s time. There would also be costs that he’s not in a place to absorb, and his ability to feed his family could be affected by a loss of revenue. Despite what you read in the media, many physicians don’t make oodles and oodles of cash .  It’s a brutal business to be in and with massive consolidation it’s getting harder for independent practitioners each day.

In my mind the real problem here is that nobody is providing him a business reason to prioritise security, and the reimbursement models do nothing to offset his rising information technology costs. While he cares greatly about his patients, he is in no position to implement the mandates from the federal and state governments, and he’s not alone.

After all, the dirty little secret of Healthcare is that independent physicians offices are rarely secure.