Skip to content ↓ | Skip to navigation ↓

What you are about to read is not from 1995. This is not Throwback Thursday. What follows is an account of the first full day of booth duty at Healthcare Information and Management Systems Society (HIMSS) 2016 conference in sunny Las Vegas.

For those of you who have never heard of HIMSS, (I certainly hadn’t until my boss asked me to attend.) it is a conference for IT in the healthcare industry. There are supposed to be 40,000 people here, and judging by the sheer volume of suits in the streets, I would gather that this is correct.

As I meet folks at our booth and walk the show floor, I see that quite a few, perhaps most, of the attendees are CISO-level with a good mix of managers and directors. Interestingly enough, however, actual keyboard monkeys seem to be few and far between. Indeed, this event does not look like a show for your average IT or security admin, which may be explained by the fact that they somehow managed to schedule this conference at the same time as RSA.

So…here are some of the observations I have made that lead me to think I stepped into a time machine:

  1. Security is an afterthought in the healthcare industry. Many of the folks I have met so far who have security in their title used to be system administrators and were given the title because they browsed a security book once at Borders.
  2. The cyber security pavilion is tucked quite nicely into a far corner in the basement, conveniently located next to the bathrooms. Maybe its just the locale, but the foot traffic through here is pretty light. Some of the vendors bought big booths that are going largely unused. It felt like Comdex 1985.
  3. No one seems to really care. I mean lip service is being paid, but when I walk around to talk to various healthcare vendors about security, I usually get “Huh…we never thought about that” as a response.

Let’s pause for a second. I recently dropped my father off at a VA hospital, and while I was there, I noticed the staff using these little rolling carts that came equipped with a PC, monitor, and keyboard. The RNs sat with my dad or other patients and gathered their information or processed data as they worked. What struck me was that when not in use, they were often tucked into the hallway–just another piece of equipment like a gurney or wheelchair.

healthcare cart

Now I am not a high-level, live-in-my-mom’s-basement hacker. But I work and live information security, and I do know a few things about the need for physical security, as well. To illustrate, I attended DEF CON 15 last year, and I was amazed at the vendors who were selling hacker tools on USB sticks. You could almost write the advertising in your mind: “Drop one of these in any corporate parking lot, and let the fun begin!”

With that in mind I walked the vendor floor to see if anyone had any thoughts about security, and anecdotally speaking, the answer has been “no.” Every healthcare vendor who sold one of these carts I saw at the VA was more than happy to give me a demo and show me the computer that sat attached to the outside of the unit. Each and every one of them had exposed USB ports.

Think about that for a minute. Hackers spend days, maybe weeks figuring out ways to get onto a network or social engineer a way into a building so they can seed their malware. It would literally take them five minutes in most hospitals across the United States. “Hey. I’m here to visit my Uncle Bob,” they could say. All they would need to do is find a cart in the hallway, plug in the USB stick, and walk away.

Let’s remember something important: these carts and their PCs are on the network. They have to be to transmit and receive patient data. Or maybe they encrypt it. Or maybe they don’t hold much data… just enough to process their work. Even if that is true, there are logins and other bits of information that the malware can use to fingerprint the network and give the hacker a head start into breaching a healthcare organization’s system.

It’s an interesting problem I am seeing here, one that will take a tremendous amount of education to begin addressing.

Near our booth, one of the vendors has little stations with a security quiz on it. My colleague couldn’t get past the first question. She found it to be easy to the point of insult. But that is from a person who, like me, works and lives in information security. Apparently, these things are aimed at folks who haven’t thought about security since the ’90s, if ever at all.

When you read stories about the Los Angeles area hospital that had to pay 17,000 in Bitcoin to pay off some ransomware scheme, one realizes that this is the tip of the iceberg. HIPAA was written for a reason, and the healthcare industry better start paying attention if it hopes to avoid a cascade of security incidents.

Title image courtesy of ShutterStock

Tripwire University
  • David Craig

    At RSA this week, there were quite a few sessions on Security in Healthcare. The common theme was how far behind the industry was. Cloud may accelerate the industry catching up.

  • jctaylor405

    Chris, welcome to healthcare! I really enjoyed your article and your perspectives on the healthcare industry’s general lack of awareness around IT security. Reported breaches and potential exposures of personally identifiable information from hospitals, medical centers and the health insurance sector exceeded 130mm or so separate individual records when I stopped counting late last fall. Bottom line, by reported numbers, if a medical record exists with your name on it, the probability of prior exposure is >30%. But what about the undetected breaches? Please keep up your reporting on this issue. Shaming may be the only avenue for getting some attention to this remarkable degree of willful ignorance coming from the healthcare sector.