Don’t get caught with your password guard down

Hackers use hospitals as springboards

You probably wouldn’t leave your car idling with the keys in the ignition as an open invitation for an uninvited guest to drive away with it. So why do so many hospitals leave their computer systems as vulnerable to guest users as an unlocked car?

That’s what virtually all of the medical facilities were found to be doing in a survey conducted by Berkeley (CA) Research Group, a research and development company that specializes in information technology security and has recently added health care to the roster of industries it covers.

According to Christian Valor, vice president of research and development in Berkeley’s Medical Informatics Division, virtually all of the thousands of facilities with Internet access surveyed in California left themselves somehow vulnerable to security breaches. Several major medical institutions that use dial-up modems do not require passwords for access to patient information databases stored on their computer systems, he found.

Valor conducted his survey in August and September using a technique called "wardialing." The surveyor selects an area code at random and, using a modem, calls every phone number within that area code.

"When it locates a computer it will try a couple of generic logins, like ‘guest’ or ‘user,’’’ Valor says. In roughly one out of every 50,000 tries, Valor’s modem gained access.

Such generic logon names as "guest" or "user" permit general access to the computer system. A hacker or unauthorized user could then exploit other security weaknesses in the system, creating a so-called "superuser," Valor says. "It’s used to find computers that are connected and have dial-up [access]. This is where we find the ones that don’t have passwords," Valor continues.

Passwords are a simple security precaution often lacking in the health care field, Valor says, and that makes a lot of patient information very vulnerable to prying eyes.

The fact that hospital computer systems are left open makes them a "very popular target" for computer hackers, Valor notes. "It’s mostly people who know that they’re an easy target to get into, and they use [hospitals] as launching pads because they want to attack someone else’s computer system. If I were a hacker, I’d use a doctor’s account as a launching point against other computers."

Information security vs. information access

But as any health information manager knows, health care involves an unending struggle between privacy and security of information and the need for authorized personnel to have immediate — and often life-saving — access to that information.

Valor’s survey is part of ongoing research into the field of information security in health care. There is, he says, very little solid research being done on the topic. "One of the things we’ve been noticing from attending seminars and traveling around the country is that there are a lot of people throwing around a lot of information that they can’t back up with a lot of material or research."

In addition, "No one wants to touch the medical community," he says. "You have an establishment that’s meant to save lives. It’s hard to implement security. Whenever you increase security, you decrease user convenience. But [HIM] people need to be a little more computer-savvy than the average bear."

Following are some of the areas that Valor recommends health information managers pay closer attention to in order to preserve the security of the patient information entrusted to their care:

Old versions of operating systems.

Sure, it saves money to keep the same operating system running for years on end, but these older systems are particularly vulnerable to hackers trying to gain access to hospital computer systems, Valor says. Operating systems are continually updated, and the updates usually fix previous security problems. Every new version fixes old security problems, many of them as much as 7 to 10 years old, Valor says. Such problems are "very well-documented security weaknesses" that are not difficult to exploit.

Misconfigurations.

If a computer system is not quite set up right, "It may work, but it’s kind of jerry-rigged together," Valor warns. That creates built-in vulnerabilities. "When [hackers] come into these computers over the Internet, you end up giving superuser access."

Mountable file systems.

The commonly used UNIX system, for example, offers the ability to "mount file systems." That means once access is gained to one computer, an unauthorized user is then "able to automount every single computer in the building. They can gain access to anything in that system, anything that’s connected to that entire network," Valor says.

And since the hacker has likely gained access as a superuser, by using the kind of generic password mentioned above, the unauthorized user wouldn’t need passwords to go into any other computer systems.

"Since you’re doing that from superuser access, you don’t need passwords to go into these other systems. You can access anything. You come in through a simple account. Then you do something to ‘panic’ or confuse the system. The computers are set up so that when they panic they drop down to the superuser access level. The only person who could fix those is the superuser. Guess what? You don’t fix the problem, you start hacking away."

The first line of defense, Valor says, is to use passwords.

1. Make sure every user account has a password. "That’s the main thing," Valor says.

2. Use "hard" passwords. That means a combination of both uppercase and lowercase letters should make up the password. "And you might want to throw in a number or throw in a punctuation mark," Valor adds.

3. Use a wide variety of passwords. Valor says he is amazed in his travels across the country giving security seminars at the lack of imagination used in choosing passwords. When he asks audience members to indicate who uses his or her login name followed by the number one as a password, roughly 30% sheepishly raise their hands. That’s the first password a hacker will try, he says.
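The three rules above can be checked mechanically. The following is an added example, not part of the original article: it audits account records for missing passwords and enabled generic logins, and tests a proposed password against the "hard password" and login-name-plus-a-number rules. It assumes accounts are stored in the UNIX /etc/shadow layout; the sample records and function names are constructed for illustration.

```python
import string

# Generic login names the article singles out as commonly left open.
GENERIC_LOGINS = {"guest", "user"}

# Constructed sample in /etc/shadow layout (name:hash:...); not real accounts.
SAMPLE_SHADOW = """\
root:$6$constructed$hashvalue:19000:0:99999:7:::
guest::19000:0:99999:7:::
drsmith:$6$constructed$hashvalue:19000:0:99999:7:::
user::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

def audit_accounts(shadow_text):
    """Return (login, finding) pairs for accounts that break rule 1."""
    findings = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        login, pw_field = fields[0], fields[1]
        if pw_field == "":
            # An empty second field means the account has no password.
            findings.append((login, "no password set"))
        elif login in GENERIC_LOGINS and pw_field[0] not in "*!":
            # "*" or "!" marks a locked account; anything else can log in.
            findings.append((login, "generic login is enabled"))
    return findings

def password_problems(login, candidate):
    """Check a proposed password against rules 2 and 3 in the list above."""
    problems = []
    if not (any(c.islower() for c in candidate)
            and any(c.isupper() for c in candidate)):
        problems.append("needs both uppercase and lowercase letters")
    if not any(c.isdigit() or c in string.punctuation for c in candidate):
        problems.append("add a number or punctuation mark")
    # Strip trailing digits/punctuation to catch login+"1" and close variants.
    core = candidate.rstrip(string.digits + string.punctuation).lower()
    if core == login.lower():
        problems.append("derived from the login name")
    return problems

if __name__ == "__main__":
    for login, finding in audit_accounts(SAMPLE_SHADOW):
        print(f"{login}: {finding}")
    print(password_problems("drsmith", "drsmith1"))
```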