It’s interesting that now that the Heartbleed bug is out, there seems to be one vertical that is very quiet. Banking and finance? Nope. They’re all over it. Government? Nope. They’re on top of it too. Manufacturing and eCommerce? Nope. They’re some of the first to address the issue. We know it’s definitely not the internet companies. So who could it be?
Go figure. It would be healthcare and medical device manufacturers. Why? Because it’s too expensive for them to make a stink about it. There’s nobody to sue. They can’t point fingers or lay the blame on anyone. It’s them.
What happens if you happen to have a device that captures personal information about your health and uploads it to some server out in the cloud, or even worse, to your insurance carrier? You see, the problem is that once it gets out that your prized medical gizmo is transmitting your health information insecurely, it’s a problem. It becomes a liability issue.
Here’s something most people don’t know: in the US (go figure), the most complete view of your medical record does not lie in your doctor’s or hospital’s database. It is in your insurance company’s database. Every doctor, clinic, lab test, and therapist you ever saw is in their database. Every prescription you’ve ever filled, every prosthetic you’ve purchased, and even your plastic surgery procedures, even if you didn’t use insurance to pay for them. It’s all there. Every diagnosis and procedure ever performed on you is in their database.
Why is this important? Would you want any of that data to get out? I know I wouldn’t. But what does it have to do with your internet-based blood pressure meter? Let me draw a hypothetical, but not too unrealistic, situation.
John uses a device to measure his blood sugar levels (a glucometer) and punches the results into a portal every day to share with his doctor and family. That server sits on the internet and runs a version of OpenSSL that is susceptible to the Heartbleed bug.
Bob (who really dislikes John for some reason) knows that John carries his iPad everywhere and keeps track of all his information on it. It wouldn’t be a far stretch for Bob to start scanning personal health record websites for the Heartbleed bug. In his desire to find out information about John, he starts to download and test every healthcare and medical application he can find in the iTunes store. Bingo! Out of the 50 or so major applications he downloads, he finds one that transmits information to a Heartbleed-affected host. He sniffs his home Wi-Fi and gets the destination host where all that information is housed.
Using the exploit, he retrieves the private key of the server, mounts an attack on the server, gains access to the keys, and also finds out that the EHR shares information with medical claims clearinghouses and insurance companies (some of them affected as well).
Over the course of 48-72 hours, Bob gains access to the medical records of millions of people.
How real is this scenario? Very. It’s not a lot of effort for someone with intermediate IT skills, and the damage is irreparable. In other words, it’s a concern.
Why have the healthcare device manufacturers been so quiet? It’s expensive to recall every device that is affected, remediate the systems, issue a firmware update, and take it through the FDA again. The problem is, someone needs to point out that this is a problem. So I guess I’m doing it.
Another thing to consider: every doctor and pharmacy uses a system that is in one way or another connected to the internet. In fact, many practice management systems and EMRs are internet hosted. How many of those are affected? Even if you haven’t seen your doctor in a long while, he may have upgraded his system to store his records in the cloud.
How about pharmacies? You get the idea. They’re all susceptible.
This needs to be brought to the forefront and addressed, as the entire healthcare vertical has been almost completely silent about the whole issue. Remember, people: in the US, healthcare isn’t about saving lives, it’s about making money and controlling information.
Spread the word.