In a recent post, I discussed healthcare as a new target for cybercriminals (see: Is Medical Cybercrime the "Next Frontier" for Hackers?). A recent article about cyberwar and DARPA's Plan X (see: Inside DARPA's "Plan X" For Cyberwar) called to my mind a scenario whereby hospital EMRs might be a key target as part of a cyberwar or terrorist plot. Below is an excerpt about Plan X:
On September 27, DARPA will hold a workshop to flesh out the government cyberwar strategy called “Plan X.” The one-day workshop consists of a general access session for government employees and contractors, along with a Secret-clearance and above closed session to draw a roadmap for the future of America's cyberwar forces. While the next great virus won't be proposed at the Plan X workshop, the Defense Department's cyberarmy infrastructure development plans...will....Plan X has received $110 million in funding for the next five years. A publicly available DARPA document says that Plan X will “create revolutionary technologies for understanding, planning, and managing cyberwarfare in real-time, large-scale, and dynamic network environments” and “conduct novel research into the nature of cyberwarfare and support development of fundamental strategies and tactics needed to dominate the cyber battlespace.” In other words, Plan X will give Pentagon cybergeeks top-notch tools and research capabilities for the high-tech worms, malware, monitoring equipment, and network infrastructure hijinx that are an integral part of military capability circa 2012. DARPA, however, explicitly stated that Plan X will not fund research and development for the development of cyberweapons or vulnerability analysis. DARPA IS ESPECIALLY INTERESTED IN THE DEVELOPMENT OF CUSTOM, SECURE OPERATING SYSTEMS AND PLATFORMS FOR USE IN “HOSTILE NETWORK ENVIRONMENTS.”
All of the major hospitals in the U.S. have converted, or are in the process of converting, to EMRs. Although all such deployments have backup plans whereby hospital physicians and nurses revert to written records when the system is down, such changeovers are always sub-optimal. These are backup plans that you usually don't want to even try. Many major cyberwar scenarios are bloodless and involve disruption of public utilities such as power grids and water systems. However, I can also envision cyberwarfare in association with terror incidents with mass casualties. Think about the confusion that would ensue if the major hospitals in the cities where such terror attacks took place had their EMRs hacked. The injured could not be triaged and treated efficiently.
I am reporting on these unattractive scenarios, both cybercrime and cyberwarfare, to make the point that EMRs need to operate at a level of security certainly as high as that in critical industries and public utilities. The problem for EMRs is that they also need to provide access to data for patients in the community via patient portals. In my mind, this is a vulnerability that could be exploited. Some hospital systems have already been breached (see: Hospital Management Systems Breached, By @OfficialComrade .c0mrade). Here is part of the message left on a hospital server by a hacker:
Hello, my minions. Let me start off by answering some questions.
Q: Why do you do what you do? A: I’m not in it for treason or pedestrianizing millions around the world, I’m solely in it because Computer Security is the most fitful outlet for me. Nowadays, the Hacking community is motile. There’s hundreds of group who are hostile and make freedom-ring by indulging in illegal matters and leaking information on Websites to industrialize themselves within the scene....
I’ve yet to report [that I have hacked your system] to those who created the dreadful piece of software. I plan on calling them later this afternoon.