<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: physician]]></title>
    <link>http://securityratty.com/tag/physician</link>
    <description></description>
    <pubDate>Fri, 01 Feb 2008 13:44:24 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Florida doctor sentenced to 33 years in prison for child porn]]></title>
      <link>http://securityratty.com/article/16feef84af83558b53107909de04eb6d</link>
      <guid>http://securityratty.com/article/16feef84af83558b53107909de04eb6d</guid>
      <description><![CDATA[A Florida physician is sentenced to more than 33 years in prison after being convicted of child pornography...]]></description>
      <content:encoded><![CDATA[A Florida physician is sentenced to more than 33 years in prison after being convicted of child pornography charges.<br style="clear: both;"/>
]]></content:encoded>
      <pubDate>Tue, 25 Nov 2008 02:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/child pornography charges">child pornography charges</category>
      <category domain="http://securityratty.com/tag/florida physician">florida physician</category>
      <category domain="http://securityratty.com/tag/prison">prison</category>
      <source url="http://feeds.computerworld.com/click.phdo?i=469710b8495ec7fbd6f7f4933452b670">Florida doctor sentenced to 33 years in prison for child porn</source>
    </item>
    <item>
      <title><![CDATA[Physicians and medics]]></title>
      <link>http://securityratty.com/article/7adb13787fc49d900aec6992f29eedc8</link>
      <guid>http://securityratty.com/article/7adb13787fc49d900aec6992f29eedc8</guid>
      <description><![CDATA[My thanks to Mike Rothman who last week gave me credit for "fighting the good fight". I'd like to think he's right -- it has been a bit of a struggle over the years, I'd like to think I'm winning (or at...]]></description>
      <content:encoded><![CDATA[<p>My thanks to Mike Rothman who last week gave me credit for “f<a href="http://securityincite.com/blog/mike-rothman/the-daily-incite-may-20-2008">ighting the good fight</a>”.  I’d like to think he’s right &#8212; it has been a bit of a struggle over the years, I’d like to think I’m winning (or at least managing a draw) as I continue the struggle, and I&#8217;d like to think it&#8217;s worthwhile.  Mike does seem to continue to question the pragmatism of my approach though, which is what this post is about.</p>
<p>Don&#8217;t get me wrong.  I greatly admire the work Mike does and wish he and his book had been around when I started out as a CISO.  Would have saved me significant pain and suffering.  On the other hand, if I’d had Mike’s P-CSO I might have become complacent and ended up believing that’s all there was to being a CISO.  Not that I think Mike is advocating complacency &#8212; he’s not.  I also don&#8217;t think he discounts risk analysis concepts.  He’s simply focused on helping that component of our profession who’s just getting started or who faces other practical constraints in dealing with our very complex problem space.  His is a necessary and highly valuable contribution, and he provides it in an entertaining way that&#8217;s too rare.</p>
<p>Let me set this discussion in a medical analogy context.  If I was in the middle of nowhere or didn’t have the resources for a physician, then a medic who’s skilled in lifesaving basics would do just fine.  However, if the situation called for a deeper understanding of the complex, sometimes subtle health considerations, then I’d prefer a physician.  Someone who <strong>didn’t</strong> say;  “<em>Boy, this anatomy and physiology stuff is complicated.  I’m just going to stick with</em> ‘<em><a href="http://kids.niehs.nih.gov/lyrics/bones.htm">The hip bone is connected to the back bone&#8230;</a></em>’”   My physician may, of course, choose to follow a pragmatic, commonly-used course of treatment, but they’d be able to do so with a deeper understanding of the problem space, greater (but not perfect) certainty that the course of treatment would work, and a better ability to explain to me, the patient, why I had to swallow this bitter pill, undergo the knife, or have this long tube snaked into one of my orifices.  </p>
<p>Yes, I realize that physicians sometimes get it wrong, sometimes get wrapped up in fancy and even unnecessary procedures, and can drive up costs.  That&#8217;s just as true as what can happen at the other end of the spectrum &#8212; the shaman who operates entirely by superstition, faith, FUD, and intuition.  The point is, there’s absolutely a need for both medics and physicians (and levels in between).  We, as professionals, can choose where we want to be within that continuum.  With this in mind, a few things to consider are:</p>
<ul>
<li>In the heat of battle, when resources are limited, or when it just makes sense, physicians always have the option of behaving as medics and sticking with the bare essentials (the reverse isn’t true).  In fact, the best physicians I&#8217;ve encountered are pragmatic in their approach but have the deeper knowledge to leverage when need arises</li>
<li>Medics might effectively deal with 80+% of our problems, but that remaining ~20% can be critical </li>
<li>A person can start out as a medic and then become a physician later, as need and resources dictate  </li>
<li>Physicians tend to be paid more</li>
</ul>
<p>Bottom line &#8212; knowledge and understanding are never a bad thing, but it requires extra effort to acquire them.  And, as Mike points out, the simple approach is often good enough and may be all we can hope for given our individual circumstances.  For myself though, I prefer a deeper understanding of our complex problem space.  I want to be able to answer the hard questions about why and how.  But that’s just me.</p>
<p>BTW - I was amused at Mike&#8217;s characterization of risk analysis as Black Magic, as this phrase would also have been used in the past to describe medical and scientific concepts/practices we take for granted today.  </p>
]]></content:encoded>
      <pubDate>Mon, 26 May 2008 16:12:12 +0000</pubDate>
      <category domain="http://securityratty.com/tag/physicians">physicians</category>
      <category domain="http://securityratty.com/tag/medics">medics</category>
      <category domain="http://securityratty.com/tag/mike">mike</category>
      <category domain="http://securityratty.com/tag/mike rothman">mike rothman</category>
      <category domain="http://securityratty.com/tag/deeper knowledge">deeper knowledge</category>
      <category domain="http://securityratty.com/tag/deeper">deeper</category>
      <category domain="http://securityratty.com/tag/simple approach">simple approach</category>
      <category domain="http://securityratty.com/tag/approach">approach</category>
      <category domain="http://securityratty.com/tag/physician">physician</category>
      <source url="http://riskmanagementinsight.com/riskanalysis/?p=360">Physicians and medics</source>
    </item>
    <item>
      <title><![CDATA[University of Miami reports stolen tapes affecting patients]]></title>
      <link>http://securityratty.com/article/25aefe167382d9d14ee98123ecb5a87c</link>
      <guid>http://securityratty.com/article/25aefe167382d9d14ee98123ecb5a87c</guid>
      <description><![CDATA[Date Reported: 4/17/08
Organization: University of Miami
Contractor/Consultant/Branch: Archive America Ltd
Victims: Medical patients that visited university medical...]]></description>
      <content:encoded><![CDATA[
<img src="http://breachblog.com/images/95781-88451/miami.jpg" align="right" height="67" width="105"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>4/17/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.miami.edu">University of Miami</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.archiveamerica.com/">Archive America Ltd.</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Medical patients that visited university medical facilities since January 1st, 1999.<br><br><span style="font-weight: bold;">Number Affected:</span><br>"more than 2 million" (2,000,000+)*<br><br><font size="1">*According to the <a href="http://computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=disaster_recovery&amp;articleId=9080322&amp;taxonomyId=83&amp;intsrc=kc_top">ComputerWorld report</a>.&nbsp; The University of Miami will be notifying 47,000 people whose data may have included credit card or other financial information regarding bill payment</font><br><br><span style="font-weight: bold;">Types of Data:</span><br>Names, addresses, Social Security numbers, health information, and credit card or other financial information<br><br><span style="font-weight: bold;">Breach Description:</span><br>"A private off-site storage company used by the University of Miami has notified the University that a container carrying computer back-up tapes of patient information was stolen.&nbsp; The tapes were in a transport case that was stolen from a vehicle contracted by the storage company on March 17 in downtown Coral Gables, the company reported."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.dataincident.miami.edu/index.htm">University of Miami announcement</a> <br><a href="http://www.jacksonville.com/apnews/stories/041708/D903N77O0.shtml">The Associated Press via The Florida Times-Union</a> <br><a 
href="http://computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=disaster_recovery&amp;articleId=9080322&amp;taxonomyId=83&amp;intsrc=kc_top">ComputerWorld</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The University of Miami<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>University of Miami officials last week acknowledged that six backup tapes from its medical school that contained more than 2 million medical records were stolen in March from a van that was transporting the data to an off-site facility.<br><span style="font-style: italic;">[Evan] I'm not sure where ComputerWorld came up with the 2,000,000 number.&nbsp; I could only find references to the number 47,000.&nbsp; I went with the 2,000,000 in this report because 47,000 doesn't seem large enough for "Anyone who has been a patient of a University of Miami physician or visited a UM facility at any time since January 1, 1999"</span><br><br>Jacqueline Menendez, vice president of communications at the university, said a vehicle used by Archive America Ltd. to transport the patient data was broken into in downtown Coral Gables, Fla., on March 17.<br><br>Thieves removed a transport case carrying the school's computer backup tapes<br><br>Archive America waited 48 hours before finally notifying the university on Mar. 19 about the break-in and theft.<br><br>The university posted an alert about the incident on April 17, a full month after the backup tapes were stolen.<br><br>In a statement, Doctor Pascal J. 
Goldschmidt, senior vice president for medical affairs and dean of the University of Miami Miller School of Medicine, said, "Even though I am confident that our patients' data is safe, we felt that in the best interest of the physician-patient relationship we should be transparent in this matter."<br><span style="font-style: italic;">[Evan] Absolutely a good decision!&nbsp; More organizations should be more transparent in their responses to incidents involving personal information.&nbsp; After all, personal information belongs to the person, not the organization.</span><br><br>Since the incident, Menendez said that the university temporarily stopped transporting backup data off-site<br><br>"At this point, we're not transporting anything until we conduct our own internal evaluation of the incident and see if there's anything that could have been done differently or better,"<br><span style="font-style: italic;">[Evan] I like this response.</span><br><br>Coral Gables law enforcement officials, who are investigating the incident, have informed the school that it was likely a "random theft,"<br><br>Law enforcement is investigating the incident as one of a series of petty thefts in the area.<br><span style="font-style: italic;">[Evan] Interesting that they chose the word "petty".</span><br><br>The stolen backup tapes hold names, addresses, Social Security numbers and health information of all patients at university medical facilities since Jan. 1, 1999.<br><br>Financial data from approximately 47,000 people may be on the missing tapes<br><br>UM says it will notify 47,000 patients by mail whose records may have included credit card or other financial information<br><br>After learning about the data breach, the university contacted local computer forensics companies to see if data on a similar set of backup tapes could be accessed.<br><br>security experts at Terremark Worldwide Inc. 
"tried for days" to decode the data but could not because of proprietary compression and encoding tools used to write data to the storage tapes.<br><br>“For more than a week my team devised a number of methods to extract readable data from the tapes,’’ said Christopher Day, senior vice president of the Secure Information Services group at Terremark.&nbsp; “Because of the highly proprietary compression and encoding used in writing the tapes, we were unable to extract any usable data.’’<br><br>Alan Brill, senior managing director at Kroll Ontrack, who was asked by the University to review the testing that had been done, said:&nbsp; “While the report shows it is not impossible to access the data, in this case there are many barriers that stand between a thief and being able to actually get usable data from the tapes. If the thief cannot cross all of those barriers simultaneously, they can’t access the data.’’&nbsp; Based on this information, the University believes misuse of the information on the tapes is unlikely.<br><span style="font-style: italic;">[Evan] I very much respect Ontrack's views on data recovery.&nbsp; These guys are the experts in data recovery.</span><br><br>"The university feels confident that the person who took [the tapes] doesn't know what they have. 
Even if they do know what's contained inside, it's very difficult to extract that information,"<br><br>The school regularly sends its data off-site as a precaution against hurricanes and other natural disasters.<br><br>the University has also established a call center at 1-866-628-4492<br><br><span style="font-weight: bold;">Commentary:</span><br>Minus the amount of time it took for the school to get the word out (for which there might be good reason), I am impressed with the school's response to this incident.&nbsp; The fact that they chose to consult with two independent "experts" about the risk of disclosure and convincing them to comment publicly was an excellent move.&nbsp; The school's transparency about this incident instills a sense of trust and honesty that could have easily turned the other way.&nbsp; Other organizations could stand to learn a thing or two here.&nbsp; Kudos to the school's management team. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Fri, 25 Apr 2008 11:34:41 +0000</pubDate>
      <category domain="http://securityratty.com/tag/personal information belongs">personal information belongs</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/tapes">tapes</category>
      <category domain="http://securityratty.com/tag/university">university</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/financial information">financial information</category>
      <category domain="http://securityratty.com/tag/secure information services">secure information services</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/usable data">usable data</category>
      <source url="http://breachblog.com/2008/04/25/miami.aspx">University of Miami reports stolen tapes affecting patients</source>
    </item>
    <item>
      <title><![CDATA[Hacking Medical Devices]]></title>
      <link>http://securityratty.com/article/37658bc7d1969005433e45072648fe0d</link>
      <guid>http://securityratty.com/article/37658bc7d1969005433e45072648fe0d</guid>
      <description><![CDATA[Okay, so this could be big news: But a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker...]]></description>
      <content:encoded><![CDATA[<p>Okay, so <a href="http://www.nytimes.com/2008/03/12/business/12heart-web.html?ref=business">this</a> could be big news:</p>

<blockquote>But a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker.

<p>They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal -- if the device had been in a person. In this case, the researchers were hacking into a device in a laboratory.</p>

<p>The researchers said they had also been able to glean personal patient data by eavesdropping on signals from the tiny wireless radio that Medtronic, the device’s maker, had embedded in the implant as a way to let doctors monitor and adjust it without surgery.</blockquote></p>

<p>There's only a little bit of hyperbole in the <i>New York Times</i> article.  The research is being conducted by the <a href="http://www.secure-medicine.org/">Medical Device Security Center</a>, with researchers from Beth Israel Deaconess Medical Center, Harvard Medical School, the University of Massachusetts Amherst, and the University of Washington.  They have two published papers:</p>

<ul><li>"<a href="http://www.secure-medicine.org/PervasiveIMDSecurity.pdf">Security and Privacy of Implantable Medical Devices</a>," Daniel Halperin, Thomas S. Heydt-Benjamin, Kevin Fu, Tadayoshi Kohno, and William H. Maisel, IEEE Pervasive Computing, January 2008.</li>

<li>"<a href="http://www.secure-medicine.org/icd-study/icd-study.pdf">Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses</a>," Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, and William H. Maisel, IEEE Symposium on Security and Privacy, May 2008.</li></ul>

<p>This is from the <a href="http://www.secure-medicine.org/icd-study/icd-faq.html">FAQ</a> for the second paper (an ICD is an implantable cardiac defibrillator):</p>

<blockquote>As part of our research we evaluated the security and privacy properties of a common ICD. We investigate whether a malicious party could create his or her own equipment capable of wirelessly communicating with this ICD.

<p>Using our own equipment (an antenna, radio hardware, and a PC), we found that someone could violate the privacy of patient information and medical telemetry. The ICD wirelessly transmits patient information and telemetry without observable encryption. The adversary's computer could intercept wireless signals from the ICD and learn information including: the patient's name, the patient's medical history, the patient's date of birth, and so on.</p>

<p>Using our own equipment (an antenna, radio hardware, and a PC), we found that someone could also turn off or modify therapy settings stored on the ICD. Such a person could render the ICD incapable of responding to dangerous cardiac events. A malicious person could also make the ICD deliver a shock that could induce ventricular fibrillation, a potentially lethal arrhythmia.</blockquote></p>

<p>Of course, we all know how this happened.  It's a story we've seen a zillion times before: the designers didn't think about security, so the design wasn't secure.</p>

<p>The researchers are making it very clear that this doesn't mean people shouldn't get pacemakers and ICDs.  Again, from the FAQ:</p>

<blockquote>We strongly believe that nothing in our report should deter patients from receiving these devices if recommended by their physician. The implantable cardiac defibrillator is a proven, life-saving technology. We believe that the risk to patients is low and that patients should not be alarmed. We do not know of a single case where an IMD patient has ever been harmed by a malicious security attack. To carry out the attacks we discuss in our paper would require: malicious intent, technical sophistication, and the ability to place electronic equipment close to the patient. Our goal in performing this study is to improve the security, privacy, safety, and effectiveness of future IMDs.

<p>For all our experiments our antenna, radio hardware, and PC were near the ICD. Our experiments were conducted in a computer laboratory and utilized simulated patient data. We did not experiment with extending the distance between the antenna and the ICD.</blockquote></p>

<p>I agree with this answer.  The risks are there, but the benefits of these devices are much greater.  The point of this research isn't to help people hack into pacemakers and commit murder, but to enable medical device companies to design better implantable equipment in the future.  I think it's great work.</p>

<p>Of course, that will only happen if the medical device companies don't <a href="http://www.nytimes.com/2008/03/12/business/12heart-web.html?_r=1&ref=business&oref=slogin">react like idiots</a>:</p>

<blockquote>Medtronic, the industry leader in cardiac regulating implants, said Tuesday that it welcomed the chance to look at security issues with doctors, regulators and researchers, adding that it had never encountered illegal or unauthorized hacking of its devices that have telemetry, or wireless control, capabilities.

<p>"To our knowledge there has not been a single reported incident of such an event in more than 30 years of device telemetry use, which includes millions of implants worldwide," a Medtronic spokesman, Robert Clark, said. Mr. Clark added that newer implants with longer transmission ranges than Maximo also had enhanced security.</p>

<p>[...]</p>

<p>St. Jude Medical, the third major defibrillator company, said it used "proprietary techniques" to protect the security of its implants and had not heard of any unauthorized or illegal manipulation of them.</blockquote></p>

<p>Just because you have no knowledge of something happening does not mean it's not a risk.</p>

<p>Another <a href="http://blogs.wsj.com/health/2008/03/12/how-to-hack-a-defibrillator/">article</a>. </p>

<p>The general moral here: more and more, computer technology is becoming intimately embedded into our lives.  And with each new application comes new security risks.  And we have to take those risks seriously.</p>
]]></content:encoded>
      <pubDate>Wed, 12 Mar 2008 07:39:59 +0000</pubDate>
      <category domain="http://securityratty.com/tag/devices">devices</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/malicious security attack">malicious security attack</category>
      <category domain="http://securityratty.com/tag/cardiac">cardiac</category>
      <category domain="http://securityratty.com/tag/security risks">security risks</category>
      <category domain="http://securityratty.com/tag/dangerous cardiac events">dangerous cardiac events</category>
      <category domain="http://securityratty.com/tag/risks">risks</category>
      <category domain="http://securityratty.com/tag/icd incapable">icd incapable</category>
      <category domain="http://securityratty.com/tag/icd">icd</category>
      <source url="http://www.schneier.com/blog/archives/2008/03/hacking_medical_1.html">Hacking Medical Devices</source>
    </item>
    <item>
      <title><![CDATA[Reproductive Medicine Center doctor loses patient data on flash drive]]></title>
      <link>http://securityratty.com/article/7cafc4d39b92de39bede359c51fd089c</link>
      <guid>http://securityratty.com/article/7cafc4d39b92de39bede359c51fd089c</guid>
      <description><![CDATA[Date Reported: 1/30/08
Organization: University of Minnesota Physicians
Contractor/Consultant/Branch: Reproductive Medicine Center
Victims: Patients
Number Affected...]]></description>
      <content:encoded><![CDATA[
<img src="http://breachblog.com/images/95781-88451/pedstwins.jpg" align="right" height="190" width="159"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>1/30/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.umphysicians.umn.edu/home.aspx" target="_blank"> University of Minnesota Physicians</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.umphysicians.umn.edu/clinics_min_objectname_Reproductive_Medicine_Center.html" target="_blank"> Reproductive Medicine Center</a>&nbsp; <br><br><span style="font-weight: bold;">Victims:</span><br>Patients<br><br><span style="font-weight: bold;">Number Affected:</span><br>3,100<br><br><span style="font-weight: bold;">Types of Data:</span><br>Patient information including details of infertility treatments<br><br><span style="font-weight: bold;">Breach Description:</span><br>A doctor with the University of Minnesota Physicians, Reproductive Medicine Center lost a flash drive containing sensitive personal information belonging to patients.&nbsp; He was using the flash drive to back-up his data.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://wcco.com/health/doctor.patient.information.2.642107.html" target="_blank"> WCCO Channel 4 news</a> <br><a href="http://video.aol.com/video-detail/doctor-loses-flash-drive-with-patient-information/260148420" target="_blank"> AOL Video</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Esme Murphy, WCCO<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br><a href="http://www.umphysicians.umn.edu/clinic_defined_area_AREA_rmc_team_cda_nagel_CLINIC_reproductive_medicine_center.html" target="_blank"> Dr. Theodore Nagel</a>, a doctor at the fertility clinic, lost a flash drive that he used to back up his computer. 
The drive holds details of infertility treatments for 3,100 patients going back to 1999.<br><br>"The physician who is affected is absolutely mortified and we are also very concerned," said Dr. Bobbi Daniels, U of M Physicians Medical Director.<br><br>University of Minnesota regulations require doctors to encode information on flash drives. Nagel did not do that on his flash drive nor did he use a password.<br><span style="font-style: italic;">[Evan] It's nice to see that the University of Minnesota has requirements for how information on flash drives must be stored.&nbsp; It stinks that Dr. Nagel did not follow the requirements.&nbsp; I wonder if he was aware.&nbsp; </span><br><br>"I think this would be the hardest for people that are currently undergoing fertility treatments," said Amy Anderson, a former infertility patient.<br><br>"You are talking about your sexuality and just a lot of private medical issues," said Anderson.<br><br>"It is hard but once and a while accidents do happen," said Anderson.<br><br>Nagel reported the loss of the drive himself and he's written the patients a letter of apology.<br><span style="font-style: italic;">[Evan] I almost feel bad for Dr. Nagel</span><br><br>The clinic has also set up a hot line for those affected. The lost drive did not contain any financial or social security information.<br><br><span style="font-weight: bold;">Commentary:</span><br>No financial risk to affected individuals, but huge personal privacy risk.&nbsp; A word or two, do NOT use flash drives as data backups.&nbsp; If you must, then don't go WITHOUT strong encryption (and don't write down the key/password). <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Fri, 01 Feb 2008 13:44:24 +0000</pubDate>
      <category domain="http://securityratty.com/tag/drive">drive</category>
      <category domain="http://securityratty.com/tag/flash drive">flash drive</category>
      <category domain="http://securityratty.com/tag/flash">flash</category>
      <category domain="http://securityratty.com/tag/drive holds details">drive holds details</category>
      <category domain="http://securityratty.com/tag/lost drive">lost drive</category>
      <category domain="http://securityratty.com/tag/sensitive personal information">sensitive personal information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/social security information">social security information</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <source url="http://breachblog.com/2008/02/01/uofmphysicians.aspx">Reproductive Medicine Center doctor loses patient data on flash drive</source>
    </item>
  </channel>
</rss>
