I live in Modiin in Israel and among my other vices (software development and women), I ride bikes (mountain and road).
Four years ago, I crashed in the Ben Shemen Forest. Going up a dirt ramp, I flipped and landed on my side, cracking my helmet.
After regaining consciousness, and with some help from a fellow rider; I cleaned myself up and rode home. After taking a shower, and soaping down abrasions on shoulders and face, I walked over to my doctor.
The doc did a quick neurological exam – pronounced me ok, and said I was her second bike crash victim of the morning and by far worse looking even though her first patient broke a clavicle.. She sent me for an x-ray. The x-ray place is a short walk from the office and they are networked to my HMO.
By the time, I returned to my physician, she already had the imaging results and said I had not broken anything and said I was good to go. In fact, it was a month before I was good to go and another 3 years before I got on a mountain bike again. Instead, I road bike; my friends say I have a death wish, but I was scared of flipping over again.
The results of a patient visit, together with the diagnosis (“Good to go”) and the imaging results (“haven’t broken anything”) are stored in EHR systems.
Health information exchanges (HIE) enable the sharing of electronic health records by physicians and other healthcare providers, enabling my family physician to see the results without getting up from her desk or without me schlepping paper or CD.
The basic idea is simple. Save time and ensure reliable and accurate data.
Modeling HIE after retail supply chain networks is a very bad idea
Unfortunately, HIE (healthcare information exchanges) are being modeled by people in the US healthcare IT industry after the retail industry supply-chain model. You swipe your VISA credit card in Old Navy on West 34th Street in NYC and it gets processed through the VISA payment network and eventually debits your bank account in Tel Aviv.
You visit a physician, he enters the results of the encounter, your imaging and lab work go into the national healthcare network, where state and regional “switches” move your EHR data to the next physician visit.
The vision of a US National healthcare network that consolidates a supply chain of healthcare information at local, state and national levels is frightening on many levels.
A US national HIE network will be highly vulnerable to cascade failures
Let’s imagine what kind of vulnerabilities and threats of cascade failures exist if the US were to build an interconnected national healthcare network of HIEs.
There is a huge, unmitigated threat surface of transactions that are transported inside the healthcare organizations and between healthcare business units using message queuing technology. Message queuing is a cornerstone of retail commerce (and healthcare information exchanges) and in a highly interconnected system, there are lots of entry points all using similar or same technology – Websphere MQ Series, TIB.
Since most healthcare organizations are focused on perimeter security; attackers can tap in, steal the data on the message bus and use it as a springboard to launch new attacks on the next HIE in the supply chain.
It is plausible that well placed attacks on message queues in an intermediary regional HIE players (for example a state level clearing house) could not only result in the inability of the regional HIE processor to clear healthcare transactions but also serve as an entry point into upstream and downstream systems.
A highly connected stem of networked message queues is a convenient and vulnerable entry point from which to launch attacks; these attacks can and do cascade.
If these attacks cascade, the entire healthcare system will crash.
I started thinking about the vulnerabilities of a large interconnected network after having lunch on the Bat Yam boardwalk with my friend Maryellen Ariel Evans on her last visit to Israel.
Maryellen is passionate about message queueing security:
"I realized that it is not just the large threat surface of a very big, very complex network of HIEs. It is not just the large number of attacker entry points in a very big, very complex network of HIEs. It is the threat of a cascade failure due to the fact that everyone is using the same technology and following the same compliance checklists from HHS. Since everyone is using the same technologies and the same HIPAA compliance checklist – life is sweet for attackers – who know exactly what vulnerabilities everyone has."
Back to the future in September 2003
A report from a stellar cast of information security experts and thought leaders shows that the complexity and dominance of Microsoft’s Windows operating system in US Federal agencies makes the US government prone to cyber attack – a national security threat.
Dan Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, Charles Pfleeger, John Quarterman and Bruce Schneier wrote a report titled: CyberInsecurity: The Cost of Monopoly How the Dominance of Microsoft’s Products Poses a Risk to Security.
A commonly used claim by Microsoft proponents is that all operating systems have vulnerabilities and Windows is no better nor worse than Linux or OS/X. If “you” patch properly everything will be hunky-dory.
There are a number of reasons why this is fallacious, to quote the report:
- Microsoft is a near-monopoly controlling the overwhelming majority of systems. This means that the attack surface is big, on a US national level.
- Microsoft has a high level of user-level lock-in; there are strong disincentives to switching operating systems.
- Microsoft’s operating systems are notable for their incredible complexity and complexity is the first enemy of security.
- The near universal deployment of Microsoft operating systems is highly conducive to cascade failure; these cascades have already been shown to disable critical infrastructure.
- Even non-Microsoft systems can and do suffer when Microsoft systems are infected.
- This inability of consumers to find alternatives to Microsoft products is exacerbated by tight integration between applications and operating systems, and that integration is a long-standing practice.
- Security has become a strategic concern at Microsoft but security must not be permitted to become a tool of further monopolization.
- After a threshold of complexity is exceeded, fixing one flaw will tend to create new flaws; Microsoft has crossed that threshold.
If Windows is a threat to national security because it’s used in Federal government offices, Windows is really a bad idea when used in hospital HIES, state HIEs and then in nationwide level HIES.
A US national HIE network will be the death of patient privacy.
We know that the first sin of the 7 deadly sins of software development is making the software complex. Complexity is the enemy of security because with complex software, there are more design flaws, more software defects and more interfaces where vulnerabilities can arise.
Similar to the history of data security breaches of retail systems, the healthcare IT industry is (or may soon be) facing a steeply increasing curve of data security and patient safety events.
In the past 5 years, over 300 million credit cards have been breached. It is a reasonable assumption that your card and mine is out there. The damage to your credit card being breached is minimal. Life goes on.
Instead, let’s imagine that 300 million personal healthcare records are breached from the “healthcare supply chain”. The damage is not minimal. Your data is being brokered to potential employers and insurance companies. The privacy of you and your family doesn’t exist anymore – anyone can pay a darknet healthcare information broker a small sum of money and know your personal healthcare issues, deny you employment, raise your insurance premiums or blackmail you for financial gain.
We are not in Kansas anymore. Perhaps we should prefer a cascade failure of such a nationwide HIE network and go back to schlepping paper and CDs with those x-ray images.
In a follow-one article, I will propose a better, more secure, far cheaper and much more private alternative to a patch work network of HIEs.
Cross-posted from PathCare