Security Threat Posed by USB-Based Personal Health Records

From Clinfowiki

Adam Wright, B.S. and Dean Sittig, Ph.D. Annals of Internal Medicine. 20 February 2007, Volume 146 Issue 4, Pages 314-315

Introduction: This letter and a published response are reviewed, with comments.

Disclosures: The authors disclosed no financial conflicts of interest. The respondents did identify a relationship with a USB personal health record manufacturer that did not provide a sample device for the study. This reviewer has no financial interest with any party identified, but has been a student of one of the article authors.

Background: USB-based personal health records allow patients to easily transport health information between providers using small thumb drives or flash drives that can hang from a key chain. The drives are inexpensive, popular, and can contain an array of digital information from insurance to medical history, lab results and digital x-ray images. They are being given away free to patients by insurers, health systems and employers.

Question: The question studied was whether USB devices pose a security threat to the physician’s computer and/or network.

Objective: Determine whether USB personal health record devices pose a threat to provider data.

Methods: The authors identified 5 manufacturers of USB personal health records and obtained devices from 3 of the companies; the other 2 companies declined to supply a sample of their device. After analyzing the device structure, attempts were made to modify the software on each available device to perform alternative tasks.

Key Findings: None of the devices studied had protections against this type of software re-engineering. All 3 devices were modified so that when connected to a computer they gave the appearance of normal functioning, while surreptitiously searching for and copying data from the computer to a hidden location on the USB device.

Discussion: The authors note that the security threat posed by “existing patient-controlled USB devices is serious”. Depending on how the USB software is modified, programs on the device could potentially:

   alter provider data,
   spread computer viruses,
   corrupt the hospital or practice network,
   copy health or financial information,
   or leave software behind that could (for example) copy and send usernames and passwords to a third party;

all while the physician is viewing patient data. Since each of the devices requires that its embedded program be used to view the patient record, and “no reliable mechanism can verify the integrity of these programs”, the authors conclude the only sure way to avoid attack is to avoid using such devices. The authors recommend using web-based personal health records as a safer alternative.
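The authors' point that nothing verifies the integrity of the embedded viewer program is the kind of gap a provider can close on the receiving side. The following is an added example, not code from the letter or from any device vendor: it records a manifest of SHA-256 digests from a known-good copy of a device image, then checks a plugged-in device against it, flagging a swapped program file and an unexpected hidden directory while ignoring the patient's own record files, which are expected to change. File names and the "records" data directory are assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large images are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map every file under a device image (relative POSIX path -> digest)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_device(root: Path, manifest: dict, data_dirs=("records",)) -> dict:
    """Compare a plugged-in device with the manifest of a known-good image.
    Program files must match exactly; files under data_dirs hold the patient's
    own records and are expected to change, so they are not enforced."""
    present = build_manifest(root)
    def is_data(rel): return rel.split("/")[0] in data_dirs
    modified = [r for r, d in manifest.items()
                if r in present and present[r] != d and not is_data(r)]
    missing = [r for r in manifest if r not in present and not is_data(r)]
    unexpected = [r for r in present if r not in manifest and not is_data(r)]
    return {"modified": modified, "missing": missing, "unexpected": unexpected,
            "ok": not (modified or missing or unexpected)}

def demo() -> dict:
    """Constructed scenario: a copy of a good image whose viewer was swapped
    and which gained a hidden directory, as the letter describes."""
    base = Path(tempfile.mkdtemp())
    good, device = base / "good", base / "device"
    (good / "records").mkdir(parents=True)
    (good / "viewer.exe").write_bytes(b"original viewer program")  # hypothetical name
    (good / "viewer.cfg").write_text("mode=readonly\n")
    (good / "records" / "history.xml").write_text("<record/>")
    manifest = build_manifest(good)          # recorded once, from a trusted copy
    shutil.copytree(good, device)
    (device / "viewer.exe").write_bytes(b"replaced viewer program")
    (device / ".cache").mkdir()
    (device / ".cache" / "copied.dat").write_bytes(b"")
    (device / "records" / "history.xml").write_text("<record><visit/></record>")
    return verify_device(device, manifest)
```

In practice the manifest would be published by the vendor and signed, so a provider can verify it without obtaining a reference device first.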

Vendor Response: The respondents take issue with two claims:

1) USB drives pose a significant security risk to physicians, and 
2) Web-based solutions are safer.

They counter that for such computer attacks to be successful, the physician's systems must either lack appropriate anti-virus software, or the malware author needs intimate knowledge of both the personal health record program on the USB device and the physician's computer environment, particularly the file type that is to be infected or stolen. They offer an alternative solution: having a physician open USB patient records on a designated stand-alone computer that does not store sensitive information. With regard to the safety of the web environment, the respondents classify the statement as "more opinion than scientific research", since there was no attempt to test the web environment. They note that cookies could be implanted and that a web interface could leave systems vulnerable to phishing techniques.

Reviewer Comments: This article and its response raise the important issue of endpoint security in health care. To what extent do medical providers bear responsibility for the security of their systems and the devices that interact with them, and to what extent should they reasonably expect that security to be provided by their vendors? Underlying this issue is that of system interoperability. Maintaining software on the USB device facilitates interoperability and information exchange across providers, a desired outcome. However, as the devices are currently designed, this comes at a significant security risk.

Both technology users and their vendors share responsibility for endpoint security. However, the greater burden rests with technology providers, in this instance the manufacturers of USB personal health records. It is the responsibility of health providers to establish for the marketplace their requirements for security. It is alarming that none of the manufacturers included protection against device tampering. That may be a function of price competition (why include security software if it increases the price of the device and the market is not demanding it?).

It is important that the health industry and its practitioners define and advocate for appropriate security if these devices are to be used. Questions of HIPAA compliance in the reasonable protection of private information are now raised. The practice of giving these devices to consumers should be halted.