BUSINESS OF MEDICINE

USB = Universal Security Bust?
A broad window of vulnerability for doctors, clinics and hospitals

By David Schulz, CIPP & Ray Sims, CISSP

How is your office like Iran’s nuclear program? Both can be brought down by a simple thumb drive. For doctors, clinics and hospitals, this threat can be a matter of life or death.

Saboteurs used USB flash drives to infect Iran’s military computers with malware that destroyed nuclear enrichment centrifuges, spinning them out of control. Just recently, 18 such thumb drives were scattered in a U.S. hospital where they were likely to be found. Within 24 hours, at least one of them was plugged into the network, delivering a payload of malware. Catastrophe was a single keystroke away.

Fortunately, it was a dry run, a test of the hospital’s safeguards to help guide personnel training. It should guide our own as well. As patients, we are increasingly responsible for our own health records, and there should be more guidance on maintaining and safeguarding these valuable data.

Doctors, clinics and hospitals have a much broader window of vulnerability, which puts patient records at risk as well. With so much digital information flowing in and out of providers’ facilities, regarding patient treatment, payment, or office operations, it may seem convenient for patients to have their records on a thumb drive. But convenience costs. In today’s world of cyber threat, “honey pots” abound, traps that tempt users with convenience or cost-savings but instead deliver misery in the form of malware. And a USB port taps into some of the deepest, most subterranean aspects of a computer’s control system and is a bullseye for cyber criminals.

Just in the first week of September, two brand new USB vulnerabilities were discovered. First, even a locked computer can be tricked into giving up sensitive information such as usernames and passwords from an unprotected USB port. A special device is used that hoodwinks the computer into believing that it is a network adapter. The computer then happily starts sending all of its network traffic to the rogue device. These types of devices have existed for more than a decade, but new software allows them to convince the computer to send even more sensitive information. As the researcher who discovered the vulnerability said, “this is dead simple and shouldn’t work, but it does.” This device is available online for less than $50. (https://lanturtle.com)

Scarier still, a saboteur can now plug in a USB device that electrocutes the equipment to which it’s connected. Brags the manufacturer, “Almost all consumer level hardware fails when tested against the USB Kill 2.0. — Our tests reveal that more than 95 percent of all devices using USB ports will be damaged permanently or completely destroyed by a USB power surge attack.” Again, this device is available online for less than $50. (https://www.usbkill.com/)

It isn’t hard to imagine disgruntled employees or patients, with medical records in hand, or on thumb, wreaking havoc on a provider’s computers and networks. It is important to disable USB ports that are not needed; we recommend physical blockers, as they can stop the power surge attack. While USB has brought a previously unknown convenience to the conveyance of information, it is not without its drawbacks. Providers need to stay informed of new challenges and maintain a risk management program that helps them focus their efforts.

David Schulz, information privacy professional, is executive director of Cyber Risk Associates. Ray Sims, information systems security professional, is managing consultant for Decypher Technologies. They collaborate to provide managed compliance services for HIPAA covered entities, assuring both information privacy and data security safeguards are in place and working.

26 San Antonio Medicine • December 2016
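
Added example, not part of the original article: an inventory check for the first attack described above, in which a USB device presents itself as a network adapter. It assumes a Linux host, where each USB interface's class codes appear under /sys/bus/usb/devices; the function names and the sample device tree are constructed for illustration.

```python
import os
import tempfile

FIELDS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")
# (class, subclass, protocol) values that identify a network adapter, from the
# USB-IF defined class codes. A protocol of None matches any protocol.
NETWORK_INTERFACES = {
    ("02", "06", None): "CDC Ethernet (ECM)",
    ("02", "0d", None): "CDC NCM",
    ("02", "02", "ff"): "RNDIS (vendor-specific ACM)",
    ("e0", "01", "03"): "RNDIS",
    ("ef", "04", "01"): "RNDIS over Ethernet",
}

def _read(path):
    try:
        with open(path) as fh:
            return fh.read().strip().lower()
    except OSError:
        return None

def find_usb_network_adapters(sysfs_root="/sys/bus/usb/devices"):
    """Return (interface, description) for each USB interface acting as a NIC."""
    hits = []
    for name in sorted(os.listdir(sysfs_root)):
        cls, sub, proto = (_read(os.path.join(sysfs_root, name, f)) for f in FIELDS)
        if cls is None:  # a device or hub node, not an interface
            continue
        for (c, s, p), label in NETWORK_INTERFACES.items():
            if (cls, sub) == (c, s) and p in (None, proto):
                hits.append((name, label))
    return hits

def build_sample_tree():
    """Constructed sysfs-like tree: one keyboard, one RNDIS gadget."""
    root = tempfile.mkdtemp()
    sample = {"1-1:1.0": ("03", "01", "01"),   # HID boot keyboard
              "1-2:1.0": ("e0", "01", "03")}   # presents as a network adapter
    for name, values in sample.items():
        os.makedirs(os.path.join(root, name))
        for fname, value in zip(FIELDS, values):
            with open(os.path.join(root, name, fname), "w") as fh:
                fh.write(value + "\n")
    return root

if __name__ == "__main__":
    for iface, label in find_usb_network_adapters(build_sample_tree()):
        print(f"{iface}: {label}")
```

Calling find_usb_network_adapters() with its default path on a workstation lists the real devices, so any entry that is not a known dock or dongle deserves a look. Adapters that use a vendor-specific interface class (ff) are not matched by this table.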