Opinion

Online medical data open to attack

By Mustaque Ahamad, Paul Judge
Oct 7, 2010

If you think the latest security threats to social media sites like Twitter and LinkedIn are bad, just wait until attackers set their sights on your home, or your hospital. While hackers attacking your Facebook site may be annoying, it’s not hazardous to your health the way an attack that infects the computer that controls your X-ray or MRI machine might be.

Threats like this are real and have already been observed by researchers. They stand to multiply, with serious consequences for our physical well-being, if we do not demand that health care and other businesses, like utility companies that are moving toward smart grids, build strong computer security into these systems from the start to keep cyber attackers at bay. Cyber security experts are meeting this week at the 2010 Georgia Tech Information Security Summit to discuss the evolving nature of threats to your online and, ultimately, personal security.

Just last month malware infected the computer systems of industrial sites that control the oil, electrical and nuclear power facilities in Iran. In addition, the infection spread quickly to other countries such as India, Pakistan and Indonesia. If these countries’ utility systems aren’t safe, who’s next?

U.S. electrical utilities are moving toward being fully automated to bring greater efficiency to operations, but the digital communications that will enable this will be at greater risk of being attacked. In this race to create the smart grid, no utility company wants to be the first to make headlines on how its system was infected, so these firms must address security threats to keep data safe all the way from the generators to the smart meters at each home.

This year has also seen major milestones in the growth of social networks with Facebook reaching 500 million accounts and Twitter reaching 100 million accounts. This opportunity did not go unnoticed by attackers as they have escalated their efforts to reach users within these networks. For example, a study by Barracuda Labs shows that one in 60 accounts created on Twitter is suspended for malicious or inappropriate use.

What happens when hackers turn their attention to more serious targets, like the health care system? It’s already happening. Colleagues at SecureWorks reported that attempted attacks launched against their health care clients nearly doubled during the last quarter of 2009. USB devices also pose a particular problem for hospital security.

At the information security center at Georgia Tech, we’ve seen hospitals clean their systems after an infection, only to be re-infected by USB devices. Hospitals regularly disinfect their operating rooms; why not their computers?

Medical facilities may face unique challenges because policies for security updates to systems and devices used in patient care have to be harmonized with guidelines set by the various regulatory commissions that govern them.

But these organizations need to take note: Cyber criminals will waste little time in monetizing the sensitive information that can be stolen by infecting your systems. There are thousands of opportunities available to those who want to wreak havoc in patient care. We need to build security into these systems now, or it will be too late.

There are great benefits to having our data online. But consumers need to demand more accountability from the companies they do business with, and security professionals and policymakers need to work together to ensure that security is built into critical systems from the start.

Mustaque Ahamad is the director of the Georgia Tech Information Security Center. Paul Judge is chief research officer and vice president at Barracuda Networks.
