Health IT Security Shellshocked by Bash Bug

Potentially more dangerous than Heartbleed, the Bash computer bug could be exploited by hackers who may be able to access a wide range of digital health systems—including computers running electronic medical records, websites, hospital equipment and medical devices.

With stolen medical records now worth 10-20 times more than credit card information on the black market, the discovery of another vulnerability that hackers can exploit does little to allay patients’ fears about the use of digital health services—as well as digital health and wellness devices.

Computer security experts recently discovered a bug in Unix-based operating systems that run:

• Healthcare websites
• Electronic medical records
• Health IT systems
• Hospital equipment
• Medical devices

It’s yet another warning for a healthcare industry that’s getting increasingly vulnerable to cyber attacks.

Health IT Industry Shellshocked by Bash Bug

The bug—called “Bash” or “Shellshock”—can be exploited by hackers to potentially interact with a system, rather than to merely gain access and spy on data like what the Heartbleed bug allows, said a Reuters report.

Linux distribution companies and security firms have scrambled to release patches to address the Bash bug, and medical device makers are expected to do the same in coming weeks.

“An unknown number of devices may contain the flaw, including millions of stand-alone Web servers, Unix and Mac OS X systems, and numerous other Internet-connected devices,” according to a Healthcare Info Security report.

Apache servers—which run half of the 1 billion servers connected to the Internet—run Linux and the Bash command shell installed with it by default.

“It's quite common for embedded devices with Web-enabled front-ends to shuttle user input back and forth via Bash shells, for example - routers, SCADA/ICS devices, medical equipment, and all sorts of webified gadgets are likely to be exposed,” Tod Beardsley, engineering manager at Rapid7, told Healthcare Info Security. 

Multiple Warnings Issued

The US-CERT (United States Computer Emergency Readiness Team) had issued a statement saying that it is:

“aware of a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system.”

The HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) likewise issued an alert:

“to ensure healthcare organizations are appropriately informed and taking steps to safeguard their systems and have sufficient information to communicate the background and implications to others in their organizations.”

HITRUST cited security analyst Troy Hunt, who said that:

“50 percent of web servers use Bash to run commands and that many Internet of Things (IoT) devices and OS X-based servers use Bash—suggesting that even more servers have the Shellshock vulnerability.”

Health IT Security Troubles

The discovery of the Bash bug comes a month after officials discovered that a hacker breached a server of the HealthCare.gov insurance exchange portal.

Weeks earlier, hackers used the Heartbleed flaw to steal 4.5 million patient records of U.S. hospital group Community Health Systems (CHS), which operates 206 hospitals in 29 states.

In another investigation, an unidentified large U.S. healthcare organization with 3,000 doctors and 2,000 other workers was found to be leaking data, making hospital equipment such as defibrillators and insulin pumps vulnerable to outsiders.

According to a survey by the Ponemon Institute, the percentage of healthcare organizations that have reported criminal cyber attacks has doubled to 40% in 2013 from 20% in 2009.

About 90% of the facilities it surveyed encountered hacking attempts last year alone.

The FBI’s Warning to Healthcare

The spike in the number of cyber attacks has prompted the FBI to issue a warning to healthcare organizations:

"The FBI has observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII)," the FBI said in an alert. "These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data."

The FDA Addresses Medical Device Security

Meanwhile, the U.S. Food and Drug Administration (FDA), in coordination with the U.S. Department of Homeland Security, is holding a workshop/conference in October to address cybersecurity.

According to a Washington Post article, the gathering of cybersecurity experts is to engage in:

"identifying cybersecurity gaps and challenges, especially end-of-life support for legacy devices and interconnectivity of medical devices."

The FDA is stepping up efforts to strengthen the medical device industry against hacking attempts since hackers broke into the computer networks of Medtronic, St. Jude Medical and Boston Scientific last year.

Government authorities and computer experts continue to encourage healthcare organizations to beef up their Health IT cybersecurity measures amid increasing threats. Heartbleed and Bash are likely to be the first of many exploits that are yet to be discovered.

Hackers who covet medical information will have plenty of targets as more facilities and providers shift to using electronic health records (EHR), ehealth technologies, and other applications of digital health innovation in the future.