Vulnerability Test: NEHEN Security
Anthony Bettini wants to cross over.
No, not to the afterlife. He's just 22.
Instead, he wants to prove that it's possible to use the 50 characters allowed in two data fields of a Web page at Beth Israel Deaconess Hospital in Boston to grab data that he could use to gain access to information about patients and medical transactions at the Tufts Health Plan across town.
The objective requires that he figure out a way to put half his script in one of the fields and then use the computer equivalent of an "and" sign to continue his script in the other field.
For four hours, he has been inching closer to figuring out how to cram his sequence of instructions into the maximum 50 numbers and letters available.
Shortly after lunch on his second day of trying, Bettini is able to "throw the code" and get the script to work. Under a certain set of conditions, he now could prove that an attack could be launched against the Tufts server from another part of the New England Healthcare EDI Network.
Not that he wants to. Bettini is a white hat, working for Guardent Inc., a Waltham, Mass., company that assesses the vulnerability of computer networks to attacks from insiders and intruders.
Its task on the first Thursday and Friday of 2002: To find chinks in the armor of NEHEN, the four-year-old medical network that is regarded as a model for how to create a secure means of exchanging patient information electronically between hospitals and insurers.
When he and James Foster, also 22, are done, they will have found three "high risk" vulnerabilities in the NEHEN system, five "medium" risks and five "low" risks.
None will last long, with each of the risks identified in the vulnerability test requested by Baseline being fixed by network administrators before publication. Nor does Guardent even try to prove that an outsider could get unauthorized access to any sort of patient name, address or medical care information.
Indeed, the network uses private leased lines. Also, none of its gateways are "dual-homed"; that is to say, also connected to the Internet, and therefore they are not vulnerable to outside attack.
Beyond that, the attack that Bettini has spent so much time pursuing could be successful only when a fortuitous and complex series of conditions occur at the same time. For instance, a malicious e-mail would have to be sent to a network user using an outmoded and faulty version of Microsoft Outlook, who would open the e-mail at the same time he or she was accessing the health care network for other purposes. Just for starters.
But even obscure chinks are chinks. And Bettini and Foster are acting as the most likely of threats: knowledgeable insiders who may have axes to grind. In that context, it's almost impossible to completely lock down any network, medical or otherwise.
"It's very unusual that you do a test like this," says Jonas Hellgren, a managing director of Guardent, "and you don't find anything. It's very difficult for anyone to keep any application locked down and tight over time."
Yet it's not that hard for Foster and Bettini to find some simple oversights that could, on the wrong fingertips, represent what they believe to be a "huge confidentiality leak."
On one Web page belonging to the CareGroup of hospitals, which includes Beth Israel Deaconess, the pair find a file available to all authenticated users, from receptionists on up, that contains passwords to a Tufts file transfer server. In effect, a CareGroup user could be used to potentially compromise a non-CareGroup server, something that is not supposed to happen on this highly secure electronic infrastructure of New England health care institutions.
The Tufts firewall may still have prevented access. But, from the CareGroup side, the antidote is a quick 20-second fix, limiting access to this file to administrators only.
The original point remains: In secure networks, only administrators should have access to administrative functions. Users should not be able to get such data as other user identification information, passwords or even communication port IDs.
Also of concern to Bettini and Foster are some of the communications channels in the network. Leased data circuits connect gateways between the member institutions to each other. The idea: to remove the pipes from access by outsiders.
This way, there is essentially no way the leased lines between gateways could be compromised, maintains Kristofer Karas, technical security engineer for information security at CareGroup.
A vulnerability here would assume that some individual is sophisticated enough to break into the telephone company's servers and find a way to put a tap on a fiber connection, then use some sort of advanced tools to capture the raw pool of packets that are being relayed along these lines as frames of data and to sort the data into some sort of intelligent output.
"These are all well beyond the techniques of a typical script-kiddie," says Karas.
But the members of the network have chosen to send data unencrypted over those leased lines, which concerns Guardent. That means that a knowledgeable foe could place a sniffer on a compromised server behind a gateway and pull off information about patients and the care they are seeking without having to crack it, or the leased lines between gateways, at all.
A person smart enough to grab packets in some fashion off private lines between gateways probably would be smart enough, Karas notes, to break into a hospital's own internal network and bypass NEHEN altogether. Crackers are famous, he says, for "going for the path of least resistance."
Bettini and Foster indeed are more concerned about CareGroup's internal network, anyway. The highest risk, in their estimation, is in the unencrypted traffic inside CareGroup between one of its older database servers and the gateway that leads out to the New England-wide network.
The risk here is that a malicious insider could put a tap of some sort on traffic to and from the database and find out what outsiders want to know about CareGroup patients.
But CareGroup Chief Information Officer John Halamka notes that the NEHEN gateway and his hospital organization's database system are connected by private fiber lines. "There is no risk that this could be sniffed or intercepted," he says. "I know of no company in America that encrypts traffic in its data center."
Which brings the Guardent test back to its original conclusion: That medical networks such as this are vulnerable not so much to outside individuals that have some sort of vendetta against patients under their care as to the disgruntled or wrongly curious employee.
The vulnerabilities that Guardent found (and CareGroup fixed) are "subtleties that are largely theoretical in nature that they [cannot] actually exploit," at this juncture, said Halamka. And when insiders go bad and try to use the system in some unauthorized fashion, as happens from time to time, logs and other mechanisms make it easy to redress their actions, he says.
"We fire them," he says.
How the Testing Was Conducted
Guardent Inc., a leading provider of computer network security services based in Waltham, Mass., performed a series of tests at Beth Israel Deaconess Hospital that:
Sources: Caregroup, Guardent, Baseline