Information Security News mailing list archives

Hospital records hacked hard


From: William Knowles <wk () C4I ORG>
Date: Thu, 7 Dec 2000 03:33:08 -0600

http://www.theregister.co.uk/content/6/15285.html

By: Kevin Poulsen
Posted: 07/12/2000 at 03:44 GMT

A sophisticated hacker took command of large portions of the
University of Washington Medical Centre's internal network earlier
this year and downloaded computerized admissions records for four
thousand heart patients, SecurityFocus has learned.

The intrusions began in June, and continued until at least mid-July,
before network administrators at the Seattle teaching hospital
detected the hacker and cut him off. The medical centre was reportedly
unaware that patient records were downloaded, and elected not to
notify law enforcement agencies of the intrusions.

"It's a story of great incompetence," said the hacker, a 25-year-old
Dutch man who calls himself 'Kane'. "All the data taken from these
computers was taken over the Internet. All the machines were exposed
without any firewalls of any kind."

SecurityFocus reviewed portions of the databases the hacker
downloaded. One file catalogues the names, addresses, birth dates,
Social Security numbers, heights and weights of over four thousand
cardiology patients, along with each medical procedure they underwent.
Another file provides similar information on seven hundred physical
rehabilitation patients. A third file chronicles every admission,
discharge and transfer within the hospital during a five-month period.

"I can say we're investigating an incident," said hospital
spokesperson Walter Neary. "We are taking it very seriously."

In a telephone interview, Kane said he did not tamper with any
hospital data, and described his forays into the hospital's network as
a renegade public service aimed at exposing the poor security
surrounding medical information.

A self-described computer security consultant by trade, the hacker
said his illicit investigation was inspired by a conversation with a
colleague, in which they wondered aloud about how well highly
sensitive computers were protected. "The conversation came around to
medical data, which is sensitive indeed, and I thought I'd have a look
around," said Kane.

The hacker said his quest also led him to crack a university medical
centre in New York, and one in Holland, but neither of those
penetrations gave him significant access.

David Dittrich, a well-known security guru and a senior security
engineer at the University of Washington, helped the hospital's
computer staff evaluate the incident at the time. Dittrich agreed that
the intruder's motives appeared to differ from those of the common
cyber vandals and Web taggers he confronts daily.

"There are much less frequent intrusions where they will be very
up-front about what they know, to try and scare people into doing
something about the problem," said Dittrich. "This particular incident
was more along those lines."

The incident highlights the unique vulnerability of university
hospitals, which tend to adopt the generally relaxed security posture
of academia. "Private hospitals in general don't have an Internet
presence, except for a Web page," says Kane. "But universities are
traditionally insecure, and they use the same methodologies for their
medical centres."

A University of Washington Medical Centre IT worker, speaking on
condition of anonymity, agreed with the hacker's evaluation, and said
there continues to be little support within the centre and the
university for erecting firewalls between the hospital and the
Internet -- even after the intrusions.

The worker said that with more effort, an intruder could have gained
access to even more sensitive data. Although the hospital deployed
personal firewalls after the incident, the worker painted a bleak
picture of the hospital's state of network security. "I'm confident
that it hasn't happened since then," said the worker. "But that it
couldn't happen again? No."

Dittrich acknowledged that the university, including the medical
centre, has no perimeter firewall, but added that he didn't believe a
firewall would fix the problem. The sheer size and complexity of the
medical centre, and the rapid rate at which it embraces new
technology, makes it vulnerable. "You can get to a point where you're
almost too big to survive," Dittrich said.

The hacker gained initial access through a Linux system in the
hospital's pathology department. That system was running the client
side of a remote administration tool called VNS, which allowed him
access to a Windows NT box. From there he exploited file shares and
remote administration relationships and used Trojan horses to expand
his access throughout the network.

According to Kane, some of the backdoors installed in the network
remained in place, undetected, until September -- long after
administrators thought they had evicted him. "If I've been in over
this period of time, how many other people have done it?" asked the
hacker.

The University of Washington Medical Centre was ranked thirteenth in
the nation by US News & World Report's annual list of America's finest
hospitals.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".