Insecurities in Emergency Rescue

by Metalx1000

Just yesterday, I was having a conversation with my friend at work over the security of medical records.

Today, I turned on the TV and saw a news report about a $10 million ransom for stolen medical records.  Now, of course, the news story focused on the "evil hacker" that did this.  But, let's face it - the guy is a criminal.  He broke in and stole nearly 8.3 million medical records from a website that tracks prescription drug abuse in Virginia.

As a firefighter, I have patients on most of the calls I go on.  A report must be done for each patient, on each call.  In most cases there are multiple medical reports created and submitted for each call.  If there is more than one patient, there is more than one report.  If there is more than one department on scene, there is going to be a report submitted by each department.  And, currently, my department creates two reports for each patient on each call, due to the fact that we have two software applications being used to fill out reports.

Where does the information go once the report is written?  How secure is the transmission of this information?  How secure are the computers that this information is stored on?  Who has access to this information?  I plan on answering as many of these questions as I can with the knowledge I have gathered in my short time with my department.  What I will be sharing with you is only part of the picture.  Due to the sensitive nature of people's personal information, I can't really dig around too deep into the subject.  What I plan to show you is what I have observed in my regular daily routines.  Anyone with a little knowledge of computers, whether it be hardware or software, would notice the same things I have.

And that is the scary part.

One of my main focuses is going to be on "EMS 2000," a common program used by many departments.

EMS 2000 is an application that was designed using Micro$oft Access.  Although Microsoft Access is closed and proprietary, it is a very common application for storing information to tables in a database.  And thanks to its popularity, there are a number of tools out there to view and manipulate the information in a Microsoft Database (MDB) file.

Now that we know what format the information is in, let's have a look at where it's stored.  Each department, whether it be a fire department or EMS, has multiple stations and multiple computers for doing reports.  Each one of these computers stores the data on its hard drive.  The information is stored in a sub-folder of the EMS 2000 program itself.  The MDB files are not encrypted or password protected.  This means that anyone who has physical access to one of these computers has access to all the patient information that has ever been entered.

That brings up the question, "How hard is it to sit down in front of one of these computers without permission?"  The answer: not very hard.

If you are familiar with the job of emergency rescue services, you know that we are in and out of the station all day long.  A short call for us is about 20 minutes.  It's even longer for transport units that have to go all the way to the hospital.

So the opportunity is there.  But what about locks?

Can someone enter a station while no one is there?  Some departments leave their doors unlocked.  My department has combination locks with five numbered buttons.  They are mechanical locks which only allow each button to be used once.  So, 435 could be a combination, but not 445.  Three-digit combinations seem to be the standard, so quick math tells us then that there are only 60 possible combinations.  Even if you went slowly and took six seconds per combination, you could try ten a minute.  That means that it would only take six minutes to try every possible combination.  And, don't forget, you don't have to try every possible combination.  You just have to try until you hit the right one.  Even if the lock used a five-digit combination, it would only take 12 minutes to go through every combination.

Now if we used digital locks, this would be different.

We would have the ability to use the same digits more than once in the combination.  The locks also have more buttons.  Instead of 1 through 5, they have 1 through 10, plus a # key and a * key.  They also lock down for a minute or so if you enter the combination incorrectly three times.

That means you can only try three combinations per minute.  So, quick math again, 12 * 12 * 12 = 1728 possible combinations.  1728 / 3 = 576 minutes.  576 / 60 = 9.6 hours.  You could try every possible combination in 9.6 hours.  That is, if you didn't realize that most of the digital locks have a default unlock code of pressing every key starting at 1 and ending at #.  It's worked on all the ones I've tried.

You may be thinking, "No one is going to do that."  Yeah, you keep telling yourself that.  No one is going to spend 3 minutes at the door of a fire station in order to get information that is worth millions of dollars in identity theft or, as we are seeing in recent days, ransom.

So, if the door isn't already open, it takes someone less than six minutes to get in.  How long does it then take to get the information off of the computer?  Depends on how it's done.

If one is familiar with the software, in this case EMS 2000, 30 seconds.  Stick the flash drive in, grab the MDB file, and go.  If the software is unfamiliar, one can still be in and out in a few seconds.  Someone who may not know exactly what they are looking for can still guess where the good stuff is.  Offices use office files.  MDB, DOC, and XLS files would be a good start.  A program could be written to scan for those files and be executed off of a flash drive or CD.  It would take a while to scan the whole computer, but the thief doesn't need to wait around.  The program could copy the files to one place on the hard drive for later retrieval (since the thief already has the combination to the door).  Or, more likely, the program could transmit the data over the Internet.  Drop a CD in and go.  By the time the thief gets home, he will have all the files waiting for him.

"What about firewalls!" you cry out.  Firewalls are great for keeping things out.  But, they really suck at keeping things in.  Just remember, if you can send emails, or even search Google, you are sending information out.  If you can do that, what makes you think someone else can't?

You're still thinking, "I don't believe anyone would do this."  Right, because if you were a firefighter and you came back to the station and found someone inside, the first thing you would think is, "They must be stealing patient information!"  The thief could say, "I needed to use the phone and the door was unlocked" and, once he left, you would start yelling at each other, "Who left the door unlocked!" or "Someone write up a Notice of Repair on the door!"

Let's say you are right and the person is too scared to go in the station.

Let's take a look at not just where the information is stored, but where it goes and how it gets there.  EMS 2000 uses SQL to send the information to a server.  I used Ettercap to study the network traffic coming out of and going into the computer as it sent reports to the SQL server and saw all the information EMS 2000 was sending flashing by on my screen.  Most of the packets being sent were just binary data, but I did see some ASCII text (plain text words).  When the capture was completed, I needed to search through the data to see what I had.  My name is in the report, so I searched for that.  I was amazed to find not only my name, but my Social Security number as well.  And, not just mine either.

EMS 2000 not only sends the information for the report currently being submitted, but also the entire database of every report ever completed on that computer.  It also sends a database with a list of all the employees in the entire county, along with private information such as Social Security numbers, home addresses, phone numbers, and even email addresses.  And, it was sending it all in unencrypted plaintext.  Now I know that my personal information is sitting on computers all over the county.  Computers that anyone can walk up to.  My personal information was also being sent across the networks at all these locations.
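
The search described above can be made into a repeatable check that an administrator runs over a capture of their own reporting traffic, to confirm whether Social Security numbers leave the workstation unencrypted.  This is an added example, not part of the original article or of EMS 2000; the sample payload is constructed, and the UTF-16 handling is an assumption (the article only mentions ASCII text).

```python
import re

# Readable runs of 6+ characters, as single-byte ASCII and as UTF-16LE.
# The wide-string case is an assumption; the article only reports ASCII.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# SSN shape AAA-GG-SSSS, separators optional, not embedded in a longer number.
SSN = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Constructed sample standing in for one captured payload (not real data).
SAMPLE = (
    b"\x04\x01\x00\x5c\x00\x00"
    + b"name=DOE,JOHN;ssn=123-45-6789;phone=5551234567"
    + b"\x00\xff\x10"
    + "emp ssn 321549876".encode("utf-16-le")
    + b"\xfe\x00"
    + b"unit=000-12-3456"
)


def printable_runs(payload: bytes):
    """Yield (offset, text) for each readable string in a raw payload."""
    for m in ASCII_RUN.finditer(payload):
        yield m.start(), m.group().decode("ascii")
    for m in WIDE_RUN.finditer(payload):
        yield m.start(), m.group().decode("utf-16-le")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues, to cut false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_cleartext_ssns(payload: bytes):
    """Return (offset, masked SSN) pairs so the report itself holds no PII."""
    findings = []
    for offset, text in printable_runs(payload):
        for m in SSN.finditer(text):
            if plausible_ssn(*m.groups()):
                findings.append((offset, "***-**-" + m.group(3)))
    return sorted(findings)


if __name__ == "__main__":
    for offset, masked in find_cleartext_ssns(SAMPLE):
        print(f"cleartext SSN at byte {offset}: {masked}")
```

Any finding means the traffic needs transport encryption; an empty result only shows that no SSN-shaped string was readable in that capture.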

As I said earlier, you have to be on the local network to packet scan and grab the information being sent.  How hard is this to do?  It's easier in some ways than standing at a door for six minutes pushing buttons.  You can sit in your car and push buttons.  Every station I work at has Wi-Fi.  The Wi-Fi is supposed to be encrypted, but half the stations have not been for at least a year.  I don't know why.  On top of that, we are using WEP, which can be easily broken in about 5 minutes.

How else can someone get on the local network at a fire or EMS station?  A physical Ethernet jack will do the trick.  If you can physically plug into the network, there is no password required.  But how can this be done?  You have to be on the network when the report is submitted, to capture the data being sent.  No one is going to hide in the closet with their laptop and wait for you to send a report and then run away.  And nobody puts Ethernet jacks on the outside of a building.  Or do they?

Most offices don't have cubicles outside.  So why have a network jack outside?  Well, the field of emergency rescue services is not like most offices.  Firefighters spend a lot of time in their trucks.  Because of this, there are phones outside by the trucks.  VoIP phones using a SIP protocol.  These phones not only have a Cat 5 network cable plugged into them, they also have an Ethernet port labeled "PC".  You could plug a computer into this port, or a wireless router.  Anyone could walk up, plug a router into the phone, and walk away.  Most people would not have a clue as to why the router is there or if it should be there.

This was just a quick look at a few areas of security that need work.  There is no such thing as a secure computer.  I want to make that clear.  There is always going to be some flaw that will allow information to end up where you may not want it to go.  This is just a fact of life.  But when a hole is found, it should be fixed immediately.

Especially when there is a legal responsibility to protect patients' confidential information.
