The Department of Veterans Affairs suffered over a billion cyber attacks in March. To put this in some perspective, this amounts to around 500 attacks a second. Let me say that again so it sinks in. The VA is being attacked at the rate of 500 attacks a second, and the bad news is that this number is expected to at least double in coming months. Here is the breakdown for March, taken from the Information Security Monthly Activity Report.
Notice that, at least according to this report, all attempts at breaches were blocked or contained, which is pretty amazing on the surface. Of course, if an attack was successful, it would take some months before that would be discovered. The average length of time to discovery is around 7 months, so if you hear that a breach occurred in the VA records next October, don’t be surprised. However, the main problem is clearly on the horizon. As VA Chief Information Officer Stephen Warren points out, “at some point, if we’re not able to knock this back… we may get overwhelmed.” This could be the understatement of the year. Warren estimated the agency would have as many as 5 billion attempts in April. The exact figures have yet to be released.
I suppose the security architecture at the VA automatically recognizes and stops most attacks at the gateway. That might be, but this still means that server resources are being used. At some point, the VA is bound to reach its limit and the servers will either slow down to the point that they are ineffective or break down completely. This means that at some point the VA will experience, at the very least, a DDoS attack.
It seems to me that the big question here is: Why the VA? Why is it being singled out for such an assault, and who would be the agents behind it? Warren doesn’t think there is anything special about the VA. “It is across the board,” he said, indicating that all government offices are under an equal increase in attacks. I would, however, have to disagree. Attackers nowadays are mainly after information, and no department has more useful information than the VA. Realizing this, and to escape from such information-seeking attacks, Warren wants to store some of the VA data in the cloud. This is confusing in that it assumes cloud storage will be more effective and secure than the VA’s own security. (If your security is stopping virtually all attacks, what more could the cloud offer?) Perhaps they want to lower the volume of attacks on their own site by deflecting them elsewhere. There is no proof this would work and no evidence that cloud storage is more secure than that which the VA currently has in place. In fact, this strategy seems to have some other motive that can best be summarized as: Let someone else be responsible for any cyber breaches that may/will occur.
Let me take a step back here. A few days ago (May 5th), Epic Systems, a company that provides a platform for electronic medical records sharing, signed a contract with IBM Watson to add its power in decision making to the Epic platform. Why is this important? Because Epic Systems controls the health records of 54% of people in the US. It is used by, among others, the Mayo Clinic and Kaiser Permanente. It also works with the VA. In other words, clinics and hospitals and their staffs from all over the US are all connected to the same network. Another way to look at this is to realize that millions of people (281,000 physicians alone) are, at least indirectly, connected to the VA. The connection with Watson could help to increase these connections dramatically. This is because Epic, teamed with IBM, is top in the running for an $11 billion contract with the US Department of Defense. The Department of Defense wants to merge its medical data on military personnel with that of the VA. This would massively increase the amount of information that can be tapped into and massively increase the number of endpoints that must be secured. Herein lies the problem.
Now, it’s not that the two departments weren’t already connected in a number of ways. Many agencies are connected by the eHealth Exchange and other networks. It’s a confusing picture to say the least. According to one definition, “the eHealth Exchange is the nationwide health information exchange comprised of a group of federal agencies and non-federal organizations that came together under a common mission and purpose to streamline and improve patient care and public health reporting through secure, trusted and interoperable health information exchange in the U.S.” Below are shown some of the main participants in this network. Notice that the Department of Defense, Department of Veterans Affairs, and the Social Security Administration use this network. To put it succinctly, breaking into this network would be a hacker goldmine.
Why does the Department of Defense need Epic Systems? It seems that Epic will organize all of the minor networks into one super network or, as one source put it, “a network of networks”. If this is, indeed, true, Epic better have some damn good security. So does it?
This is where we get into some murky waters. Epic Systems is somewhat secretive and has, not infrequently, been compared with a cult. Whether this is true or not is of no interest as long as its product meets security standards. I will, therefore, condense what I’ve learned about Epic from reviewing numerous comments on a variety of forums. Basically, the company hires college graduates and works them as much as they will let themselves be worked. Working 60 hour weeks is not unusual. These new recruits are sent out as ‘consultants’ to help their new customers understand how to use the software, often before the consultants fully understand it themselves.
The software is mainly written in a language developed in the 1960s called MUMPS. According to one Epic employee, “the product still has a lot of code in it that was written in the 70s and 80s and if you support the backend, your job will basically be putting bandaids on top of bandaids. They throw a lot of people at this issue, but it never goes away. This will suck for you if you like elegant code and pride yourself on your computer science background.” The issue of using outdated and difficult software has been raised elsewhere. “You couldn’t design a less user friendly system if you tried. It takes as much skill and training to use Epic as it does to perform open heart surgery,” one user remarked. Another claimed that “It functions like a circa 1995 spreadsheet or word processing program. There is no search function even within a single patient’s chart — a feature on everyone’s computer for more than a decade now!” However, far more worrying, from a security viewpoint, is that the VA failed its last security audit by the Government Accountability Office (GAO). The GAO found that the VA lacked proper data protection, which included:
- “Failure to address an underlying vulnerability that allowed a security incident to occur
- Did not allow access to activity logs on VA’s networks for investigation
- Poor reporting of security incidents
- No evidence to show that their remediative security actions were effective
- Failure to address key web application vulnerabilities
- Vulnerabilities identified in VA’s workstations had not been corrected
- 10 critical software patches weren’t applied, each ranging in availability from 4-31 months (policy requires critical patches to be applied within 30 days)”
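The last GAO finding above is a measurable policy: critical patches must be installed within 30 days of availability. The check below is an added example (not code from the page, the VA or the GAO) that audits a constructed patch inventory against that deadline; the 60- and 90-day limits for lower severities are assumed values, and the patch ids and dates are made up.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Maximum days a patch may stay unapplied. The 30-day critical limit is the
# policy quoted in the GAO finding; the other two limits are assumptions.
POLICY_DAYS = {"critical": 30, "high": 60, "moderate": 90}

@dataclass
class PatchRecord:
    patch_id: str
    severity: str
    released: date             # date the vendor made the patch available
    applied: Optional[date]    # None means the patch is still not installed

def days_outstanding(rec: PatchRecord, as_of: date) -> int:
    """Days the patch went (or has gone) unapplied, measured up to as_of."""
    end = rec.applied if rec.applied is not None else as_of
    return (end - rec.released).days

def policy_violations(inventory: List[PatchRecord],
                      as_of: date) -> List[Tuple[str, str, int, int]]:
    """Return (patch_id, severity, days outstanding, days over limit) for every
    record that exceeded its deadline, worst offender first. A patch that was
    eventually applied late still counts: the exposure window already happened.
    Unknown severities fall back to the critical limit (fail closed)."""
    found = []
    for rec in inventory:
        limit = POLICY_DAYS.get(rec.severity, POLICY_DAYS["critical"])
        days = days_outstanding(rec, as_of)
        if days > limit:
            found.append((rec.patch_id, rec.severity, days, days - limit))
    return sorted(found, key=lambda row: row[3], reverse=True)

# Constructed sample inventory with placeholder ids; audit date is constructed too.
AS_OF = date(2015, 5, 15)
SAMPLE = [
    PatchRecord("PATCH-A", "critical", date(2015, 1, 15), None),
    PatchRecord("PATCH-B", "critical", date(2015, 4, 25), date(2015, 5, 10)),
    PatchRecord("PATCH-C", "high",     date(2015, 2, 1),  None),
    PatchRecord("PATCH-D", "moderate", date(2015, 3, 1),  date(2015, 5, 1)),
    PatchRecord("PATCH-E", "critical", date(2015, 4, 1),  date(2015, 5, 15)),
]

if __name__ == "__main__":
    for patch_id, sev, days, over in policy_violations(SAMPLE, AS_OF):
        print(f"{patch_id}: {sev} patch outstanding {days} days, {over} over limit")
```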
The reason this is important is because the VA uses a database/language based on the same MUMPS code that Epic uses on its own platform. The VA has named this VistA. At the end of 2013, researcher Doug McKay found a major vulnerability in the VistA architecture and commented that “this vulnerability allows you to execute any of the thousands of operations in it without any authorization or authentication. It could allow you to view or edit or change patient records.” An article on this vulnerability points out that, “VistA runs in an intranet, but the flaw could be exploited not only by a malicious or careless insider, but also by an outside attacker who already had gained a foothold in the network via another hack, such as a spear-phish that infected a client machine in the hospital’s or clinic’s network.”
This still does not fully explain why the VA is such a tempting target. There is no good reason why an attacker should be interested in someone’s medical records unless they can profit from them. As it turns out, there are few things more profitable than a medical record. In the deep web, a medical record is worth at least 10 times more than credit card data. This is because the medical record contains all the data needed for an identity theft. With an identity and medical data, an attacker can get credit cards, drugs, and can even perpetrate costly medical fraud. In other words, the more medical records an attacker can get, the richer they can become. With the predicted growth in individuals connected to the government’s main medical record database, attackers are working overtime to position themselves within medical networks. With more and more mobile devices connected to such databases, hackers have more ways to enter the network. And now it is reported that Epic has opened its own app store. Is there, then, any surprise in the fact that attacks on the VA are ramping up?
The VA has been hacked in the past by Chinese-based hackers who, apparently, saw all the data as an opportunity to make some money. Did these attackers leave undiscovered malware on the network that can be exploited by a new round of attacks? Now, however, with the looming increase in connections between the VA and the Department of Defense, government-based hackers may have other motives in mind. The VA could serve as a handy attack platform to infiltrate the DoD network. In fact, if a cyberwar does break out, as the government seems to be predicting, this would be a good place to look for the first shot across the bow or even the cyber Pearl Harbor that some claim is inevitable.
If your firm or organization allows employees or others to connect to your network via smartphones or tablets, you need to secure those endpoints with state of the art security architecture. Check out InZero Systems’ hardware separation architecture which puts an impenetrable barrier between endpoints and sensitive data stored on your network.