Shellshock's Threat To Healthcare - InformationWeek


Healthcare // Security & Privacy
11:55 AM
Mac McMillan
Shellshock's Threat To Healthcare

The Bash bug is everywhere, including in medical devices. The industry must be better prepared to protect itself and patients.


We've all seen the news about the next big threat to information systems, Shellshock, which takes advantage of a vulnerability in the now ubiquitous open source Bash shell (Bourne-Again Shell).

The immediate reaction to the announcement was ominous, with claims that the new Bash bug, Shellshock, is much worse than Heartbleed. We're not sure that we're entirely in that camp, for a number of reasons, but it is very safe to say that Shellshock is a threat to be taken quite seriously: the number of port scans looking for services affected by this vulnerability has already increased significantly. Organizations that are doing security correctly (defense in depth, network segmentation, firewalls with DMZs, etc.) have far less to worry about than those still assuming they won't eventually get hit.

The good news is that a patch for the source code already exists and can be applied. The bad news is that a source-code patch requires the end user to apply it, recompile, and then redeploy the binary -- something beyond the scope of most end users, and something that means most will be waiting for a precompiled binary from their operating system vendor. Most of the major operating system providers have, or will soon have, a patch available for widespread deployment.

[Do you know enough about Shellshock? See Shellshock Bug: 6 Key Facts.]

Further bad news is that embedded systems, such as medical devices, cameras, network appliances, and so on, will require waiting for the manufacturer to make a fix available (which can take far longer than your typical operating system), and it will be necessary to re-image the flash/boot code for the device. Any such assets that are accessible from the Internet will be vulnerable until the vendor publishes a fix.

It is also safe to say that Heartbleed and Shellshock are not the last of these types of threats that will present themselves, but, rather, the beginning of a new era of threats that affect multiple systems throughout an enterprise and create a real challenge for organizations. Even months after the Heartbleed bug surfaced, thousands of systems are still vulnerable to it -- just consider the unfortunate breach of Community Health Systems.

One remedy for Shellshock that is being discussed is the use of an application-layer firewall or proxy service. That is definitely one mitigating control, but only if the firewall or proxy is configured properly and supports the vulnerable port(s)/service(s); not every service has a widely available proxy or application-layer gateway. It also does not mitigate the risk of "insiders" exploiting the vulnerability, so the assets in question would still need to be patched or completely isolated from internal traffic. By and large, the threat to the bulk of most organizations' assets will be manageable through good security practices, proper configuration, and patch management.
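The proxy or application-layer firewall discussed above only helps if it can see and recognize the probe. The signature itself is simple: Shellshock payloads arrive as an environment-variable value beginning with "() {", and web servers hand request headers such as User-Agent and Referer to CGI scripts as environment variables. The following added example (written for this column, not code from the author or CynergisTek) runs that check over constructed combined-format web log lines, so a hospital security team could confirm whether the scanning the column mentions is reaching its own externally exposed services. The log lines and IP addresses are constructed for illustration; the log format parser assumes the common Apache/nginx "combined" layout.

```python
"""Scan web-server access log lines for Shellshock probe signatures.

Added example, not from the InformationWeek column or CynergisTek.
The sample log lines below are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import Iterable, NamedTuple

# A vulnerable bash treats an environment-variable value that starts with
# "() {" as a function definition and keeps parsing past the closing brace,
# which is what Shellshock probes rely on. Whitespace between the parentheses
# and brace is optional for that parser, so the pattern tolerates it.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Combined log format: ip ident user [time] "request" status size "referer" "agent".
# Referer and User-Agent are optional so plain common-format lines still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


class Hit(NamedTuple):
    ip: str
    time: str
    field: str   # which header or request field carried the signature
    value: str   # the raw field contents, for the analyst to inspect


def find_shellshock_probes(lines: Iterable[str]) -> list[Hit]:
    """Return one Hit per log field that contains the "() {" signature."""
    hits: list[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined/common log format; skip silently
        for field in ("request", "referer", "agent"):
            value = m.group(field)
            if value and SHELLSHOCK_RE.search(value):
                hits.append(Hit(m.group("ip"), m.group("time"), field, value))
    return hits


def summarize_by_source(hits: Iterable[Hit]) -> dict[str, int]:
    """Count probes per source IP, the first thing a responder wants to know."""
    return dict(Counter(h.ip for h in hits))


# Constructed sample: two probes from one address (one in User-Agent, one in
# Referer) and two ordinary requests. The payload is the harmless self-test
# string, enough to trip the signature without doing anything.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Sep/2014:11:33:57 -0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.22 - - [29/Sep/2014:11:34:02 -0400] "GET /index.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
203.0.113.7 - - [29/Sep/2014:11:34:10 -0400] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo vulnerable" "curl/7.37"
192.0.2.5 - - [29/Sep/2014:11:35:00 -0400] "POST /api/login HTTP/1.1" 401 77 "-" "Mozilla/5.0 (compatible)"
"""

if __name__ == "__main__":
    found = find_shellshock_probes(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.time} {h.ip} {h.field}: {h.value!r}")
    print("probes per source:", summarize_by_source(found))
```

A hit is only evidence that someone tried; whether the target was exploitable depends on whether the request reached a CGI handler backed by an unpatched bash. The same pattern can be applied to any service that passes client-supplied strings into environment variables, which is why the column's point about embedded devices matters: those devices rarely produce logs like these at all.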

[Image: Connected glucose monitor. (Source: Diabetes Journal)]

What is most at risk? Any asset that runs an embedded operating system, such as appliances and network gear. This poses a significant threat to the healthcare industry because of the large number of medical devices that could be affected by the new bug. Once again, the healthcare industry is at risk from devices that are critical to providing care. More importantly, providers are not in a position -- without significant replacement or security costs -- to address the issue. Simply put, we need standards for developing and accrediting medical devices that are going to go on hospital networks or connect directly to patients and communicate with the network. It is irresponsible to allow these critical care assets to be developed and implemented in a manner that makes them a risk to the hospital or the patient.

The security threat that Shellshock poses to medical devices clearly demonstrates why more guidance is needed. Fortunately, later this month the FDA is holding a workshop in Alexandria, Va., on this topic to gather input from providers, device manufacturers, and other interested parties. The agency is also reportedly finalizing guidance on medical device security considerations for manufacturing and implementation. Hopefully, that guidance will have the force and accountability of a new rule; otherwise, we fear the FDA won't accomplish its intended purpose. We are sure that some device makers will adopt its tenets and do the right thing, but if history repeats itself with voluntary compliance, far more will not.

Ultimately, it will leave the end users (providers and patients) right where they are today ... at risk.

Dr. Michael G. Mathews, President, COO, and co-founder of CynergisTek, also contributed to this column.


Mac McMillan is co-founder and CEO of CynergisTek Inc., a firm specializing in information security and regulatory compliance in healthcare. He is the current Chair of the HIMSS Privacy & Security Policy Task Force and was recognized in 2012 as an HIMSS Fellow.
User Rank: Ninja
9/29/2014 | 11:33:57 PM
Another Wakeup Call....
Is this another wakeup call for the world of development? As we see time and time again, the sharing of code and the proliferation of the open-source environment lead to major holes in security and even basic common sense.
User Rank: Apprentice
9/29/2014 | 9:24:27 PM
The author is totally ignorant

This is a bug that has had NO BREACH, NO BREAK-INS, NO ATTACKS whatsoever.  But the yellow journalists, like this article, would have you believe that this bug is the asteroid that killed the dinosaurs and it's going to hit the earth tomorrow!  OMG.

The FIX was out 2 days ago.  This author INCORRECTLY states that embedded systems are at risk - Embedded systems DON'T USE BASH.

Here's how difficult it is to fix this bug:

>update bash-package

That's it, 5 seconds later, it's fixed.  That's why this is all hype and baloney.  I wouldn't be surprised, because this media hype is SO OVER THE TOP, if Microsoft money wasn't behind this big hype campaign.

Microsoft's done it before - remember the smear campaign they did on Google Chromebooks.
