RFID security for hospitals: Vigilant data monitoring is key

Original post, click here

If you watch TV for any amount of time, you’ll notice that there are a lot of commercials for wallets and devices that protect your cards from being read by RFID. Like medical devices, RFID was designed before security was the priority it is now. While encryption is supported and is an ISO standard (14443-4), there has not been much in the way of including security and authentication throughout RFID itself. 

RFID isn’t as secure as it needs to be on its own. Due to many of the implementations out there, there is a perception that people will read information without being traced, and cause identity theft. Android cell phones have been modified to steal contactless credit card information using the NFCProxy application. The UniProxy presentation at DEFCon 25 showed that it’s possible to spoof credit cards using cheap dedicated hardware. It’s also possible to clone RFID tokens for physical or computer system access.

Because of these findings, there’s a need to build security into the ecosystem supporting it, and guard against several key types of attacks. There are two types of attacks that can cause major issues for a health enterprise, those being the unauthorized interception of patient information, and attacks on the supply chain and associated systems.

[Part 1: RFID security for hospitals: What are the use cases?]

The largest concern is guarding against the interception of patient information. As medical devices and implants start to use RFID, the potential for device association with a patient increases. This is already a concern with surgical device and tool tracking as these IDs can be used to associate equipment with a patient. We need to isolate by design patient information from RFID readers and devices as much as possible to reduce risk. We also need to address concerns with association of devices and tools to patients.  With the emphasis on privacy emanating from GDPR, this is even more at the forefront than before.

The second-biggest concern is guarding against attacks on the supply chain. Generally, they use a large number of handheld and wireless devices. Many of them run Android or older versions of Linux. Some even still run Windows CE, a much older operating system best remembered for being used in smartphones that predate Android or iOS. Many of these devices haven’t been patched, and there are many of them that run older versions of Android that are vulnerable to vulnerabilities such as KRACK or even Heartbleed. It’s easy to attack or intercept traffic on devices not patched for recent vulnerabilities. It’s even easier to attack networks and systems not designed for security. 

Oftentimes, many of these handhelds interface directly with back-end systems that support supply chain, specifically Inventory Management and Enterprise Resource Planning (ERP) applications. Many of these have a large number of vulnerabilities, and specific attacks against certain vendors have been disclosed over the past year. ERP systems, due to their criticality, may not receive updates as much as a standard desktop PC. Yet, they are a major driver of automating the complexity of hospital supply chain and order management. Corruption of RFID or its supporting systems has a potential downstream effect of corrupting financial, inventory management, or asset management systems.

To begin protecting against these attacks, we need to understand data flows. We cannot protect against attacks if we don’t understand where the data flows are occurring.  We need to understand where information can be compromised so we can protect it. We also need to know where to look for discrepancies and why. If there is an issue, we need to document it and show defensible processes to assure the confidentiality, integrity and availability of data. 

We cannot stop the unauthorized reading of RFID tags or information but we can limit the association of these tags with patient information, especially ID cards. We can protect the systems that store and process the data and make it harder to spoof or inject bad data by segmenting data collection from core processing in the ERP systems. Maintaining systems well and being vigilant about reviewing data input will also make them more secure. 

It’s not complex or impossible to overcome. In the next article, we’re going to go over the six steps needed for a good RFID security baseline and set up a good foundation for a security program.  We’re going to wrap up the series with the six steps to a (reasonably) secure implementation and discuss the benefits you can expect to see from it. 

Mitchell Parker is Executive Director of Information Security and Compliance for Indiana University Health.