I’ve been recently writing about why Microsoft Windows, and the Microsoft monoculture in general, is a bad idea for medical device vendors – see my essays on Windows vulnerabilities and medical devices here, here and here.
It is now time to slaughter one more sacred cow: SSL.
One of the most prevalent misconceptions among vendors in the medical device and healthcare space concerns the role of SSL and TLS in protecting patient information. When faced with a requirement by a government or hospital customer for compliance with one of the US privacy and security standards, a vendor usually reacts with the CEO asking his CTO to look into “solutions”. The CTO’s answer usually goes like this:
I did some research. Apparently to be FIPS (or HIPAA, or …) compliant we should use TLS and not SSL. I think that configuring the browser to be FIPS (or HIPAA, or …) compliant may take a little work.
Action items are given out to the technical team, they usually look like this:
Joe – You establish a secure web site
Jack – Make sure all the addresses on the workstation point to https instead of http
Jack and Joanne – Compile a new version of the servers and workstations to work properly on the new site.
Jack and Jill – Do whatever needs to be done so that the web services work on the new site.
That’s all – No other changes need to be done to the application.
Oooh. I just love that last sentence – “No other changes need to be done to the application”. What about patching Web servers and the Windows operating systems? What about application software vulnerabilities? What about message queue vulnerabilities? What about trusted insiders, contractors and business partners who have access to the application software?
There are multiple attack vectors from the perspective of FIPS and HIPAA compliance and PHI data security. The following schematic gives you an idea of how an attacker can steal PHI, using any combination of no fewer than 15 attack vectors to abuse and steal PHI:
There are potential data security vulnerabilities in the client layer, transmission layer, platform layer (Operating system) and cloud services (Amazon AWS for example).
So where does SSL fit in? Well, we know that the vulnerabilities leading to a PHI data breach can exist inside any layer, but in particular there are vulnerabilities in the system interfaces between layers: between server layers and in client-server interfaces. Quoting from the Apache Tomcat 6.0 SSL Configuration HOW-TO:
SSL, or Secure Socket Layer, is a technology which allows web browsers and web servers to communicate over a secured connection. This means that the data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing. This is a two-way process, meaning that both the server AND the browser encrypt all traffic before sending out data.
Another important aspect of the SSL protocol is Authentication. This means that during your initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials, in the form of a “Certificate”, as proof the site is who and what it claims to be. In certain cases, the server may also request a Certificate from your web browser, asking for proof that you are who you claim to be. This is known as “Client Authentication,” although in practice this is used more for business-to-business (B2B) transactions than with individual users. Most SSL-enabled web servers do not request Client Authentication.
In plain English, SSL is good for protecting credentials transmitted between the browser and web server during the login process from eavesdropping attacks. SSL may still be vulnerable to man-in-the-middle attacks by malware that piggybacks on the plain-text browser requests and responses before they are encrypted. Similarly, SSL may be vulnerable to cross-site scripting attacks like the PayPal XSS vulnerability discovered in 2008 that would allow hackers to carry out attacks, add their own content to the site and steal credentials from users.
SSL is a key component in a secure login process, but as a security countermeasure for application software vulnerabilities, endpoint vulnerabilities, removable devices, mobile devices and data security attacks by employees, servers and endpoints, it is worse than worthless because it sucks the medical device/healthcare vendor into a false feeling of security.
SSL does NOT make a medical device/healthcare Website secure. The SSL lock symbol in the browser navigation window just means that data in motion between a browser client and Web server is encrypted. If you can attack the endpoint or the server, the data is not protected. Quoting Gene Spafford (I think this quote has been used for years, but it’s still a good one):
“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.”
– Gene Spafford Ph.D. Purdue, Professor of Computer Sciences and Director of CERIAS
This is all fine and dandy, but recall our conversation with the CTO giving action items to his team to “establish a secure web site” as if it were a point-and-click operation on a Microsoft Office file. The team may discover that even though SSL is not a very good data security countermeasure (albeit required by FIPS and HIPAA), it may not be that easy to implement, let alone implement well.
It’s no wonder that so many web servers are misconfigured by the clueless being led by other clueless people who never read the original documentation and were all feeding off Google searches for tutorials. Yikes!
Most people don’t bother reading the software manuals and google for advice, looking for things like “Tomcat SSL configuration tutorial”. Jack, Jill and Joanne in our example above may find themselves wandering in an abundance of incorrect, incomplete and misleading information in cyberspace, which is a mixture of experts who assume everyone knows how to set up secure AJP forwarding and Tomcat security constraints and a preponderance of newbies who know nothing (or a little bit, which is worse than nothing).
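To make concrete what “Tomcat security constraints” means in practice, here is an added example of my own (not taken from the Tomcat HOW-TO or from any project documentation). Instead of hoping that every workstation link points at https, as in Jack’s action item above, the server itself refuses to serve the application in the clear. Ports 8080 and 8443 are Tomcat defaults; the keystore path and password are placeholders.

```xml
<!-- conf/server.xml (Tomcat 6): the plain-HTTP connector names the TLS port it
     redirects to, and a second connector terminates TLS. Keystore path and
     password are placeholders, not real values. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/PLACEHOLDER/path/to/keystore.jks"
           keystorePass="PLACEHOLDER_keystore_password" />

<!-- WEB-INF/web.xml of the application: every URL of the app requires a
     confidential (TLS) transport. A request arriving on the 8080 connector is
     redirected to redirectPort (8443) rather than answered over plain HTTP, so
     a stale http:// bookmark on a workstation no longer leaks PHI. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire PHI application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

If TLS is instead terminated at Apache and forwarded to Tomcat over AJP, the AJP connector takes the secure flag from the AJP request, so the same constraint still holds; forwarding over plain HTTP instead would make Tomcat see an insecure request and redirect endlessly.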
Working with a client in the clinical trial space, I realized that the first and perhaps biggest problem is a lack of decent documentation, so I wrote SSL and Certificate HOW TO – Apache 2.2 and Tomcat 6, Ubuntu which I hope will be my modest contribution (along with this blog) to dispelling some of the confusion and misconceptions and helping medical device and healthcare vendors implement secure Web applications. No promises – but at least I try to do my bit for the community.