House Energy and Commerce Subcommittee on Health Hearing
Federal Information & News Dispatch, Inc. |
Introduction
Good morning, Chairman Pitts, Ranking Member Pallone, and distinguished members of the Sub-committee. Thank you for the invitation to testify on the expectations of smart cards to combat waste, fraud and abuse in the
My name is
Experiences in smart card security and health care provide me with a broad perspective on risks and bene.ts of deploying information security technology in health care settings:
* My cybersecurity research includes the security analysis of contactless "smart card" credit cards ("Researchers See Privacy Pitfalls in No-Swipe Credit Cards," NY Times,
* I am also known for research that analyzed the security of an implantable cardiac de.brillator-- demonstrating that the device could be wirelessly tricked into inducing a fatal heart rhythm ("A Heart Device Is Found Vulnerable to Hacker Attacks," NY Times,
* I manufacture an experimental smart card for advanced security research at universities, industrial research labs, and the
* At a community hospital, I participated in the roll out of a smart-card precursor to authenti-cate health care providers for accessing paperless medical records and an electronic billing system. The less exciting part of my job involved issuing replacement authentication cards to nurses and physicians who lost their cards.
I am speaking today as an individual. All opinions, .ndings, and conclusions are my own and do not necessarily re.ect the views of HHS, NSF, or any of my past or present employers.
Smart cards
Smart cards are math in plastic. I like math. The security depends on (1) how the cards are used in a system, (2) the dif.culty of breaking various algorithms, and (3) the dif.culty or tampering with the physical card. A .aw in any these three elements makes a smart card vulnerable. The .rst element is most relevant to
While smart cards may reduce fraud in other sectors, there remain challenges that may make deployment more costly and less effective than anticipated:
1. Smart cards authenticate smart cards, not people. For this reason, a key shortcoming of even the most perfect smart card is the dif.culty of securely linking the card with a person. Linking people to a smart card is notoriously dif.cult.
2. There are several documented hacks against smart cards.
3. Smart card hacking will lead to increased malware on clinical computing systems.
4. Interrupting clinical work.ow can lead to unanticipated consequences on patient care.
My testimony summarizes general security problems in smart cards, fraud remaining in health care programs in other countries already using smart cards, and implications for public health.
Problems with
Below I highlight a number of security shortcomings in smart cards that led to card cloning and fraud for payments and facility access control. A common property is that the cards were seen as ironclad secure until they were not.
Chinese hack of DoD Common Access Cards. Authentication and identity systems that seem to work securely one day can lose that sense of security the next. For example, the DoD Common Access Card (CAC) was rightly cited as not having any problems with counterfeiting in 2011.
"The Medicare Common Access Card Act of 2011 seeks to replicate the smart card technology currently used by members of our armed services and applies it to the
The DoD CAC was suggested as a model approach for the Medicare Common Access Card. Two months later, a Chinese computer virus hacked into the computers connected to smart card readers to steal PINs from DoD smart cards. The attack installed keyloggers by tricking personnel into viewing an emailed PDF .le containing an exploit n5 ("New Sykipot variant can steal PINs from DoD smart cards," GCN,
"A Chinese-based cyber attack is targeting the Defense Departments Common Access Cards with technology that could steal information from military networks while troops and civilians work at their desks" ("Chinese virus targets DoD Common Access Card," ArmyTimes,
Breaking into government buildings protected with smart cards. In 2006,
Contactless credit cards hack. In 2006, I co-led a study that analyzed the security of credit cards containing contactless smart card technology n8.
"The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information.
Whenever I meet a cashier with a contactless smart card reader, I ask how often customers use a contactless smart card. So far, the answer has consistently been none except for one cashier who said that the engineer who installed the reader tested a card. One cashier asked me to explain what the smart card reader did. Thus, fraud is likely low due to moderate levels of use and exposure.
Chip and PIN smart card hacks. The Chip and PIN technology deployed overseas to protect credit cards is often heralded, but unfortunately this technology has also experienced several security .aws that led to fraud.
"Cards were found to be open to a form of cloning, despite past assurances from banks that chip and PIN could not be compromised. ... For example, a physics pro-fessor...bought a meal for some people for
Many security vulnerabilities begin with complacency and a misbelief that lack of a reported security problem today means there can be no security problems tomorrow.
"Dr
"The devices were modi.ed, by adding hardware, in order to send credit card details over mobile telephone networks to the scammers." ("Hundreds of tampered chip and PIN devices spread in stores across
Cloning proprietary smart cards. Many smart cards are based on proprietary algorithms that have not been tested or evaluated with strong and open peer-review. Proprietary algorithms can lead to a false sense of security. For instance, this Dutch researcher shows how to clone a propri-etary smart card in 5 seconds on an ordinary computer with
"With more than 300 million cards sold, HID iClass is one of the most popular contact-less smart cards on the market. It is widely used for access control, secure login and payment systems. ... These cards are widely used in access control of secured build-ings such as The
"Hackers have stolen credit card information for customers who shopped as recently as last month at 63
An attack that seemed farfetched a short time ago has become real. And the attack vector may have been a modi.ed credit card containing a virus rather than a credit card number.
"hackers installed malware on the so-called point-of-sale (POS) card readers to sniff the card data and PINs as customers typed them in. ... researchers installed their malware using a rogue credit card inserted into one device, which caused it to contact a server they controlled, from which they downloaded malware to the device." ("Thieves hack
If a bookstore cannot protect its payment terminals from fraud, it is unlikely that a non-tech-savvy home health care worker can adequately protect a smart card reader carried from home to to car to home to use at "the point of service and use it to verify services received."
"a band of Romanian hackers is alleged to have stolen payment card data from the point-of-sale (POS) systems of hundreds of small businesses, including more than 150
Stealing data wirelessly from smart card terminals. Hackers are getting more clever in how they ex.ltrate data. Wireless ex.ltration from a card reader is suf.ciently common that Visa issued a warning to merchants.
"A new bulletin from Visa indicates that it is increasingly concerned about point of sale terminals being adapted to steal card data over Bluetooth connections. To combat this threat, Visa advises merchants to scan for Bluetooth signals, which could be evidence of a wireless skimming device transmitting stolen card numbers." ("Tampered card readers steal data via Bluetooth," American Banker,
There is so much wireless traf.c in a clinical environment, it would be extremely dif.cult and costly to effectively deploy wireless Bluetooth attack detectors at every smart card reader.
"the students had uncovered vulnerabilities within the magnetic stripe and
Dutch transit smart card hack.
"The Dutch RFID public transit card, which has already cost the government
International Problems with Smart Cards in National Health Programs
A number of countries already use smart cards for national health programs. One of the more interesting uses is to store a mini electronic health record on each card so that providers have in- stant access to prescription data in emergencies and patients receive more consistent care across different providers ("Health care abroad:
"Why launch a new version of the card? ... It is also open to fraudulent use." ("French carte Vitale to be upgraded," FrenchEntree, 2006) n21
A common source of smart card fraud happens during the vulnerable registration process. A secure smart card is much less effective against fraud if registration process remains weak.
"Inadequate checks by social security authorities leave the system open to abuse by foreigners..." ("Calls to tackle carte Vitale fraud," The Connexion,
"Even if identity documents are becoming more and more secure...the requirements for obtaining these documents are particularly lax. ... it is easy to get a birth certi.cate for a borrowed identity or to counterfeit an identity. ... the carte Vitale is the object of massive fraud and there is no serious securitization process in place." ("
"The cards can also be used fraudulently, with the consent of the owner. Attempt to limit the phenomenon, all new cards issued Vitale since 2007 (about 15 million copies) include a photo. But the effectiveness of the measure -which apparently has never been evaluated -remains to be seen." ("Vitale card biometric expensive and dif.cult to implement," translated from Le Figaro,
"surgeons from the
According to a security expert in
"a former gynecologist ... allegedly performed surgeries on healthy patients, claiming more than
Even a secure smart card cannot stop this kind of fraud.
"The fraudulent misuse of health insurance cards caused billions in damage. ... The principle of the card cheater is easy: either several non-insured use a smart card together...or a group of relatives and friends in
The deployment proved dif.cult when the smart cards were accidentally distributed without PINs.
"Embarrassing mishap of the electronic health card: approximately two million patients have received faulty payment cards. The manufacturer promises to replace the defec-tive copies quickly." ("Breakdown: Millions of faulty health payment cards," translated from Der SpiegelOnline,
"A recent survey conducted by the GP's newspaper Pulse revealed that one in six NHS staff .outed the rules regarding con.dential medical records, and shared smartcards. Despite CfH warnings that 'disciplinary procedures should follow' if smartcards are used improperly, 5% of GPs also admitted sharing their own smartcard." ("NHS loses contact to smartcards,"
"IBM's AU$23.6 million contract with the
Implications for Public Health
The overly trusting bene.ciary. My understanding is that a signi.cant source of fraud comes from home health care services. A home health care patient who cannot remember to eat break-fast on his own is not going to be able to remember a PIN or password. A patient who quali.es for home health care can literally be home-bound. For instance, the patient might not be able to independently shop for groceries for over a year. A stroke victim who must relearn how to swal-low may not be able to talk or feed herself without assistance. Thus, a home health care patient depends greatly on the kindness of others, and can be particularly vulnerable to overly trusting a provider. A vulnerable home care patient would likely comply with an unscrupulous provider who asks to "hold on to the smart card and PIN so as not to inconvenience the patient." In short, smart cards that work well for the subway traveller or retail shopper will likely not work as effectively for the demographic of home health care.
Malware on clinical computing systems. Because payment software for smart card readers are prone to targeted malware, requiring this software installed will increase the exposure of clinical computing systems to malware. How many systems will be exposed to malware? Over 1,058,469
"Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the de-vices temporarily inoperable. ... malware at one point slowed down fetal monitors used on women with high-risk pregnancies being treated in intensive-care wards." ("Com-puter Viruses are Rampant on Medical Devices in Hospitals," MIT Technology Review,
All hospitals struggle with reducing the amount of malware reaching their critical care systems. The malware often spreads via webmail accounts, networks--and USB sticks that circumvent all .rewall controls. Medical device manufacturers often disallow the use of anti-virus products. Thus, clinical computing systems can suffer from severe consequences when infected with malware. Downtime can lead to delayed patient care (e.g., transporting seriously ill patients waiting for a time-critical angioplasty from a cath lab infected with malware that renders the surgical equipment unavailable) to faulty sensor readings. A cath lab is one USB stick away from a terminal connected to a smart card reader.
Because malware has spread from a chip and PIN smart card to the payment terminal, health care computing systems will likely become more vulnerable to malware that can steal or tamper with medical information.
Questions
There are several questions on smart cards for
1. Given that bene.ciaries already share their paper cards, what would disincentivize these same bene.ciaries from sharing a smart card and PIN?
2. How likely would a patient over 65 forget a smart card, give the smart card to a friend, or write the PIN on a sticky note and let a home health care provider hold on to the smart card?
3. What is the clinical impact of introducing extra procedures to the critical path of the delivery of patient care if the card must be scanned "at the point of service and use it to verify services received by placing into a reader, entering their PIN, and con.rming the transaction"? One of the greatest sources of medical errors leading to patient harm is a complicated clinical work.ow. There could be bene.ts or risks, but the answer is unknown.
4. Who pays for the materials and time spent by health care professionals when a smart card vulnerability necessitates a reissuing of smart cards or smart card readers before the antic-ipated replacement date? What business will legitimate providers lose if the billing systems are unavailable or reverted to paper?
5. Who is responsible if a patient is harmed by malware spread to the clinical environment as a result of vulnerabilities in payment process software that connects to each smart card reader?
6. Who guards the guards? How bribable are the guards? When a smart card is lost, who has the authority to replace the card? In the case of the hospital where I worked, I had the authority to issue new cards to health care professionals. My salary at the time amounted to approximately 1 1/2 large pizzas per day.
Recommendations
The expected bene.ts of smart cards need to take into account the full costs and risks shouldered by the non-fraudulent providers and bene.ciaries. I would recommend the following:
1. A pilot study should include a security analysis and penetration testing of the system by a neutral third party, as well as tests designed with clinical engineers and health IT specialists to measure the impact on patient care.
2. A pilot study should measure fraud in comparison with alternatives. For example, it would be useful to know to what extent a less expensive photo ID would reduce fraud compared with a smart card because other countries are increasingly adding photos to bene.ciary cards to curb fraud n32.
3. A smart card pilot should measure the impact on fraud while controlling for fraud reductions due to fraud detection systems and strengthening of provider enrollment. That is, the smart card bene.ts should not be con.ated with the bene.ts from other fraud reduction mecha-nisms.
4. There should be a period of public feedback coordinated by a neutral third party who has no .nancial interest in the outcome of the selected technology. NIST may be a logical choice given that the proposed legislation refers to NIST standards.
Conclusion
It is important to reduce fraud, waste and abuse in the
A key lesson from modern cybersecurity research is that security technology alone will not solve a security problem unless there is effective policy implemented to control fraud. Without .rst plugging the policy loopholes that lead to
Thank you. I am happy to answer any questions you may have.
n2 http://secure-medicine.org/
n3 http://spqr.cs.umass.edu/moo/
n4 http://thehill.com/blogs/congress-blog/healthcare/191277-a-smart-approach-to-medicare-reform
n5 One may wish to avoid viewing submitted testimony in a vulnerable PDF reader.
n6 http://www.armytimes.com/news/2012/01/military-common-access-card-chinese-virus-011812w/
n7 http://www.yourtechtv.com/viewVideo.php?video id=213&title=Cloning RFID Tags
n8 https://spqr.cs.umass.edu/publications.php?q=vulnerabilities
n9 http://www.nytimes.com/2006/10/23/business/23card.html
n10 http://www.bbc.co.uk/news/technology-19559124
n13 http://www.cs.ru.nl/~rverdult/Dismantling iClass and iClass Elite-ESORICS 2012.pdf
n14 http://www.nytimes.com/2012/10/24/business/hackers-get-credit-data-at-barnes-noble.html
n15 http://www.wired.com/threatlevel/2012/10/barnes-and-noble-pos-hack/
n17 http://www.americanbanker.com/security-watch/bluetooth-skimming-1042020-1.html
n18 http://www.pcmag.com/article2/0,2817,2327898,00.asp
n19 http://www.schneier.com/blog/archives/2008/01/dutch rfid tran.html
n20 N.B.: the proposed legislation in H.R. 2925 would also not include photos on bene.ciary smart cards. However, including photos for the
n21 http://www.frenchentree.com/france-lot-quercy-services-contacts/DisplayArticle.asp?ID=18469
n22 http://www.connexionfrance.com/news articles.php?id=797
n23 http://plus.lefigaro.fr/note/france-faces-rise-in-identity-fraud-20111114-598540
n25 http://www.chinapost.com.tw/taiwan/local/taitung/2009/09/09/223867/Prosecutors-charge.htm
n26 http://www.taipeitimes.com/News/taiwan/archives/2010/05/29/2003474144
n29 http://www.smartcard.co.uk/articles/NHSLosesContact.php
n30 http://www.zdnet.com/au/legal-woes-for-ibms-e-health-contract-7000006359/
n32 However, obtaining photos for the
Read this original document at: http://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/Hearings/Health/20121128/HHRG-112-IF14-WState-FuK-20121128.pdf
Copyright: | (c) 2010 Federal Information & News Dispatch, Inc. |
Wordcount: | 4660 |
Advisor News
Annuity News
Health/Employee Benefits News
Life Insurance News