More on Electronic Medical Records

By jap24 at 9:05 pm on February 6, 2009

As mentioned earlier in the blog in “Security Review: Electronic Medical Records,” Google has started an electronic medical record database called Google Health.  Today, IBM and Google announced that they have made software to allow PDAs to upload information to health care databases such as Google Health.  Google Health centralizes medical records for its users, by storing records entered manually or aggregating data from other related medical databases; the individual users decide who is authorized to access their records.  The new software can allow doctors to update patient information more quickly, and facilitates information sharing between health care providers.  As well as the obvious applications for sharing information between health care providers, the Computerworld article on this technology suggests that the new software would allow authorized people to keep track of the health of an ill family member more easily, as the doctors add updates to the database more quickly.  From the article, it was not obvious whether or not the software would also allow mobile devices to download records from the databases.

Assets:

  • The messages transmitted to the database from mobile devices need to be secure.  There need to be measures to prevent the interception of the contents of those messages, and to prevent fake messages from being accepted as genuine.  The interception of single messages would be a breach of privacy, and the transmission of fake messages could interfere with the doctors’ work (and could be hazardous to the patient’s health).
  • The PDAs themselves are another tempting asset.  They need to have some measures to ensure that, if they fall into the wrong hands, they cannot be used to send or receive sensitive information.  An attacker could use an unprotected PDA to add any arbitrary data to a patient’s medical records.  Also, if the PDAs will be able to access the database (and it’s not clear yet if that will be a feature), an attacker might use one to gain embarrassing information (e.g. “You’re actually bald and that’s a toupee!”), or even dangerous information (e.g. a list of allergies).

Adversaries, Threats:

  • Some adversaries might be individuals who want to steal medical information about a patient.  For example, employees of a shady pharmaceutical advertising company wanting information for targeted advertisements, or a personal enemy of the patient looking for a list of harmful allergies or other weaknesses.  They could attempt to gain access to one of these aggregated medical databases by stealing a doctor’s PDA (assuming that the device is also able to access records).
  • There might also be people who want to harm the patient by adding fake data to the medical records database.  They might accomplish this by stealing the PDA or by imitating a message from a PDA using one of their own devices.

Weaknesses:

  • The fact that transmissions will be over wireless makes messages from the PDAs easy to intercept by anyone with the right equipment who is close enough.
  • The use of small mobile devices like PDAs for communicating with the databases is another vulnerability.  PDAs would be easy to steal compared to larger computers, and they could be easily concealed by a thief.

Defenses:

  • An obvious defense for the wireless messages is to encrypt them before transmission.  This results in security only as strong as the encryption algorithm.
  • Instead of allowing users to log in for a session at a time, the software on the mobile devices could require the user to enter a password before each individual database access.  This would be more bothersome to the healthcare professionals using them, but it would help prevent a stolen PDA from being used to get to the database.
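As an added example (not from the original post, and not the IBM/Google software), here is how a PDA update message could be protected so that it is unreadable if intercepted and is rejected if forged, tampered with, or replayed, which is what the two assets listed above require. The message layout, the per-device key pair, and the HMAC-based keystream are assumptions made for this demo; a production system would use a standard AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed demo keys: assume one (ENC_KEY, MAC_KEY) pair is provisioned per PDA,
# so a sequence number is never reused under the same key.
ENC_KEY = os.urandom(32)
MAC_KEY = os.urandom(32)


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode; seq is the nonce (demo construction)."""
    blocks = [hmac.new(key, struct.pack(">QI", seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Device:
    """PDA side: fresh sequence number, encrypt the record, then authenticate header+ciphertext."""
    def __init__(self, enc_key: bytes = ENC_KEY, mac_key: bytes = MAC_KEY):
        self.enc_key, self.mac_key, self.seq = enc_key, mac_key, 0

    def seal(self, record: dict) -> bytes:
        self.seq += 1
        header = struct.pack(">Q", self.seq)
        pt = json.dumps(record).encode()
        ct = _xor(pt, _keystream(self.enc_key, self.seq, len(pt)))
        tag = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        return header + ct + tag


class Database:
    """Server side: verify the tag before anything else, reject replays, then decrypt."""
    def __init__(self, enc_key: bytes = ENC_KEY, mac_key: bytes = MAC_KEY):
        self.enc_key, self.mac_key, self.last_seq = enc_key, mac_key, 0

    def open(self, msg: bytes):
        if len(msg) < 8 + 32:
            return None
        header, ct, tag = msg[:8], msg[8:-32], msg[-32:]
        expected = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or tampered: not accepted as genuine
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return None  # replay of an earlier genuine message
        self.last_seq = seq
        return json.loads(_xor(ct, _keystream(self.enc_key, seq, len(ct))))
```

Encrypting alone would address interception; the tag and the sequence check are what stop an attacker's own device from getting a fake or repeated update accepted.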

Risks:

  • With a good encryption algorithm, the danger of messages being intercepted or faked over the wireless connection can be greatly reduced.  Even if an attacker can intercept and interpret some individual messages, that data will most likely not be harmful, since the attacker cannot choose which pieces of data are being transmitted.  Also, close coordination between doctors involved with a patient might reduce the risk of a successfully planted false entry in the database being harmful.  As long as sensible procedures are followed, the risks from using wireless transmissions should be small.
  • The threat of a stolen PDA is a much greater danger.  It is not likely that a defense as inconvenient as the one proposed above would actually be implemented.  This means that an attacker might be able to steal a PDA that is already logged in and use it to alter or possibly read the database.

Conclusion
The ability to access a medical database like Google Health using a mobile device will be very convenient for doctors and will help them coordinate more easily.  However, the risk that a PDA could be stolen for malicious use is serious, and the potential damage could easily outweigh the benefits of convenience.

Filed under: Privacy, Security Reviews