Sunday, February 23, 2014

An Apple (Security Flaw) a Day Keeps the Doctor Away?

Unless you're living under a rock, you've probably heard of the critical security flaw across various Apple computing products ranging from web browsers and mail programs to certain versions of MacOS and iPad/iPhone/iFoo products. Apple has started to release patches, but they probably have a rough weekend in Cupertino. I am wondering if this flaw will change how hospital CIOs and CISOs think about BYOD in the operating rooms, clinical care, electronic health record management, etc.

Today at the HIMSS symposium on Medical Device Security Risks and Challenges, I had a conversation about physicians who demand BYOD products like iPads for delivery of patient care. Nothing fundamentally wrong with considering the benefits of BYOD, but what is wrong is blind faith and overconfidence in the trustworthiness of software. This conversation is all in the context of the critical security flaw across several Apple products, and for which Apple is scrambling to patch. The flaw allows a network adversary to mount a "man in the middle" attack, effectively defeating the security normally provided by SSL (layperson speak: that little lock symbol in your web browser). You can go to with your web browsers to test this particular flaw. Some organizations are recommending that people not use Apple Mail or the Safari web browser on wireless networks until Apple releases a MacOS patch.

The consequences may range from invasion of privacy (network adversaries reading your sending and receiving of mail and web browsing) to security issues (capturing long-term secrets, authentication cookies, and passwords transmitted using an unpatched device). What might be most disturbing is how fragile our computing systems are. A single line of code appears to have led to this flaw that effectively turns secure SSL-protected communication into unprotected communication. Things to ponder:

  • All software has security and privacy risk. Consider the consequences when the rug is pulled out from under your feet.
  • Failures are rarely independent. A single flaw can affect multiple product lines, causing havoc with continuity plans.
  • "reasonably secure" and "completely insecure" are indistinguishable at the surface. Manage the risk.

No comments:

Post a Comment

All comments are moderated to prevent spam, so please pardon the delay while our anti-spam team looks at incoming messages.