Originally Posted On: https://medium.com/@nathan_73891/careless-code-reuse-likely-caused-medialabs-software-flaws-3ad1c7f14c79

 

Before MediaLab became a healthcare company, its software backbone was in continuing education, which may be the reason the system has so many exploitable flaws today, developers say.

MediaLab, a US-based quality management system (QMS), was revealed through whistleblowers to be deploying poorly written software that is full of potentially dangerous security holes.

The software allows doctors and healthcare professionals to manipulate files, impersonate other users, adopt credentials they have not earned and perform many other questionable actions.

While the whistleblowers did not offer any concrete evidence that MediaLab’s software has led to the manipulation of healthcare records by medical professionals, they did point out that the system seems specifically designed to facilitate such manipulation.

Indeed, precisely because MediaLab’s software allows for direct record manipulation, it would be next to impossible to discover instances of fraud since anyone using the system can easily cover up their mistakes.

A handful of computer developers who were shown MediaLab’s software explained that the central problem with the technology appears to be that the company has re-used code from a prior software platform that had nothing to do with securing protected health information (PHI).

But even further than this, some of the capabilities of the software appear to be far too complex to be the result of careless corner-cutting and could only have been written to facilitate the manipulation of health records.

Faulty from day one

One developer — who wished to remain anonymous due to his professional proximity to MediaLab — said that before the firm pivoted to medical records at the turn of the century, it was a continuing education platform.

Continuing education is an all-encompassing term for a variety of formal and informal learning activities and methods that present courses and certifications to enable people to develop skills and knowledge in specific areas of a profession.

He said this initial use case explains how the features in MediaLab’s Document Control program were set up for medical professionals to answer a short quiz before undertaking a procedure.

Such tests are mandated by US State and Federal healthcare laws. They are meant to show that a doctor, nurse or surgeon is mentally prepared for a procedure and is aware of any critical regulations pertaining to the upcoming procedure.

“Continuing education platforms are generally considered the little brother of QMS in that often no one pays much attention to the honor system in these platforms. If a student fails a test, they can just redo it. That’s not a problem.

“The way I see it, not being your best self isn’t going to kill anyone. But not being able to prove knowledge of healthcare procedures might. That’s the difference,” the developer said.

MediaLab appears to have re-used code to build the new Document Control healthcare system, simply building new screens on the old system rather than building it from scratch. In some instances (such as the quiz and authentication sections), the only thing that changed was the color scheme.

“[MediaLab] probably just wanted to make money, but the way they’ve built it is not a coincidence. There’s really nothing coincidental about software. To say someone accidentally coded a function is not possible, there are many lines of code in even the simplest function.

“It would be like saying you can accidentally write a novel,” he said.

The developer added that he knows the founder of MediaLab, Paul Fekete, is considered by the US medical community as “the guy you would call” about building healthcare software and is a “little suspicious looking at this.”

“For instance, the function of assigning actions to other users is clearly meant to obscure records. No system should have the ability to alter those records, as MediaLab’s software does.

“There’s also no way to tell if the timestamps on an entry are right or wrong. If I type in that a procedure was correct two years ago, it’s possible that it was, actually, correct. But because this is basically a manual system, there’s no way to know,” the developer said.
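The two weaknesses the developer describes above (actions that can be reassigned to other users, and timestamps that are typed in by hand) are what an append-only, tamper-evident audit log is designed to rule out. The Python example below is added here for illustration and is not MediaLab's code; `AuditLog`, its field names and the demo key are hypothetical, and it assumes the MAC key is held outside the application that writes the records.

```python
import hashlib, hmac, json, time

GENESIS = "0" * 64

class AuditLog:
    """Append-only log; each entry's MAC also covers the previous entry's MAC."""

    def __init__(self, key: bytes, clock=time.time):
        self._key = key          # assumption: kept outside the record-writing app
        self._clock = clock
        self.entries = []

    def _mac(self, body: dict, prev: str) -> str:
        msg = prev.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, session_user: str, action: str, record_id: str) -> dict:
        # The actor comes from the authenticated session and the timestamp from
        # the server clock; neither is accepted from the request body.
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": self._clock(),
                "actor": session_user, "action": action, "record": record_id}
        entry = dict(body, mac=self._mac(body, prev))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first entry that fails, or None if intact."""
        prev, last_ts = GENESIS, float("-inf")
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            ok = (body.get("seq") == i and body.get("ts", last_ts) >= last_ts
                  and hmac.compare_digest(self._mac(body, prev), entry["mac"]))
            if not ok:
                return i
            prev, last_ts = entry["mac"], body["ts"]
        return None

def demo():
    ticks = iter([1000.0, 1060.0, 1120.0])       # constructed clock values
    log = AuditLog(b"constructed-demo-key", clock=lambda: next(ticks))
    log.append("nurse_a", "quiz_passed", "proc-17")
    log.append("dr_b", "procedure_signed", "proc-17")
    log.append("dr_b", "record_closed", "proc-17")
    intact = log.verify()
    log.entries[1]["actor"] = "nurse_a"          # action reassigned after the fact
    reassigned = log.verify()
    log.entries[1]["actor"] = "dr_b"             # restore, then backdate entry 2
    log.entries[2]["ts"] = 10.0
    backdated = log.verify()
    return intact, reassigned, backdated
```
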

Code re-use

Atlantic.Net vice president Brett Haines voiced similar concerns about re-using code from different software packages — not just in the case of MediaLab’s software, but across the healthcare sector where it can lead to enormous challenges and danger for patients.

Established in 1994, Atlantic.Net provides an array of hosting services, including cloud, dedicated, colocation, private virtualization and managed hosting with data centers in New York, London, Toronto, San Francisco, Dallas, Ashburn and Orlando.

Haines said the biggest danger of re-using code is the risk from system vulnerabilities built into the code.

“The only way to combat this is to perform extensive vulnerability scanning. Any vulnerabilities must be fixed even if this requires updating the developer’s tooling kit. Due to the effort required, it may be easier to build from scratch,” Haines said.

When asked if MediaLab’s code was built to facilitate medical fraud, Haines said he can’t be sure without looking at the source code itself.

He said any reputable software developer would not “intentionally” create the kinds of loopholes in MediaLab’s software. But he has seen it happen before.

“The worst example I’ve seen is a software vendor leaving a ‘god mode’ account on an application server. Thankfully this was not related to healthcare, but it is evidence that backdoors can exist.

“As part of the software delivery handover process, you would expect the developers to clean their code to ensure it is production-ready. Properly vetting the developer is critical in the healthcare space as there can’t be an ‘oops’ in coding since there are such severe ramifications,” Haines said.

The US has many regulations and key legislation to guarantee healthcare software is well-built and its developers are held accountable for the systems they construct.

For instance, software developers must comply with the rules of HIPAA (Health Insurance Portability and Accountability Act) when creating healthcare apps and sign an agreement like a Business Associates Agreement or similar. This binds a developer by certain terms and liabilities.

Other administrative safeguards include internal policies and procedures meant to maintain data integrity and highlight how data can be stored, accessed and disclosed, such as in the requirements of the Privacy Rule, the Security Rule, the Enforcement Rule and the Breach Notification Rule.

“In the MediaLab case, it appears every one of these rules has been broken,” Haines said.

“Perhaps the vendors were not aware of the severity of punishment handed out by the HHS. Breaching these conditions is a significant concern that can lead to severe penalties.

“At a minimum, the development team (or anyone responsible for updating the app) should be appropriately trained in the correct handling of health data,” he said.

Is reform possible?

Haines added that it may still be possible for MediaLab’s software to be reformed to align with the industry standards.

If the MediaLab software system needs to connect with the internet, he said it should have controls to ensure only relevant data is displayed to the relevant patient and that PHI cannot be altered or accessed in any other way. This includes system administrators.

Presently, the MediaLab software appears not to account for any of this.

Haines said medical data should be fully encrypted both in transit and at rest. Applications should have automatic logoff features with physical safeguards to protect the integrity of the backend infrastructure.

This might include data center access controls, 24–7 security, locked server racks, CCTV and environmental protections such as redundant power and cooling.

Any fixes to the MediaLab software would also need to pass several tests relating to the Physical, Technical and Administrative safeguards of HIPAA compliance. Technical safeguards must also be implemented to protect the integrity of PHI, such as a unique user authentication ID along with biometric authentication using fingerprint or facial recognition software to enhance security.

“If the software can do all this, it could have the added benefit of making the app more user-friendly while also protecting data integrity,” Haines said.

The anonymous developer added that while the ambivalence towards government healthcare regulations is ubiquitous among the “older crowd,” this problem is diminishing over time because younger medical professionals are being taught that rules exist for a purpose.

“The person who owns MediaLab is clearly in the camp of technically being okay to walk around the regulations and believing that the problem is Big Brother.

“The idea behind modern systems is that you can’t cheat because doctors aren’t special people who magically don’t cheat. There are tens of millions of people in the medical field and some of them will cheat. Any system should not make it possible for people to cheat,” he said.