A Fort Wayne, Ind.-based orthopedics clinic with more than a dozen facilities in the state has called in the U.S. Federal Bureau of Investigation to investigate a hacking incident that highlights the dangers companies can face from the placement of hidden back doors in their software.
The case involves Orthopaedics Northeast, which last month suddenly began experiencing serious performance slowdowns with Webchart, a clinical document management system supplied to the clinic by Medical Informatics Engineering Inc., a health care software developer that's also based in Fort Wayne.
MIE, which no longer supports the clinic's Webchart installation, last week confirmed that it is part of the FBI's investigation. But it denied that it was involved in the hacking activities at the clinic, which is known informally as ONE.
The performance problems, which on one occasion caused the Webchart software to become totally inaccessible for several days, were eventually traced to deliberate changes made in the system's underlying MySQL database, according to Todd Plesko, CEO of triPractix LLC, a medical systems integrator that now manages the clinic's IT services.
The database changes were made by someone who illegally accessed the system nine times over a period of two weeks, initially via a back door using a hard-coded username and password, said Plesko, whose company is based in Fort Wayne as well.
Uncovering the intrusion led to the discovery of "a backdoor realm called MIE Private with a username of MIE that would completely bypass all of Webchart's front-end authentication," he explained.
Plesko said that in one instance, two 1's were appended to the end of a database query to make it crash. In another case, a print-server directory was deleted from the system.
The hacker subsequently appears to have used the backdoor access to set up or modify user accounts to also allow conventional access to Webchart, said Benjamin Kessler, a senior network consultant at Midwest Network Services Group LLC, a network infrastructure and security consulting firm in Fort Wayne that helped the clinic investigate the incident.
According to Kessler, an analysis of system and firewall logs showed that the person accessing the Webchart system came in via a proxy server at a local hospital. The systems at ONE were connected to the hospital's network via a virtual private network.
The hospital's logs showed that the proxy server had been accessed from a Windows Server 2003 system at another clinic, Kessler said. That system, in turn, appeared to have been accessed from within MIE's network, he added. Tracing the alleged route taken by the intruder "required quite a lot of coordination work with the other entities that had been abused along the way," Kessler said.
MIE and triPractix are rivals in the Indiana health care IT market.
In the past, ONE was a major user of MIE's software products, but in November the clinic made a decision to move to electronic medical records technology from General Electric Co.'s GE Healthcare unit. It was also around this time that MIE stopped supporting ONE's Webchart implementation, said Plesko, whose company resells GE's software. According to Plesko, ONE's original plans called for the migration from MIE to GE's software to be completed by June. But that schedule has been accelerated and the plan now is to go live with the GE software next month, he said.
Eric Jones, MIE's chief operating officer, said that the software developer is fully cooperating with the FBI and that it wasn't responsible for the database changes at ONE or the placement of the back door in the clinic's system.
"We don't use back doors in our software, period," Jones said. "We don't believe in them." MIE officials "are hopeful that the investigation will be wrapped up soon," he added. "We don't expect that anything would come of this."
Raymond Kusisto, the clinic's CEO, said via e-mail that ONE had little to add about the hacking incident beyond the information that was disclosed by Plesko. "Once the FBI investigation is complete, we'll hopefully learn some things that may be appropriate to share," Kusisto said.
An FBI spokeswoman in the agency's Indianapolis office would neither confirm nor deny that an investigation is taking place, citing U.S. Department of Justice policies.
The incident highlights the need for companies to pay special attention to the dangers posed by embedded back doors, Kessler said. It also shows, he added, that when IT managers set up trusted VPN connections with third parties, "you are indirectly trusting the people they are trusting."
Locating back doors built into enterprise software can be difficult, said Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa. But Lindstrom said that IT and security managers can take measures to mitigate the risks posed by back doors, such as monitoring systems at the database and application levels, validating the nature and integrity of database queries, and tracking activity logs. "The fact that we know this happened obviously shows that people do get caught, even if they come in via hidden back doors," he said. "It may take a while but it's possible to catch this sort of thing."