The case involves Orthopaedics Northeast, which last month suddenly began experiencing serious performance slowdowns with Webchart, a clinical document management system supplied to the clinic by Medical Informatics Engineering Inc., a health care software developer that's also based in Fort Wayne.
MIE, which no longer supports the clinic's Webchart installation, last week confirmed that it is part of the FBI's investigation. But it denied that it was involved in the hacking activities at the clinic, which is known informally as ONE.
The performance problems, which on one occasion caused the Webchart software to become totally inaccessible for several days, were eventually traced to deliberate changes made in the system's underlying MySQL database, according to Todd Plesko, CEO of triPractix LLC, a medical systems integrator that now manages the clinic's IT services.
The database changes were made by someone who illegally accessed the system nine times over a period of two weeks, initially via a back door using a hard-coded username and password, said Plesko, whose company is headquartered in Fort Wayne as well.
Uncovering the intrusion led to the discovery of "a backdoor realm called MIE Private, with a username of MIE, that would completely bypass all of Webchart's front-end authentication," he explained.
Plesko said that in one instance, two numerals were appended to the end of a database query to make it crash. In another case, a print-server directory was deleted from the system.
The hacker subsequently appears to have used the backdoor access to set up or modify user accounts to also allow conventional access to Webchart, said Benjamin Kessler, a senior network consultant at Midwest Network Services Group LLC, a network infrastructure and security consulting firm in Fort Wayne that helped the clinic investigate the incident. Means of Entry
According to Kessler, an analysis of system and firewall logs showed that the person accessing the Webchart system came in via a proxy server at a local hospital. The systems at ONE were connected to the hospital's network via a virtual private network.
The hospital's logs showed that the proxy server had been accessed from a Windows Server 2003 system at another clinic, Kessler said. That system, in turn, appeared to have been accessed from within MIE's network, he added. Tracing the alleged route taken by the intruder "required quite a lot of coordination work with the other entities that had been abused along the way," Kessler said.
MIE and triPractix are rivals in the Indiana health care IT market. In the past, ONE was a major user of MIE's software products. But last November, the clinic decided to replace the MIE products with electronic medical records technology from General Electric Co.'s GE Healthcare unit. Shortly thereafter, MIE stopped supporting ONE's Webchart implementation, Plesko said. TriPractix is a reseller of the GE software.
Eric Jones, MIE's chief operating officer, said that the software developer is fully cooperating with the FBI and that it wasn't responsible for the database changes at ONE or the placement of the back door in the clinic's system.
"We don't use back doors in our software, period," Jones said. "We don't believe in them." MIE officials "are hopeful that the investigation will be wrapped up soon," he added. "We don't expect that anything would come of this."
Raymond Kusisto, the clinic's CEO, said via e-mail that ONE had little to add about the hacking incident beyond the information that was disclosed by Plesko. "Once the FBI investigation is complete, we'll hopefully learn some things that may be appropriate to share," Kusisto said.
An FBI spokeswoman in the agency's Indianapolis office declined to confirm or deny that an investigation is taking place, citing U.S. Department of Justice policies.
The incident highlights the need for companies to pay special attention to the dangers posed by embedded back doors, Kessler said. It also shows, he added, that when IT managers set up trusted VPN connections with third parties, "you are indirectly trusting the people they are trusting."
Locating back doors built into enterprise software can be difficult, said Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa. Lindstrom noted that IT and security managers can take measures to mitigate the risks posed by back doors, such as monitoring systems at the database and application levels, validating the nature and integrity of database queries, and tracking user activity.