Breaking into Hospitals
Disclaimer: All the views / data presented are my own and do not reflect the opinions
of my employer.
-- Anirudh Duggal
About me
• Senior software engineer with Royal Philips
• Speaker at Cocon, HITCON, Ground Zero, Nullcon
• Hack anything
• Sustainability enthusiast
• Play guitar in free time
Menu!
• Hospitals
• Why attack hospitals?
• Infrastructure inside a hospital
• A reality check
• Indian perspective
• Changing threat scenario
Hospital
• A hospital is a health care institution providing patient treatment with
specialized staff and equipment. -- wiki
Why Hospitals?
• Cyber war / Terrorism?
• Privacy
• Financial – a medical record fetches 8x the price of a credit card record
• Physical?
Infrastructure inside a hospital
Range of devices
(image captions)
Cost: Rs 250 115 (50% off); fits in pocket
Cost: can reach up to 3 million $; size: about the size of a truck (don’t ask the weight ;) )
And the memory
(image captions)
A hospital data center…
A simple DIY device
And……….
• Patient monitors
• Insulin monitors
• Pacemakers
• Heart rate devices
• “smart bands”
• Home monitoring solutions
And……….
Healthcare centers and hospitals
(network diagram, the expected layout) HVAC system, lighting system, hospital servers, waste management systems, medical devices, hospital computers, monitoring devices, tablets / phones, water controls and security systems sit on the intranet behind a NAT / bridged network; vendor servers, “service portals” and other hospitals are reached over the Internet.
Really?
(network diagram, the actual layout) The same HVAC system, lighting system, hospital servers, waste management systems, medical devices, hospital computers, monitoring devices, tablets / phones, water controls, “service portals” and security systems, plus guests, all connected directly to the Internet.
So where’s the problem?
• The infrastructure is not supposed to be “public”
• Most of this infrastructure is not prepared to be public
Attack Scenario
• Outsider attacks -> fingerprinting and attacking hospitals
• Name, medical equipment, EMR systems, HVAC systems, control systems,
routers, security systems
• Insider attacks – network and medical devices
• Public vs private networks, finding HL7 implementations
• Finding obsolete hardware / software
A reality check
• As an attacker I:
Found 2000+ vulnerable hospital servers
Found 200+ hospitals from major hospital chains
Found HVAC controls
Discovered many entry points in each of them
Am updating the number of live EMR systems I found
Still finding lots of hospitals and healthcare devices and
solutions…
Indian perspective as an attacker
• Found many major hospitals (40+)
• Was able to fingerprint major hospital chains
• Found FTP, Telnet, IIS instances (unprotected)
• Found suspicious activity
• Found hospital networks with open Wi-Fi connections,
e.g. hospital admin and hospital networks
• Need security now!
Outsider attacks
• Recon using shodan
On the basis of EMR solutions
Fingerprinting chains of hospitals
Infrastructure – besides medical devices
Unknown hospitals
Insider attacks
• Wi-Fi networks – guests
• Stealing information from employees – privacy
• Evil staff – using existing infrastructure to launch attacks
• HL7 and FHIR
Medical devices
Potential entry points
• Wi-Fi / LAN
• Serial ports
• USB - Firmware
• The sensors
• Keyboard / mouse
• Firewire
• Protocols
What is HL7?
• Health Level Seven standards
• Most popular in healthcare devices (HL7 2.x)
• Quite old – designed in 1989
• FHIR is the next gen
HL7 2.x
• Most popular HL7 version
• New messages / fields added
HL7 2.x
HL7
Things to know
• | is the field delimiter, so || marks an empty field
• MSH – message header segment (always the first segment)
• The standards define the messages – not the implementation
An HL7 message
MSH|^~&||STI SQESERV3|||||ORU^R01|HP1304538180456|P|2.3||||||8859/1
PID|||MRN-3M31^^^^MR~Encounter-3M31FF^^^^VN~AlternatiFF-3M31^^^^U||3M31LastUpdate^Test-FirstUpdate^Middle-Update||19330808|F
PV1||I|OR^^OR9&0&0||||||||||||||||Encounter-3M31FF
OBR|||||||20110504154300
OBX||TX|6^Soft Inop^MDIL-ALERT|1|ALL ARRH ALRMS OFF||||||F
OBX||ST|0002-d006^EctSta^MDIL|0|""||||||F
OBX||ST|0002-d007^RhySta^MDIL|0|SV Rhythm||||||F
OBX||NM|0002-4bb8^SpO2^MDIL|0|100|0004-0220^%^MDIL|||||F
OBX||NM|0002-0302^ST-II^MDIL|0|-1.0|0004-0512^mm^MDIL|||||F
OBX||NM|0002-0304^ST-V2^MDIL|0|0.6|0004-0512^mm^MDIL|||||F
OBX||NM|0002-f125^pNN50^MDIL|0|0.00|0004-0220^%^MDIL|||||F
OBX||NM|0002-4182^HR^MDIL|0|80|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-4a15^ABPs^MDIL|0|120|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-4a16^ABPd^MDIL|0|70|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-4a17^ABPm^MDIL|0|91|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-4261^PVC^MDIL|0|0|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-5012^awRR^MDIL|0|25|0004-0ae0^rpm^MDIL|||||F
OBX||NM|0002-e014^Tblood^MDIL|0|37.0|0004-17a0^°C^MDIL|||||F
OBX||NM|0002-4822^Pulse^MDIL|0|60|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-50b0^etCO2^MDIL|0|40|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-50ba^imCO2^MDIL|0|0|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-f0c7^T1^MDIL|0|40.0|0004-17a0^°C^MDIL|||||F
OBX||NM|0002-f081^SD NN^MDIL|0|0.00|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-f03d^STindx^MDIL|0|3.5|0004-0512^mm^MDIL|||||F
(callouts on the message) Patient identifier: the PID segment. Message type and HL7 identifier: ORU^R01 and version 2.3 in the MSH segment. Message fields: the OBX segments.
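The slides show the message but not how a receiving system should take it apart. The following is an added example, not the talk's own code: it parses the ORU^R01 sample above using the field, component and repetition separators declared in MSH-2, pulls out the message type, version, patient identifiers and OBX observations, and applies the structural checks a receiving interface should run before trusting the data (the standard defines the message grammar, not what an implementation does with a malformed one). The function names and the checks are assumptions made for illustration; the message text is the sample from the slides.

```python
"""Parse the ORU^R01 sample from the slides and sanity-check it before use.

Added example, not the talk's own code. The message text is the sample shown
on the slides; the function names and the checks are assumptions made to
illustrate what a receiving interface should verify.
"""
import re
from typing import Dict, List

# Sample message from the slides. HL7 v2 separates segments with a carriage
# return; parse_hl7 also accepts \n so the text can be pasted as-is.
SAMPLE_MESSAGE = "\r".join([
    "MSH|^~&||STI SQESERV3|||||ORU^R01|HP1304538180456|P|2.3||||||8859/1",
    "PID|||MRN-3M31^^^^MR~Encounter-3M31FF^^^^VN~AlternatiFF-3M31^^^^U"
    "||3M31LastUpdate^Test-FirstUpdate^Middle-Update||19330808|F",
    "PV1||I|OR^^OR9&0&0||||||||||||||||Encounter-3M31FF",
    "OBR|||||||20110504154300",
    "OBX||TX|6^Soft Inop^MDIL-ALERT|1|ALL ARRH ALRMS OFF||||||F",
    'OBX||ST|0002-d006^EctSta^MDIL|0|""||||||F',
    "OBX||ST|0002-d007^RhySta^MDIL|0|SV Rhythm||||||F",
    "OBX||NM|0002-4bb8^SpO2^MDIL|0|100|0004-0220^%^MDIL|||||F",
    "OBX||NM|0002-0302^ST-II^MDIL|0|-1.0|0004-0512^mm^MDIL|||||F",
    "OBX||NM|0002-0304^ST-V2^MDIL|0|0.6|0004-0512^mm^MDIL|||||F",
    "OBX||NM|0002-f125^pNN50^MDIL|0|0.00|0004-0220^%^MDIL|||||F",
    "OBX||NM|0002-4182^HR^MDIL|0|80|0004-0aa0^bpm^MDIL|||||F",
    "OBX||NM|0002-4a15^ABPs^MDIL|0|120|0004-0f20^mmHg^MDIL|||||F",
    "OBX||NM|0002-4a16^ABPd^MDIL|0|70|0004-0f20^mmHg^MDIL|||||F",
    "OBX||NM|0002-4a17^ABPm^MDIL|0|91|0004-0f20^mmHg^MDIL|||||F",
    "OBX||NM|0002-4261^PVC^MDIL|0|0|0004-0aa0^bpm^MDIL|||||F",
    "OBX||NM|0002-5012^awRR^MDIL|0|25|0004-0ae0^rpm^MDIL|||||F",
    "OBX||NM|0002-e014^Tblood^MDIL|0|37.0|0004-17a0^°C^MDIL|||||F",
    "OBX||NM|0002-4822^Pulse^MDIL|0|60|0004-0aa0^bpm^MDIL|||||F",
    "OBX||NM|0002-50b0^etCO2^MDIL|0|40|0004-0f20^mmHg^MDIL|||||F",
    "OBX||NM|0002-50ba^imCO2^MDIL|0|0|0004-0f20^mmHg^MDIL|||||F",
    "OBX||NM|0002-f0c7^T1^MDIL|0|40.0|0004-17a0^°C^MDIL|||||F",
    "OBX||NM|0002-f081^SD NN^MDIL|0|0.00|0004-0aa0^bpm^MDIL|||||F",
    "OBX||NM|0002-f03d^STindx^MDIL|0|3.5|0004-0512^mm^MDIL|||||F",
])


def parse_hl7(raw: str) -> List[List[str]]:
    """Split a message into segments, each a list indexed by HL7 field number.

    Index 0 is the segment name. In MSH the field separator itself is MSH-1 and
    the encoding characters are MSH-2, so the separator is re-inserted to keep
    MSH-9 (message type), MSH-10 (control id) and MSH-12 (version) aligned.
    """
    lines = [ln for ln in re.split(r"\r\n|\r|\n", raw.strip()) if ln]
    if not lines or not lines[0].startswith("MSH") or len(lines[0]) < 8:
        raise ValueError("message must start with an MSH segment")
    sep = lines[0][3]  # MSH-1, normally '|'
    segments = []
    for ln in lines:
        fields = ln.split(sep)
        if fields[0] == "MSH":
            fields.insert(1, sep)
        segments.append(fields)
    return segments


def field(seg: List[str], n: int) -> str:
    """Field n of a segment, or '' when trailing empty fields were dropped."""
    return seg[n] if n < len(seg) else ""


def comp(value: str, i: int, enc: str) -> str:
    """Component i of a field; enc[0] is the component separator (normally ^)."""
    parts = value.split(enc[0])
    return parts[i] if i < len(parts) else ""


def summarize(raw: str) -> Dict[str, object]:
    """Pull out what a receiver needs: type, version, patient ids, observations."""
    segs = parse_hl7(raw)
    msh = segs[0]
    enc = field(msh, 2) or "^~\\&"  # MSH-2 encoding characters
    out: Dict[str, object] = {
        "message_type": (comp(field(msh, 9), 0, enc), comp(field(msh, 9), 1, enc)),
        "control_id": field(msh, 10),
        "version": field(msh, 12),
        "patient_ids": [],
        "observations": [],
    }
    for seg in segs[1:]:
        if seg[0] == "PID":
            # PID-3 repeats on enc[1] ('~'); component 5 is the id type (MR, VN, ...)
            for rep in field(seg, 3).split(enc[1]):
                out["patient_ids"].append((comp(rep, 0, enc), comp(rep, 4, enc)))
        elif seg[0] == "OBX":
            out["observations"].append({
                "type": field(seg, 2),                # OBX-2 value type (NM, ST, TX)
                "name": comp(field(seg, 3), 1, enc),  # OBX-3 observation identifier text
                "value": field(seg, 5),               # OBX-5 observation value
                "units": comp(field(seg, 6), 1, enc), # OBX-6 units text
                "status": field(seg, 11),             # OBX-11 result status
            })
    return out


def check_message(summary: Dict[str, object]) -> List[str]:
    """Structural checks to apply before handing the data downstream (assumed policy)."""
    findings = []
    if summary["message_type"] != ("ORU", "R01"):
        findings.append(f"unexpected message type {summary['message_type']}")
    if not summary["control_id"] or not summary["version"]:
        findings.append("MSH-10 control id or MSH-12 version missing")
    if not summary["patient_ids"]:
        findings.append("PID-3 carries no patient identifier")
    for obs in summary["observations"]:
        if obs["type"] == "NM":
            try:
                float(obs["value"])  # NM values must be numbers, not free text
            except ValueError:
                findings.append(f"non-numeric NM value {obs['value']!r} for {obs['name']}")
    return findings


if __name__ == "__main__":
    s = summarize(SAMPLE_MESSAGE)
    print(s["message_type"], s["version"], s["patient_ids"])
    for obs in s["observations"]:
        print(f"{obs['name']:>10}: {obs['value']} {obs['units']}")
    print("findings:", check_message(s) or "none")
```

The parser takes the separators from MSH-2 rather than hard-coding them, which is what makes the `||` empty fields on the slide come out as empty strings in the right positions; `check_message` then shows the kind of acceptance test an integration engine should apply, since HL7 2.x itself carries no authentication and the receiving implementation is where bad input has to be stopped.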
Demo Time!
FHIR
• FHIR is a new specification based on emerging industry approaches,
but informed by years of lessons around requirements, successes and
challenges gained through defining and implementing HL7 v2, HL7 v3
and the RIM, and CDA.
• REST based
Sample FHIR request
{
  "resourceType": "Query",
  "text": {
    "status": "generated",
    "div": "<div>[Put rendering here]</div>"
  },
  "identifier": "urn:uuid:42b253f5-fa17-40d0-8da5-44aeb4230376",
  "parameter": [
    {
      "url": "http://hl7.org/fhir/query#_query",
      "valueString": "example"
    }
  ]
}
Applications
New threat landscape
• BYOD
• Cloud Based attacks
• Targeted attacks
Thank you
Minatee Mishra
Michael Mc Neil
Ben Kokx
Jiggyasu Sharma
Sanjog Panda
Pardhiv Reddy
Ajay Pratap Singh
Neelesh Swami
Geethu Aravind
Archita Aparichita
Sagar Popat
Questions?
Thank you

Editor's Notes

  • #5 To set the context of hospitals by definition.
  • #6 To explain that there is a rise in security events around medical devices; besides gaining access to confidential information, attackers can harm the patient directly, e.g. the insulin pump hacks demonstrated at Black Hat showed how an attacker can hack into insulin pumps. In a hospital environment there are other devices, say a heart rate monitor or an oximeter; these devices are being targeted now.
  • #7 The insulin pump hack was a hot topic for healthcare security researchers. The pump was remotely monitored by a server. The attacker was able to change the dosage and impersonate the server. The product was banned for sale by the FDA.
  • #9 This is to break the notion that medical devices are just pumps, oximeters and heart rate sensors. A device can be as simple as a thermometer or as sophisticated as an MRI machine, which has many computers working synchronously.
  • #10 To emphasize that these devices hold a lot of memory, be it for processing or for data collection; these devices are evolving very quickly.
  • #11 Besides hospital environments there are many medical devices that the general population is not aware of. They may be issued on a case-by-case basis.
  • #12 Like other institutions and companies, hospitals have automation in their infrastructure. Most of these vendors do not have security built into their software / hardware. This makes hospitals more vulnerable to attacks. These systems do have web interfaces, which seldom run on HTTPS or any other secure channel.
  • #13 An expected hospital network (though insecure); this is how most hospitals usually look.
  • #14 In reality it is a bunch of devices on the network, connected to the internet.
  • #15 The problem is that the infrastructure is built with the assumption that it will be on a private / uncompromised network.
  • #16 Using intelligence tools one can gather information from the internet and fingerprint such infrastructure, using combined searches or by tracking systems specific to hospitals, e.g. EMR systems.
  • #18 From an Indian perspective, over the past month I’ve seen the number of hospitals that are fingerprinted rise.
  • #29 To compare them to an IoT device but with much enhanced capacity: these RTOS devices run a dedicated program and usually do not run an off-the-shelf OS.