Presented by Anirudh Duggal in SecurityXploded cyber security meet. visit: http://www.securitytrainings.net for more information

1. Fingerprinting Healthcare
Institutions – EMR systems
- Anirudh Duggal
Disclaimer: All the views / data presented are my own and do not reflect the opinions
of my employer.

2. #whoAmI
• Work with Philips healthcare
• Hack anything
• Sustainability enthusiast
• Research on healthcare security – protocols, devices, infrastructure
• Play guitar in free time
• Speak at conferences
• Hospitalsecurityproject.com

3. Agenda
• Why healthcare?
• Beyond phishing – targeted attacks
• How to fingerprint?
• EMR fingerprinting
• Fingerprinting beyond servers
• Q&A

4. Why healthcare?
• Easy targets
• High payoff
• Still to mature on terms of security
• Less awareness

5. Posted on 13th Feb 2016

6. Overall
• Healthcare institutions are easy to fingerprint
• They are “considerably less protected”
• Many entry points
• Quite many targets

7. What to expect?

8. And…

9. Inside a hospital

10. Text
• Text
• Text
• Text
Text
• Text
• Text
• Text
Network 1 Network 2
Healthcare centers and hospitals
– ideal situation
HVAC
system
Lighting
system
Hospital
servers
Waste
management
systems
Medical
devices
Monitoring
devices
Computers,
phones,
tablets
Water
controls
NAT / Bridged network with an IDS / IPS
Other
hospitals Vendor servers
“service
portals”
Vendor servers
Intranet
Internet
Encrypted communication
Encrypted communication Encrypted communication
Computers ,
phones,
tablets

11. Text
• Text
• Text
• Text
Text
• Text
• Text
• Text
But what do we get?
HVAC
system
Lighting
system
Hospital
servers
Waste
management
systems
Medical
devices
Hospital
computers
Monitoring
devices
Tablets /
phones
Water
controls “service
portals”
Security
systems
guests
Internet

12. Basics of fingerprinting
• Find unique but common headers
• Be consistent
• Use multiple tools – shodan, censys, matego
• Verify manually
• Use google

13. So what can you fingerprint?
• Medical devices
• Routers
• Data center
• EMR software
• HVAC controls
• Lighting controls

14. Finding hospitals
• Generic searches
• Name searches
• Hospital name searches
• Sometimes the name is too generic
• Narrow down search parameters

15. Generic hospital searches
• Hospital
• Hospital*
• Healthcare
• Healthcare*
• <name of the hospital>
• <name of the software / protocol>

16. Generic searches

17. Narrowing the searches to regions
• Narrow down searches by
• Country
• Technology (HTTP(S), NetBIOS )
• Type of infrastructure (VPN, cloud)

18. Healthcare “chains”

19. Narrowing down
• Narrow down to FTP servers ;)
• Port 80 will show interesting
results

20. But…
• Sometimes the names are too generic
• Narrow down technology
• Look at other parameters – don’t fall into honeypots
• Use google - Search for address and verify

21. EMR solutions
• “goldmine” for attackers
• Easy to attack
• High point of impact
• Ransomware attacks

22. A typical hospital scenario
EMR
(electronic medical
record)Patient
monitors /
healthcare
devices
LAN / WIFI/
Bluetooth/
Doctor's PC /
Secretary PC
Doctor's Mobile/
Nurse mobile
Other hospitals

23. Fingerprinting EMR solutions
• Use shodan / censys / maltego
• Searches vary on what you're trying to find
• How I started
• Create a list of 200 popular EMR solutions
• Start searching by name
• Look for characteristics – deployment scenario, url constructs, technology
• Look for manuals
• Change language – Chinese, Russian
• Find bugs ;)

24. Shodan
• Can search using name
• Less false positives
• Shows ready exploits for OS

29. Search by exploring EMR structures
• Look at unique parameters
• Filter by name

32. Problem
• Results not constant
• Need more access to data
• You can’t find some systems

33. Thinking beyond Shodan
• Shodan (Shodan.io)
• Easiest deep web tools
• Cache information
• Due to the paid nature, results may vary
• Lacks multi lingual capabilities
• Censys (censys.io)
• Provides raw data for research
• Support Regex and can concatenate different parameters
• Maltego (thick client)
• For advanced recon
• Can fingerprint infrastructure

34. Searching by names

35. Multi – lingual search -Russian

36. Multi – lingual search -Chinese

37. Multi – lingual search - Arabic

38. Using censys efficiently

39. Combining searches with google results
• Google gives better results with specific headers

40. Running Maltego

41. When everything fails
• Some systems could not be found at all
• Find the manual!

44. Easy way - visit the vendor website site ;)

45. Logging on the PACS system

46. Cloud based EMR
• Easy to find
• “scalable and reliable”
• Many entry points – web, mobile, IOT devices
• Google is very effective in searching such solutions

47. In a nutshell
• Finding EMR is easy
• Your EMR might be secure, other infrastructure might be not
• Attacks go beyond your audits and process

48. Besides servers

49. Routers and internet access points

50. Cams – smile ;)

51. HVAC controls!

52. Insider attacks
• Generic system attacks – MITM , BSOD , Network exploits
• HL7 exploits

53. Defending hospitals
• Secure networks
• Have Public and Private networks
• Harden routers and firewalls – have a patching policy
• Look out for shodan and censys
• Assume the network will be compromised
• Isolate high value components
• Encrypt and Backup
• Know your devices –vendor management

54. Thank you
Minatee Mishra Michael Mc Neil
Ben Kokx Jiggyasu Sharma
Sanjog Panda Pardhiv Reddy
Ajay Pratap Singh Neelesh Swami
Archita Aparichita Sagar Popat
Narendra Makkena Kartik Lalan
Pratap Chandra Ashish Shroff
Swaroop Yermalkar

55. Questions?
• anirudhduggal@gmail.com
• Anirudh Duggal – facebook
• @Duggal_anirudh– twitter ; @secure_hospital
• Hospitalsecurityproject.com

56. Thank you