2. #whoAmI
• Work with Philips healthcare
• Hack anything
• Sustainability enthusiast
• Research on healthcare security – protocols, devices, infrastructure
• Play guitar in free time
• Hospitalsecurityproject.com
3. Agenda
• Why healthcare?
• Beyond phishing – targeted attacks
• How to fingerprint?
• EMR fingerprinting
• Fingerprinting beyond servers
• HL7 attacks (if time permits)
• Q&A
4. Why healthcare?
• Easy targets
• High payoff
• Still maturing in terms of security
• Less awareness
10. Healthcare centers and hospitals – ideal situation
[Diagram: intranet and Internet separated by a NAT / bridged network with an IDS / IPS. Intranet side (Network 1): HVAC system, lighting system, hospital servers, waste management systems, medical devices, monitoring devices, water controls, and the staff's computers, phones and tablets. Internet side (Network 2): other hospitals, vendor servers ("service portals"), and external computers, phones and tablets. Every link crossing the boundary is labelled "Encrypted communication".]
11. But what do we get?
[Diagram: the same components (HVAC system, lighting system, hospital servers, waste management systems, medical devices, hospital computers, monitoring devices, tablets / phones, water controls, vendor "service portals", security systems and guest devices) all sitting on one flat network directly exposed to the Internet; none of the separation, IDS / IPS or encrypted links of the previous slide appear.]
12. Basics of fingerprinting
• Find headers that are unique to the product but common across its deployments
• Be consistent
• Use multiple tools – Shodan, Censys, Maltego
• Verify manually
• Use Google
13. So what can you fingerprint?
• Medical devices
• Routers
• Data center
• EMR software
• HVAC controls
• Lighting controls
14. Finding hospitals
• Generic searches
• Name searches
• Hospital name searches
• Sometimes the name is too generic
• Narrow down search parameters
15. Generic hospital searches
• Hospital
• Hospital*
• Healthcare
• Healthcare*
• <name of the hospital>
• <name of the software / protocol>
20. But…
• Sometimes the names are too generic
• Narrow down by technology
• Look at other parameters – don't fall into honeypots
• Use Google – search for the address and verify
22. A typical hospital scenario
[Diagram: the EMR (electronic medical record) at the centre, reached over LAN / WiFi / Bluetooth by patient monitors / healthcare devices, the doctor's and secretary's PCs, the doctor's and nurse's mobiles, and other hospitals.]
23. Fingerprinting EMR solutions
• Use Shodan / Censys / Maltego
• Searches vary with what you're trying to find
• How I started
• Create a list of 200 popular EMR solutions
• Start searching by name
• Look for characteristics – deployment scenario, URL constructs, technology
• Look for manuals
• Change the search language – Chinese, Russian
• Find bugs ;)
24. Shodan
• Can search by name
• Fewer false positives
• Shows ready-made exploits for the detected OS
29. Search by exploring EMR structures
• Look at unique parameters
• Filter by name
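The steps on the last few slides (search by product name, look at URL constructs, cookies and server technology, verify manually, don't fall for honeypots) can be turned into a repeatable banner check. The block below is an added example written for this page, not code from the talk; the product names ExampleEMR and SampleChart, their signatures and the three banners are constructed placeholders, and the only assumption about the tools is that Shodan stores the raw HTTP response in its `data` field. It scores each banner against several independent characteristics, refuses to name a product on a single kind of evidence (a title alone is the classic false positive), and flags a host whose banner matches two products at once so that it is verified by hand rather than trusted.

```python
"""Fingerprint EMR web front ends from Shodan/Censys-style HTTP banners.
Added example, not code from the talk; product names, signatures and
banners are constructed placeholders."""
import re
from dataclasses import dataclass


@dataclass
class Banner:
    headers: dict    # lower-cased name -> value (last value wins)
    cookies: tuple   # cookie names from every Set-Cookie header
    title: str
    body: str


def parse_banner(raw: str) -> Banner:
    """Split a raw HTTP response (as Shodan stores it in `data`) into parts."""
    head, _, body = raw.partition("\r\n\r\n")
    headers, cookies = {}, []
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = (s.strip() for s in line.split(":", 1))
        if name.lower() == "set-cookie":
            cookies.append(value.split("=", 1)[0])
        else:
            headers[name.lower()] = value
    t = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return Banner(headers, tuple(cookies),
                  re.sub(r"\s+", " ", t.group(1)).strip() if t else "", body)


# Hypothetical signatures: (field, regex, weight). Titles and cookie names are
# the most product-specific, the Server header the least.
SIGNATURES = {
    "ExampleEMR": [("title", r"\bExampleEMR\b", 3), ("cookie", r"^EXEMR_SESSION$", 2),
                   ("path", r"/exemr/(login|portal)\.aspx", 2), ("server", r"^Microsoft-IIS/", 1)],
    "SampleChart": [("title", r"SampleChart (Login|Portal)", 3), ("cookie", r"^schart_sid$", 2),
                    ("path", r"/samplechart/", 2), ("server", r"^nginx", 1)],
}
MIN_SCORE = 4   # a title alone (3) is never enough
MIN_KINDS = 2   # evidence must come from two different fields


def _values(b: Banner, field: str) -> list:
    """Banner values a signature field is matched against."""
    if field == "title":
        return [b.title]
    if field == "cookie":
        return list(b.cookies)
    if field == "server":
        return [b.headers.get("server", "")]
    # "path": redirect target plus links and form targets in the body
    return [b.headers.get("location", "")] + re.findall(
        r'(?:href|action|src)="([^"]+)"', b.body, re.I)


def classify(raw: str) -> dict:
    """Name the one product the banner is consistent with, or return a flag."""
    b = parse_banner(raw)
    hits = []
    for product, indicators in SIGNATURES.items():
        total, kinds = 0, set()
        for field, pattern, weight in indicators:
            if any(re.search(pattern, v, re.I) for v in _values(b, field) if v):
                total, kinds = total + weight, kinds | {field}
        if total >= MIN_SCORE and len(kinds) >= MIN_KINDS:
            hits.append((product, total))
    hits.sort(key=lambda h: -h[1])
    if not hits:
        return {"product": None, "score": 0, "flag": "no match"}
    if len(hits) > 1:   # one host claiming to be two products: verify by hand
        return {"product": None, "score": hits[0][1],
                "flag": "conflicting signatures; possible decoy, verify manually"}
    return {"product": hits[0][0], "score": hits[0][1], "flag": ""}


# Constructed banners, not captures from real hosts.
BANNER_EMR = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
              "Set-Cookie: EXEMR_SESSION=abc123; path=/\r\n\r\n"
              '<html><head><title>ExampleEMR - Login</title></head>'
              '<body><form action="/exemr/login.aspx"></form></body></html>')
BANNER_GENERIC = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4\r\n\r\n"
                  "<html><title>Hospital Portal</title></html>")
BANNER_DECOY = ("HTTP/1.1 200 OK\r\nServer: nginx/1.18\r\n"
                "Set-Cookie: EXEMR_SESSION=x\r\nSet-Cookie: schart_sid=y\r\n\r\n"
                "<title>ExampleEMR SampleChart Login</title>"
                '<a href="/exemr/login.aspx">x</a><a href="/samplechart/">y</a>')

if __name__ == "__main__":
    for raw in (BANNER_EMR, BANNER_GENERIC, BANNER_DECOY):
        print(classify(raw))
```

The weights are the design choice worth copying: the Server header is shared by thousands of unrelated hosts, so on its own it only narrows the search (slide 20), while a product-specific cookie name or login path comes from the deployment itself and is what makes a hit worth verifying.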
32. Problem
• Results are not consistent between runs
• Need more access to the raw data
• You can't find some systems
33. Thinking beyond Shodan
• Shodan (shodan.io)
  • Easiest of these tools to use
  • Caches information, so results can be stale
  • Results vary with the paid tier
  • Lacks multilingual search
• Censys (censys.io)
  • Provides raw data for research
  • Supports regex and can combine different parameters
• Maltego (thick client)
  • For advanced recon
  • Can fingerprint infrastructure
46. Cloud based EMR
• Easy to find
• "scalable and reliable"
• Many entry points – web, mobile, IoT devices
• Google is very effective at finding such solutions
47. In a nutshell
• Finding EMRs is easy
• Your EMR might be secure; the surrounding infrastructure might not be
• Attacks go beyond your audits and processes
63. Defending hospitals
• Secure networks
• Have public and private networks
• Harden routers and firewalls – have a patching policy
• Look out for Shodan and Censys – check what they already show about your address space
• Assume the network will be compromised
• Isolate high-value components
• Encrypt and back up
• Know your devices – vendor management
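"Look out for Shodan and Censys" is cheap to automate: pull an export for your own netblocks and triage it for the things this deck finds on real hospitals (NetBIOS exposed, anonymous FTP logins, an EMR on Windows Server 2003, cleartext HL7). The block below is an added example for this page, not the talk's own tooling. It assumes Shodan's JSON-lines export shape with `ip_str`, `port`, `os` and `data` fields, uses a hypothetical hospital netblock from the RFC 5737 documentation range, and feeds constructed records; records outside the owned range are ignored so a shared hosting neighbour does not end up in your ticket queue.

```python
"""Triage a Shodan-style JSON export of a hospital's own address space for
the exposures this deck calls out. Added example, not code from the talk.
Assumptions: one JSON object per line with Shodan's ip_str/port/os/data
fields; the netblock and records are constructed, not a real hospital."""
import ipaddress
import json

# Hypothetical: the address space the hospital actually owns (RFC 5737 range).
OWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# End-of-life operating systems: no patches, and ready-made exploits are
# listed next to the host (slide 24).
EOL_OS = ("Windows Server 2003", "Windows XP", "Windows 2000")

# Services that should never be reachable from the Internet, keyed by their
# IANA-registered ports (HL7 MLLP is 2575, DICOM is 104).
EXPOSED_PORTS = {
    137: "NetBIOS name service", 139: "NetBIOS session", 445: "SMB",
    3389: "RDP", 2575: "HL7 MLLP (cleartext)", 104: "DICOM",
}

SEVERITY = {"critical": 0, "high": 1, "medium": 2}


def triage(record: dict) -> list:
    """Findings for one exported service record, as (severity, message)."""
    ip = ipaddress.ip_address(record["ip_str"])
    if not any(ip in net for net in OWN_NETS):
        return []                       # somebody else's host; not our exposure
    port = record.get("port")
    where = f"{ip}:{port}"
    findings = []
    os_name = record.get("os") or ""
    if any(eol.lower() in os_name.lower() for eol in EOL_OS):
        findings.append(("critical", f"{where} end-of-life OS: {os_name}"))
    if port in EXPOSED_PORTS:
        findings.append(("high", f"{where} {EXPOSED_PORTS[port]} exposed"))
    # Heuristic: an FTP banner mentioning 'anonymous' followed by a 230 reply
    # means the scanner's anonymous login was accepted.
    banner = (record.get("data") or "").lower()
    lines = banner.replace("\r", "").split("\n")
    if port == 21 and "anonymous" in banner and any(l.startswith("230 ") for l in lines):
        findings.append(("high", f"{where} anonymous FTP login accepted"))
    return findings


def summarize(export_lines: str) -> list:
    """Parse a JSON-lines export and return all findings, worst first."""
    findings = []
    for line in export_lines.splitlines():
        if line.strip():
            findings.extend(triage(json.loads(line)))
    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1]))


# Constructed export records, not real Shodan data.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"ip_str": "203.0.113.10", "port": 139, "os": "Windows Server 2003",
     "data": "NetBIOS Response\nServerName: EMR-DB01\n"},
    {"ip_str": "203.0.113.20", "port": 21, "os": None,
     "data": "220 FTP server ready\r\n230 Anonymous access granted\r\n"},
    {"ip_str": "203.0.113.30", "port": 2575, "os": None, "data": ""},
    {"ip_str": "203.0.113.40", "port": 443, "os": None,
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"},
    {"ip_str": "198.51.100.5", "port": 445, "os": "Windows Server 2003",
     "data": "SMB"},   # outside OWN_NETS: ignored
])

if __name__ == "__main__":
    for severity, message in summarize(SAMPLE_EXPORT):
        print(f"[{severity}] {message}")
```

Run it on a scheduled basis against a fresh export and diff the output: a new line is a change in your perimeter that happened without a change request, which is exactly the "attacks go beyond your audits and process" point from slide 47.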
64. Thank you
Minatee Mishra
Michael Mc Neil
Ben Kokx
Jiggyasu Sharma
Sanjog Panda
Pardhiv Reddy
Ajay Pratap Singh
Neelesh Swami
Archita Aparichita
Sagar Popat
Narendra Makkena
Kartik Lalan
Pratap Chandra
Ashish Shroff
Swaroop Yermalkar
This is a chain of hospitals in India and Indonesia.
One of the hospital names that was too generic.
This is just a general observation: some hospitals do have sophisticated environments, but the majority do not.
The focus here is more on ease of setup and maintenance than on having a secure setup in place.
An arbitrary search on one of the biggest EMR solution providers.
Showing NetBIOS exposed.
Anonymous login successful.
Now if you go to Shodan and search for this vendor with the filter set to Windows Server 2003, you get an EMR!
Compared with an IoT device, but with much greater capacity, these RTOS devices run a dedicated program and usually do not run an off-the-shelf OS.