
Upload: cysinfo-cyber-security-community

Post on 16-Apr-2017

53 views

Category:

Technology


0 download

TRANSCRIPT

Page 1: Breaking into hospitals

Breaking into Hospitals

Disclaimer: All the views / data presented are my own and do not reflect the opinions of my employer.

-- Anirudh Duggal

Page 2: Breaking into hospitals

About me
• Senior software engineer with Royal Philips
• Speaker at Cocon, HITCON, Ground Zero, Nullcon
• Hack anything
• Sustainability enthusiast
• Play guitar in free time

Page 3: Breaking into hospitals

Menu!
• Hospitals
• Why attack hospitals?
• Infrastructure inside a hospital
• A reality check
• Indian perspective
• Changing threat scenario

Page 4: Breaking into hospitals

Hospital
• A hospital is a health care institution providing patient treatment with specialized staff and equipment. -- wiki

Page 5: Breaking into hospitals

Why Hospitals?
• Cyber war / Terrorism?
• Privacy
• Financial – a medical record fetches 8x of a credit card record
• Physical?

Page 6: Breaking into hospitals
Page 7: Breaking into hospitals

Infrastructure inside a hospital

Page 8: Breaking into hospitals

Range of devices

Cost: Rs 250 115 (50% off). Fits in pocket.

Cost: can reach up to 3 million $. Size: about the size of a truck (don’t ask the weight ;) ).

Page 9: Breaking into hospitals

And the memory

A hospital data center…

A simple DIY device

Page 10: Breaking into hospitals

And……….
• Patient monitors
• Insulin monitors
• Pacemakers
• Heart rate devices
• “smart bands”
• Home monitoring solutions

Page 11: Breaking into hospitals

And……….

Page 12: Breaking into hospitals

Healthcare centers and hospitals (network diagram on the slide)

Nodes shown: HVAC system, lighting system, hospital servers, waste management systems, medical devices, hospital computers, monitoring devices, tablets / phones, water controls, security systems, NAT / bridged network, intranet, Internet, other hospitals, vendor servers, vendor “service portals”.

Page 13: Breaking into hospitals

Really? (the same diagram, now with guests and the Internet among the nodes)

Nodes shown: HVAC system, lighting system, hospital servers, waste management systems, medical devices, hospital computers, monitoring devices, tablets / phones, water controls, “service portals”, security systems, guests, Internet.

Page 14: Breaking into hospitals

So where’s the problem?
• The infrastructure is not supposed to be “public”
• Most of this infrastructure is not prepared to be public

Page 15: Breaking into hospitals

Attack Scenario
• Outsider attacks -> fingerprinting and attacking hospitals
  – Name, medical equipment, EMR systems, HVAC systems, control systems, routers, security systems
• Insider attacks – network and medical devices
  – Public vs private networks, finding HL7 implementations
  – Finding obsolete hardware / software

Page 16: Breaking into hospitals

A reality check
• As an attacker I:
  – Found 2000+ vulnerable hospital servers
  – Found 200+ hospitals from major hospital chains
  – Found HVAC controls
  – Discovered many entry points in each of them
  – Am updating the number of live EMR systems I found
  – Still finding lots of hospitals and healthcare devices and solutions…

Page 17: Breaking into hospitals

Indian perspective as an attacker
• Found many major hospitals (40+)
• Was able to fingerprint major hospital chains
• Found FTP, Telnet, IIS instances (unprotected)
• Found suspicious activity
• Found hospital networks have open Wi-Fi connections, e.g. hospital admin and hospital networks
• Need security now!

Page 18: Breaking into hospitals

Outsider attacks
• Recon using Shodan

Page 19: Breaking into hospitals
Page 20: Breaking into hospitals

On the basis of EMR solutions

Page 21: Breaking into hospitals

Fingerprinting chains of hospitals

Page 22: Breaking into hospitals
Page 23: Breaking into hospitals

Infrastructure – besides medical devices

Page 24: Breaking into hospitals
Page 25: Breaking into hospitals

Unknown hospitals

Page 26: Breaking into hospitals

Insider attacks
• WiFi networks – guests
• Stealing information from employees – privacy
• Evil staff – using existing infrastructure to launch attacks
• HL7 and FHIR

Page 27: Breaking into hospitals

Medical devices

Page 28: Breaking into hospitals

Potential entry points
• Wifi / LAN
• Serial ports
• USB – firmware
• The sensors
• Keyboard / mouse
• Firewire
• Protocols

Page 29: Breaking into hospitals

What is HL7?
• Health Level 7 standards
• Most popular in healthcare devices (HL7 2.x)
• Quite old – designed in 1989
• FHIR is the next gen

Page 30: Breaking into hospitals

HL7 2.x
• Most popular HL7 version
• New messages / fields added

Page 31: Breaking into hospitals

HL7 2.x

HL7

Page 32: Breaking into hospitals

Things to know
• | is the field delimiter (an empty field shows up as ||)
• MSH – message header segment
• The standards define the messages – not the implementation

Page 33: Breaking into hospitals

An HL7 message (one segment per line; on the wire each segment ends with a carriage return)

MSH|^~\&||STI SQESERV3|||||ORU^R01|HP1304538180456|P|2.3||||||8859/1
PID|||MRN-3M31^^^^MR~Encounter-3M31FF^^^^VN~AlternatiFF-3M31^^^^U||3M31LastUpdate^Test-FirstUpdate^Middle-Update||19330808|F
PV1||I|OR^^OR9&0&0||||||||||||||||Encounter-3M31FF
OBR|||||||20110504154300
OBX||TX|6^Soft Inop^MDIL-ALERT|1|ALL ARRH ALRMS OFF||||||F
OBX||ST|0002-d006^EctSta^MDIL|0|""||||||F
OBX||ST|0002-d007^RhySta^MDIL|0|SV Rhythm||||||F
OBX||NM|0002-4bb8^SpO2^MDIL|0|100|0004-0220^%^MDIL|||||F
OBX||NM|0002-0302^ST-II^MDIL|0|-1.0|0004-0512^mm^MDIL|||||F
OBX||NM|0002-0304^ST-V2^MDIL|0|0.6|0004-0512^mm^MDIL|||||F
OBX||NM|0002-f125^pNN50^MDIL|0|0.00|0004-0220^%^MDIL|||||F
OBX||NM|0002-4182^HR^MDIL|0|80|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-4a15^ABPs^MDIL|0|120|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-4a16^ABPd^MDIL|0|70|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-4a17^ABPm^MDIL|0|91|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-4261^PVC^MDIL|0|0|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-5012^awRR^MDIL|0|25|0004-0ae0^rpm^MDIL|||||F
OBX||NM|0002-e014^Tblood^MDIL|0|37.0|0004-17a0^°C^MDIL|||||F
OBX||NM|0002-4822^Pulse^MDIL|0|60|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-50b0^etCO2^MDIL|0|40|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-50ba^imCO2^MDIL|0|0|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-f0c7^T1^MDIL|0|40.0|0004-17a0^°C^MDIL|||||F
OBX||NM|0002-f081^SD NN^MDIL|0|0.00|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-f03d^STindx^MDIL|0|3.5|0004-0512^mm^MDIL|||||F
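A minimal parser for messages of this shape, added here as an example and not code from the talk. It takes the delimiters from MSH-1/MSH-2 instead of hard-coding them (the standard defines the message, not the implementation), pulls the message type, patient identifiers and OBX observations out of a shortened copy of the slide's sample, and blanks the PID fields so a message can be logged without its cleartext identifiers, name and date of birth.

```python
# Minimal HL7 v2.x parser, added as an example (not code from the talk). Delimiters
# come from MSH-1/MSH-2 rather than being hard-coded; it extracts what the slides
# point at (message type, patient identifiers, OBX observations) and redacts PID.

# Shortened copy of the slide's sample message. HL7 v2 ends each segment with \r.
SAMPLE = "\r".join([
    r"MSH|^~\&||STI SQESERV3|||||ORU^R01|HP1304538180456|P|2.3||||||8859/1",
    "PID|||MRN-3M31^^^^MR~Encounter-3M31FF^^^^VN||3M31LastUpdate^Test-FirstUpdate||19330808|F",
    "OBX||TX|6^Soft Inop^MDIL-ALERT|1|ALL ARRH ALRMS OFF||||||F",
    "OBX||NM|0002-4182^HR^MDIL|0|80|0004-0aa0^bpm^MDIL|||||F",
    "OBX||NM|0002-4a15^ABPs^MDIL|0|120|0004-0f20^mmHg^MDIL|||||F",
])

def split_segments(raw):
    """Segments end with \\r; \\n is accepted too for copy-pasted samples."""
    segs = [s for s in raw.replace("\r\n", "\r").replace("\n", "\r").split("\r") if s]
    if not segs or not segs[0].startswith("MSH") or len(segs[0]) < 8:
        raise ValueError("HL7 v2 message must begin with a complete MSH segment")
    return segs

def parse_hl7(raw):
    segments = split_segments(raw)
    fsep, csep, rsep = segments[0][3], segments[0][4], segments[0][5]  # MSH-1 '|', MSH-2 '^' '~'
    msh = segments[0].split(fsep)  # in MSH, index 8 is MSH-9 because MSH-1 is the separator itself
    result = {"message_type": msh[8], "control_id": msh[9], "version": msh[11],
              "patient_ids": [], "observations": []}
    for seg in segments[1:]:
        f = seg.split(fsep)  # for other segments, index i is field SEG-i
        if f[0] == "PID" and len(f) > 3:
            for rep in f[3].split(rsep):  # PID-3 repeats: id^^^^type
                comps = rep.split(csep)
                result["patient_ids"].append((comps[0], comps[4] if len(comps) > 4 else ""))
        elif f[0] == "OBX" and len(f) > 5:
            name = f[3].split(csep)[1]  # OBX-3 is code^name^coding-system
            unit = f[6].split(csep)[1] if len(f) > 6 and csep in f[6] else ""
            result["observations"].append((name, f[5], unit))  # OBX-5 is the value
    return result

def redact_pid(raw):
    """Blank PID-3 (identifiers), PID-5 (name) and PID-7 (date of birth) before logging."""
    segments = split_segments(raw)
    fsep = segments[0][3]
    out = []
    for seg in segments:
        f = seg.split(fsep)
        if f[0] == "PID":
            f = [("[REDACTED]" if i in (3, 5, 7) else v) for i, v in enumerate(f)]
        out.append(fsep.join(f))
    return "\r".join(out)
```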

Page 34: Breaking into hospitals


Page 35: Breaking into hospitals

Highlighted in the message above: the patient identifier, the message type and HL7 identifier, and the message fields.

Page 36: Breaking into hospitals

Demo Time!

Page 37: Breaking into hospitals

FHIR
• FHIR is a new specification based on emerging industry approaches, but informed by years of lessons around requirements, successes and challenges gained through defining and implementing HL7 v2, HL7 v3 and the RIM, and CDA.
• REST based

Page 38: Breaking into hospitals

Sample FHIR request

{ "resourceType": "Query", "text": { "status": "generated", "div": "<div>[Put rendering here]</div>" }, "identifier": "urn:uuid:42b253f5-fa17-40d0-8da5-44aeb4230376", "parameter": [ { "url": "http://hl7.org/fhir/query#_query", "valueString": "example" } ]}

Page 39: Breaking into hospitals

Applications

Page 40: Breaking into hospitals

New threat landscape
• BYOD
• Cloud based attacks
• Targeted attacks

Page 41: Breaking into hospitals

Thank you: Minatee Mishra, Michael Mc Neil, Ben Kokx, Jiggyasu Sharma, Sanjog Panda, Pardhiv Reddy, Ajay Pratap Singh, Neelesh Swami, Geethu Aravind, Archita Aparichita, Sagar Popat

Page 42: Breaking into hospitals

Questions?

Page 43: Breaking into hospitals

Thank you