breaking into hospitals
TRANSCRIPT
Breaking into Hospitals
Disclaimer: All the views / data presented are my own and do not reflect the opinions of my employer.
-- Anirudh Duggal
About me
• Senior software engineer with Royal Philips
• Speaker at Cocon, HITCON, Ground Zero, Nullcon
• Hack anything
• Sustainability enthusiast
• Play guitar in free time
Menu!
• Hospitals
• Why attack hospitals?
• Infrastructure inside a hospital
• A reality check
• Indian perspective
• Changing threat scenario
Hospital
• A hospital is a health care institution providing patient treatment with specialized staff and equipment. -- wiki
Why Hospitals?
• Cyber war / Terrorism?
• Privacy
• Financial – a medical record fetches 8x of a credit card record
• Physical?
Infrastructure inside a hospital
Range of devices
Cost: Rs 250, 115 (50% off)
Fits in pocket
Cost: can reach up to 3 million $
Size: about the size of a truck (don’t ask the weight ;) )
And the memory
A hospital data center…
A simple DIY device
And……….
• Patient monitors
• Insulin monitors
• Pacemakers
• Heart rate devices
• “smart bands”
• Home monitoring solutions
And……….
Healthcare centers and hospitals (network diagram on the slide): HVAC system, lighting system, hospital servers, waste management systems, medical devices, hospital computers, monitoring devices, tablets / phones, water controls and security systems, all on a NAT / bridged network that also reaches vendor servers and “service portals”, other hospitals, the intranet and the Internet.
Really? (the same diagram, redrawn): HVAC system, lighting system, hospital servers, waste management systems, medical devices, hospital computers, monitoring devices, tablets / phones, water controls, “service portals”, security systems, guests, Internet.
So where’s the problem?
• The infrastructure is not supposed to be “public”
• Most of this infrastructure is not prepared to be public
Attack Scenario
• Outsider attacks -> fingerprinting and attacking hospitals: name, medical equipment, EMR systems, HVAC systems, control systems, routers, security systems
• Insider attacks – network and medical devices: public vs private networks, finding HL7 implementations, finding obsolete hardware / software
A reality check
• As an attacker I:
Found 2000+ vulnerable hospital servers
Found 200+ hospitals from major hospital chains
Found HVAC controls
Discovered many entry points in each of them
Am updating the number of live EMR systems I found
Still finding lots of hospitals and healthcare devices and solutions…
Indian perspective as an attacker
• Found many major hospitals (40+)
• Was able to fingerprint major hospital chains
• Found FTP, Telnet, IIS instances (unprotected)
• Found suspicious activity
• Found hospital networks have open Wi-Fi connections, e.g. hospital admin and hospital networks
• Need security now!
Outsider attacks
• Recon using Shodan
• On the basis of EMR solutions
• Fingerprinting chains of hospitals
• Infrastructure – besides medical devices
• Unknown hospitals
Insider attacks
• WiFi networks – guests
• Stealing information from employees – privacy
• Evil staff – using existing infrastructure to launch attacks
• HL7 and FHIR
Medical devices
Potential entry points
• Wifi / LAN
• Serial ports
• USB – firmware
• The sensors
• Keyboard / mouse
• Firewire
• Protocols
What is HL7?
• Health Level standards
• Most popular in healthcare devices (HL7 2.x)
• Quite old – designed in 1989
• FHIR is the next gen
HL7 2.x
• Most popular HL7 version
• New messages / fields added
Things to know
• | is a delimiter / field separator
• MSH – message header segment
• The standards define the messages – not the implementation
An HL7 message (one segment per line; the slide showed the segments run together):
MSH|^~\&||STI SQESERV3|||||ORU^R01|HP1304538180456|P|2.3||||||8859/1
PID|||MRN-3M31^^^^MR~Encounter-3M31FF^^^^VN~AlternatiFF-3M31^^^^U||3M31LastUpdate^Test-FirstUpdate^Middle-Update||19330808|F
PV1||I|OR^^OR9&0&0||||||||||||||||Encounter-3M31FF
OBR|||||||20110504154300
OBX||TX|6^Soft Inop^MDIL-ALERT|1|ALL ARRH ALRMS OFF||||||F
OBX||ST|0002-d006^EctSta^MDIL|0|""||||||F
OBX||ST|0002-d007^RhySta^MDIL|0|SV Rhythm||||||F
OBX||NM|0002-4bb8^SpO2^MDIL|0|100|0004-0220^%^MDIL|||||F
OBX||NM|0002-0302^ST-II^MDIL|0|-1.0|0004-0512^mm^MDIL|||||F
OBX||NM|0002-0304^ST-V2^MDIL|0|0.6|0004-0512^mm^MDIL|||||F
OBX||NM|0002-f125^pNN50^MDIL|0|0.00|0004-0220^%^MDIL|||||F
OBX||NM|0002-4182^HR^MDIL|0|80|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-4a15^ABPs^MDIL|0|120|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-4a16^ABPd^MDIL|0|70|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-4a17^ABPm^MDIL|0|91|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-4261^PVC^MDIL|0|0|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-5012^awRR^MDIL|0|25|0004-0ae0^rpm^MDIL|||||F
OBX||NM|0002-e014^Tblood^MDIL|0|37.0|0004-17a0^°C^MDIL|||||F
OBX||NM|0002-4822^Pulse^MDIL|0|60|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-50b0^etCO2^MDIL|0|40|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-50ba^imCO2^MDIL|0|0|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-f0c7^T1^MDIL|0|40.0|0004-17a0^°C^MDIL|||||F
OBX||NM|0002-f081^SD NN^MDIL|0|0.00|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-f03d^STindx^MDIL|0|3.5|0004-0512^mm^MDIL|||||F
Callouts on the message above:
• Patient identifier
• Message type and HL7 identifier
• Message fields
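As an added example (not code from the talk, the speaker or Philips), the following Python parser handles the message above the way a receiving endpoint should: it reads the delimiters the MSH segment declares rather than assuming them, pulls out the message type and version (MSH-9, MSH-12), the patient identifier list (PID-3) and the OBX observations, applies a few input checks before the message is trusted, and produces a log line in which the MRN is replaced by a salted hash so logs do not leak the record the talk says is worth 8x a credit card. The sample message is a constructed copy of the one on the slide with segments separated by carriage returns, and the accepted version list and the salt value are placeholder assumptions.

```python
"""HL7 v2.x parsing, sanity checks and PHI-safe logging (added example)."""
import hashlib
import re

# Constructed sample: the ORU^R01 message from the slide, segments on separate
# lines (HL7 v2 separates segments with a carriage return).
SAMPLE_MESSAGE = "\r".join([
    r"MSH|^~\&||STI SQESERV3|||||ORU^R01|HP1304538180456|P|2.3||||||8859/1",
    "PID|||MRN-3M31^^^^MR~Encounter-3M31FF^^^^VN~AlternatiFF-3M31^^^^U"
    "||3M31LastUpdate^Test-FirstUpdate^Middle-Update||19330808|F",
    "PV1||I|OR^^OR9&0&0||||||||||||||||Encounter-3M31FF",
    "OBR|||||||20110504154300",
    "OBX||TX|6^Soft Inop^MDIL-ALERT|1|ALL ARRH ALRMS OFF||||||F",
    "OBX||NM|0002-4bb8^SpO2^MDIL|0|100|0004-0220^%^MDIL|||||F",
    "OBX||NM|0002-4182^HR^MDIL|0|80|0004-0aa0^bpm^MDIL|||||F",
    "OBX||NM|0002-e014^Tblood^MDIL|0|37.0|0004-17a0^°C^MDIL|||||F",
])


def parse_hl7(raw):
    """Split a v2.x message into segments and fields using the delimiters the
    message itself declares: MSH-1 (the byte after 'MSH') is the field
    separator, MSH-2 gives component, repetition, escape and subcomponent."""
    if not raw.startswith("MSH") or len(raw) < 8:
        raise ValueError("not an HL7 v2 message: MSH segment missing")
    field_sep, comp_sep, rep_sep = raw[3], raw[4], raw[5]
    segments = []
    for seg in re.split(r"\r\n|\r|\n", raw):
        if not seg:
            continue
        fields = seg.split(field_sep)
        if fields[0] == "MSH":
            # MSH-1 is the separator itself; re-inserting it keeps fields[n] == MSH-n
            fields = ["MSH", field_sep] + fields[1:]
        segments.append(fields)
    return {"comp_sep": comp_sep, "rep_sep": rep_sep, "segments": segments}


def field(fields, n, comp=None, comp_sep="^"):
    """Field n of a segment (1-based HL7 numbering), optionally component comp."""
    value = fields[n] if n < len(fields) else ""
    if comp is None:
        return value
    comps = value.split(comp_sep)
    return comps[comp - 1] if comp - 1 < len(comps) else ""


def summarize(msg):
    """Extract what the slide callouts point at: message type/version (MSH),
    the patient identifier list (PID-3) and the observations (OBX)."""
    first = {}
    for fields in msg["segments"]:
        first.setdefault(fields[0], fields)  # first segment of each type
    msh, pid = first["MSH"], first.get("PID", ["PID"])
    patient_ids = []
    for rep in field(pid, 3).split(msg["rep_sep"]):  # CX.1 = id, CX.5 = id type
        if rep:
            comps = rep.split(msg["comp_sep"])
            patient_ids.append({"id": comps[0], "type": comps[4] if len(comps) > 4 else ""})
    observations = [
        {"name": field(f, 3, 2, msg["comp_sep"]), "value_type": field(f, 2),
         "value": field(f, 5), "units": field(f, 6, 2, msg["comp_sep"]),
         "status": field(f, 11)}
        for f in msg["segments"] if f[0] == "OBX"
    ]
    return {"message_type": field(msh, 9), "version": field(msh, 12),
            "control_id": field(msh, 10), "sending_facility": field(msh, 4),
            "patient_ids": patient_ids, "patient_name": field(pid, 5),
            "observations": observations}


def check_message(summary, accepted_versions=("2.3", "2.5")):
    """Checks a listener should make before acting on a message (the accepted
    version list is an assumption for this example)."""
    problems = []
    if summary["version"] not in accepted_versions:
        problems.append(f"unsupported HL7 version {summary['version']!r}")
    if not summary["message_type"].startswith("ORU^"):
        problems.append(f"unexpected message type {summary['message_type']!r}")
    if not summary["control_id"]:
        problems.append("missing MSH-10 control id (cannot ACK or de-duplicate)")
    for o in summary["observations"]:
        if o["value_type"] == "NM":
            try:
                float(o["value"])
            except ValueError:
                problems.append(f"non-numeric NM value for {o['name']}: {o['value']!r}")
    return problems


def log_line(summary, salt="PLACEHOLDER-deployment-secret"):
    """Log summary with the MRN replaced by a salted hash: messages for the same
    patient still correlate, but the log holds neither MRN nor name."""
    mrn = next((i["id"] for i in summary["patient_ids"] if i["type"] == "MR"), "")
    tag = hashlib.sha256((salt + mrn).encode("utf-8")).hexdigest()[:12]
    vitals = ", ".join(f"{o['name']}={o['value']}{o['units']}"
                       for o in summary["observations"] if o["value_type"] == "NM")
    return (f"{summary['message_type']} v{summary['version']} "
            f"ctl={summary['control_id']} patient={tag} {vitals}")


if __name__ == "__main__":
    s = summarize(parse_hl7(SAMPLE_MESSAGE))
    print(check_message(s) or "message passes checks")
    print(log_line(s))
```

The parser deliberately does not hard-code `|` and `^`: the delimiters are part of each message, and a device that sends different ones is still valid HL7, which is one reason the slide stresses that the standard defines messages, not implementations.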
Demo Time!
FHIR
• FHIR is a new specification based on emerging industry approaches, but informed by years of lessons around requirements, successes and challenges gained through defining and implementing HL7 v2, HL7 v3 and the RIM, and CDA.
• REST based
Sample FHIR request
{
  "resourceType": "Query",
  "text": {
    "status": "generated",
    "div": "<div>[Put rendering here]</div>"
  },
  "identifier": "urn:uuid:42b253f5-fa17-40d0-8da5-44aeb4230376",
  "parameter": [
    {
      "url": "http://hl7.org/fhir/query#_query",
      "valueString": "example"
    }
  ]
}
Applications
New threat landscape
• BYOD
• Cloud based attacks
• Targeted attacks
Thank you
Minatee Mishra, Michael Mc Neil, Ben Kokx, Jiggyasu Sharma, Sanjog Panda, Pardhiv Reddy, Ajay Pratap Singh, Neelesh Swami, Geethu Aravind, Archita Aparichita, Sagar Popat
Questions?
Thank you