Breaking into Hospitals

Disclaimer: All the views / data presented are my own and do not reflect the opinions of my employer.

-- Anirudh Duggal

About me • Senior software engineer with Royal Philips• Speaker at Cocon, HITCON, Ground Zero, Nullcon• Hack anything• Sustainability enthusiast• Play guitar in free time

Menu!• Hospitals• Why attack hospitals?• Infrastructure inside a hospital• A reality check• Indian perspective • Changing threat scenario

Hospital• A hospital is a health care institution providing patient treatment with

specialized staff and equipment.-- wiki

Why Hospitals?• Cyber war / Terrorism?• Privacy • Financial – a medical record fetches 8x of a credit card record • Physical?

Infrastructure inside a hospital

Range of devices

Cost: Rs 250 115 (50% off)Fits in pocket

Cost: can reach up to 3 million $Size: about the size of a truck (don’t ask the weight ;) )

And the memory

A hospital data center…

A simple DIY device

And……….• Patient monitors• Insulin monitors• Pacemakers• Heart rate devices• “smart bands”• Home monitoring solutions

And……….

Healthcare centers and hospitals

HVAC system

Lighting system

Hospital servers

Waste management

systemsMedical devices

Hospital computers

Monitoring devices

Tablets / phones

Water controls

NAT / Bridged network

Other hospitals Vendor servers

“service portals”

Vendor servers

Intranet

Internet

Security systems

Really?

HVAC system

Lighting system

Hospital servers

Waste management

systemsMedical devices

Hospital computers

Monitoring devices

Tablets / phones

Water controls “service

portals”Security systems

guests

Internet

So where’s the problem?• The infrastructure is not supposed to be “public”• Most of this infrastructure is not prepared to be Public

Attack Scenario• Outsider attacks -> fingerprinting and attacking hospitals• Name, medical equipment, EMR systems, HVAC systems, control systems,

routers, security systems

• Insider attacks – network and medical devices• Public vs private networks, finding HL7 implementations, • Finding obsolete hardware / software

A reality check• As an attacker i

Found 2000+ vulnerable hospital serversFound 200+ hospitals from major hospital chainsFound HVAC controls Discovered many entry points in each of themAm updating the number of live EMR systems I foundStill findings lots of hospitals and healthcare devices and solutions…

Indian perspective as an attacker • Found many major hospitals (40+)• Was able to fingerprint major hospital chains• Found FTP, Telnet, IIS instances (unprotected)• Found suspicious activity• Found hospital networks have open Wi-Fi Connections e.g. Hospital admin and hospital networks• Need security now!

Outsider attacks• Recon using shodan

On the basis of EMR solutions

Fingerprinting chains of hospitals

Infrastructure – besides medical devices

Unknown hospitals

Insider attacks• WiFi networks – guests• Stealing information from employees– privacy • Evil staff – using existing infrastructure to launch attacks• HL7 and FHIR

Medical devices

Potential entry points• Wifi / Lan• Serial ports • USB - Firmware • The sensors • Keyboard / mouse • Firewire• Protocols

Demo Time!

New threat landscape• BYOD• Cloud Based attacks• Targeted attacks

Thank you Minatee Mishra Michael Mc NeilBen Kokx Jiggyasu SharmaSanjog Panda Pardhiv ReddyAjay Pratap Singh Neelesh SwamiGeethu Aravind Archita AparichitaSagar Popat

Questions?

Thank you