
Don't Be a HIPAACrite

BSides Denver · 2020 · 56:32 · 24 views · Published 2020-10 · Watch on YouTube ↗
About this talk
A war-story-driven exploration of security failures in healthcare IT environments, from unprotected patient data on medical devices to social engineering for credentials and database breaches. The talk covers common healthcare attack surfaces (HL7, weak defaults, EHR vulnerabilities), HIPAA compliance challenges, and practical defensive strategies for both red and blue teams assessing healthcare organizations.
Original YouTube description
I've seen patient data in medical devices that lacked authentication, portrayed a medical doctor to dupe a help desk into handing over credentials (and vice versa), gained domain admin in 10 minutes (thank you, defaults), and took down an EHR with a percentage sign (sorry!).

Healthcare IT Overview
The issues:
- HL7 - MITM'ers Heaven
- Healthcare Defaults and Other Security Issues
- OCR Breach Portal and HIPAA Breach Notification Rule
- My HIPAA Pentest Methodology
What can we do about it?
- HIPAA & HITRUST
- FHIR (HL7 replacement)
- InfoSec Best Practices

This talk will be full of stories, memes, and screenshots portraying cybersecurity issues affecting healthcare environments. I will discuss what I see as root causes and talk about attempts to mitigate these issues. The attendees will leave the talk with a better understanding of healthcare security issues and ideas to combat these issues head-on.
Transcript [en]

Right, so as was mentioned, I go by Q. I'd like to say "just say awesome", but that's gotten old, so I just go with Q, not because of James Bond or anything; somebody started saying it and it stuck, and I just stuck with it. So I'm talking about "Don't Be a HIPAAcrite". I've got stickers that say that, but too bad we are doing this remote, otherwise I would have brought them. Maybe one day I'll see you all and hand you some stickers. The idea here is to talk about some of the issues in healthcare security that blue and red teams will benefit from knowing, and from figuring out ways to combat those issues. I'm not trying to bash healthcare IT, and I'm not trying to just talk about all the wins. Instead, the talk I'm trying to give is to inform the blue and red team: how can you pwn a healthcare organization, and on the other hand, if you're a blue teamer, what to look for.

All right, so let's move on to who am I. Well, like I mentioned, I go with Q. I used to work at Coalfire Labs, not as of yesterday; free agent now. I'm not going to do "wink wink", hard to see that with these glasses. I've been largely focused on healthcare clients, be it small to large healthcare organizations, be it health plan providers. I started my professional career as a systems engineer at Cerner, which is a pretty big healthcare software company, and did some HIPAA and HITRUST assessments, where I learned more about Microsoft Excel than I learned about HIPAA and HITRUST. I learned that Excel is really the tool of choice in that. And that's my Twitter handle. I talk a lot about politics, complain a lot, so you might not learn a lot about security just by following me, but if you want to just hear somebody complain, it's right there.

All right, so before I talk about the issues, I want to introduce what that healthcare IT environment looks like. Most commonly, what you see in healthcare environments: you are going to have the EHR database, the electronic health record database, which is the source of truth for all healthcare data. That's where everything is going and that's where everything is coming from. You have the billing, reporting, scheduling, charting servers that are doing all the metrics, that are showing all the data to clinicians, to the folks who are sending you that $50,000 bill for just one pill; they're all using that and pulling it from that EHR database. It's not always just one database, because HIPAA requires you to have the archived data for a while, and then there are some other contractual requirements, and it's just good practice to not forget who your patients were five years ago. A lot of organizations are going to have all the old EHR databases as they move to different electronic health records: go from Cerner to Epic, from Epic to McKesson, from McKesson to eClinicalWorks or whatnot. You will see those old applications and the databases related to them still in the environment. A lot of times it's Oracle or MS SQL; MySQL has started to become quite common. I know iBus, which I used to support, uses MySQL for that.

Then you'll see some connectivity engines. These could be Microsoft Windows servers, these could be small Ubuntu devices. What they're doing is facilitating the conversation between the medical devices, be it your smart beds, your ventilators, the bedside devices, and the reporting apps and the EHR database. A lot of that conversation is HL7-encoded; we'll talk about that later, but what it means is using HL7 encoding to make sure that other apps, other databases can understand what's being sent and received. Oftentimes it may be encrypted over HTTPS, but more often than not it will be unencrypted.

Then you've got the outsiders, right, your third parties that you're working with. It could be the university medical center working with the university or the research center; it could be through a third party like an EMR vendor, Cerner for example. When I used to work at the data center, we hosted the data for about 20% of the hospitals in the US, so a lot of that was done through the tunnels and the WAN connections and whatnot. You have remote users; nowadays with COVID a lot of doctors and clinicians have gone to work remotely. Then you have patients logging into their patient portals that are sitting outside that EHR database, sitting outside that internal network, to provide the output from the EHR database. In there you have internal users and admins working with that environment, working with those devices, with the databases and whatnot. You may also have what I like to call lack of segregation; well, everybody calls it that. So there's a lack of segregation in there between the internal admins, the patient portal and other devices, and that's pretty common. A lot of organizations are still trying to figure out where their medical devices are, because a lot of those medical devices are connected to your network, be it through wireless, oftentimes Wi-Fi, be it through wired networking, or Bluetooth oftentimes. So a lot of them are still trying to figure out where those devices are so they can segregate them, and we'll talk later about how that comes into play when you're doing pen testing.

So this is kind of the overall view, and there's a lot of unencrypted communication in that network. Outside communication is very much encrypted nowadays. It may not be the cipher you like, it may not be the TLS version you like, it may not be the IKE version you like, but it's getting there and it's getting much better on the outside.

So I mentioned EHR. You hear two terms, EHR and EMR, electronic medical record versus electronic health record. The health record is going to be everybody: all the hospitals you've been to, all the care providers you've gone to, all the different tests you've gotten, right, so it's going to be a merger of all that, versus an EMR will likely be just one provider's office or one doctor. Think of EMR as like a paper chart, versus EHR includes more enriched data that can help, for example, even billing data and scheduling: which doctor you saw, which device you were connected to, which room you were in. This is Cerner PowerChart. Cerner, Epic, McKesson and NextGen are the big players that you'll hear a lot about; a lot of new ones are coming out too. A lot of the medical devices will likely have their own EHR; for example, GE MUSE has its own page where you can go and search for previous patients. A lot of times they're pulling this data, especially when it comes to radiology, where you're working with very large images; those oftentimes get stored on NFS shares or on Windows SMB shares. So that always comes up as an interesting thing to look at, to see what the level of authentication and access control is like for that, because we found NFS shares that just had no encryption at all. One of my colleagues recently found one where there were 13 billion patient records being dumped into this one NFS share without authentication, and that was because they had multiple EMRs, Cerner, Epic and a few others, and they were all just merging into one big database for archive. They just didn't realize that the NFS share was unencrypted.

All right, other things you'll hear. We talked about the connectivity engine, which really is your connection between the EHR and the medical devices, kind of like a temporary storage. It's taking the HL7-encoded data and making sure the database understands it, so all the devices are not directly sending things to the database, because that could be problematic, especially when you're trying to provide cross-platform or cross-vendor compatibility. The medical devices have two functions: you have the order and you have the result. "Order" and "result" was a lot of what I heard while doing my night shift at Cerner. Order really means the device is being told to do something, right: hey device, what's the patient's heart rate right now? It would sometimes have a patient ID. What a lot of organizations are going with nowadays is an association ID, so instead of seeing in the database an ID specific to that patient, you will see an ID specific to the association of that patient with that device during that time. So if I visited a local hospital, every time I visit and they put me on a device, for whatever reason, it will create that association, that encounter, and it will have its own record. You then have to cross-reference that with another database to find out my name, my ID, like medical record number, and other information. So if you were able to get your hands on the database that stored that medical record result and order, all you would generally, in an ideal world, see is what the heart rate was, which device it was, possibly which room it was, but not my name or my specific identifier.

A lot of lab robots are really just assembly lines. I've got a client, well, I used to have a client, running an MS-DOS robot. This device takes orders, sends them to the medical devices, sends the results back; it kind of functions like the middleman, middle person, assembly line, and it's running MS-DOS, and this is very recent. They just cannot replace it. The organization is very small, it's a nonprofit healthcare organization, and to replace that specific device would be $5 to $10 million that they don't have. So they've put in contingencies, they've put in compensating controls around it, like isolating it, to avoid and mitigate any risks. And we already talked about EMRs and EHRs in there, so I'm going to skip that.

So a lot of jargon in there. Let's talk about where the goods are. All right, and if you don't know where the picture is from, if you guessed the Freddie Mercury movie, that's also good, but yeah, you should know what that is. Anyway, talking about HL7 earlier: I like to call it man-in-the-middler's heaven. That's because the data is being sent in plain text. You have encoding occurring that really is working to provide cross-organization, cross-device, cross-vendor compatibility; it's not working to help with the confidentiality of the data. It's somewhat helping with integrity, but that's more like error checking than really providing integrity at a security level. HL7 is still being used; there are a few versions of it, but it's still being used quite a bit. There is a new standard out that we'll talk about later, but that's not being used much at this point. Every device you'll see is likely using HL7, and you can run a Wireshark capture if you are positioned in a man-in-the-middle location, and you can see that traffic going back and forth.

Healthcare defaults: we're seeing a lot, especially that MUSE admin account, which is my favorite. You see me using MUSE admin in here to gain access. This has been out since, I believe, 2015; yeah, that's the CVE, and it was released at ShakaCon by Scott, and he did really good work on identifying defaults for GE devices. At this point we've collected defaults for a lot of different devices. Having worked at Cerner and other medical record companies, I collected some on my time working with them, but MUSE admin and MUSE background are the two accounts; if you are in healthcare IT, take a look at them.

Let me tell you a story. Working with a mid-sized healthcare organization, a few hundred beds, we got domain admin in 10 minutes. The path started by typing the MUSE admin credentials into their Citrix endpoint; it had Citrix access, apparently the radiology device needs to work from home at some point. Got in from there, identified a Windows server that had a name with something to do with MUSE. MUSE admin, as the name suggests, is local admin on that box. That box was set up by IT, and at least the person who set it up had domain admin access. So within 10 minutes, we went from being external to gaining domain admin privilege. MUSE background, I'm seeing a lot of it, but not as much as MUSE admin, but these are definitely the credentials to know. There are a lot more credentials; there are credentials specific to Kronos, specific to Cerner, Epic. Just knowing them is very helpful, because oftentimes organizations aren't changing them. Now, don't just go and tell the organization that they are screwed and they have to change this right away. The reason I say that is oftentimes it's very difficult to change these credentials. This credential was put in 10 years ago, 15 years ago, and it's right now hardcoded in apps and in devices, and changing it could have patient health impacts; it could kill somebody if the device stops working and something bad happens. So as you're working with organizations to help them understand the risk associated with this default, do tell them this is pretty bad, but just being realistic, it's not going to be an overnight fix, especially when any medical devices are associated. So yeah, very commonly you've got MUSE admin with VPN or Citrix access, and it works almost every time, right?
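The HL7 passage above makes the point that the data on the wire is encoded for interoperability, not encrypted, so anyone positioned in the path reads it. The block below is an added example by the editor, not code from the talk or from any vendor: it unwraps one MLLP-framed HL7 v2 result message (a constructed sample; the facility, application, patient name and MRN in it are made up) and pulls out the fields a passive observer sees in the clear, with a small check a blue team could run over captured TCP payloads to spot MLLP/HL7 traffic.

```python
"""Read an MLLP-framed HL7 v2 message the way a passive observer on the wire
would.  Added example, not from the talk; the message below is constructed
by the editor and every name and identifier in it is made up."""
from __future__ import annotations

# MLLP wraps each HL7 message as <VT> payload <FS><CR>.
MLLP_START = b"\x0b"
MLLP_END = b"\x1c\x0d"

# Constructed ORU^R01 (observation result) from a bedside monitor to the EHR.
# HL7 v2 segments are separated by CR, fields by the MSH-1 character ('|').
SAMPLE_FRAME = (
    MLLP_START
    + b"MSH|^~\\&|MONITOR|GENHOSP|EHR|GENHOSP|20201010120000||ORU^R01|MSG0001|P|2.3\r"
    + b"PID|1||MRN123456^^^GENHOSP^MR||DOE^JANE^A||19800101|F\r"
    + b"OBR|1|||ECG^12-lead ECG\r"
    + b"OBX|1|NM|HR^Heart Rate||72|bpm|||||F\r"
    + MLLP_END
)


def looks_like_hl7(payload: bytes) -> bool:
    """Cheap detector for MLLP-framed HL7 v2 in a TCP payload."""
    return payload.startswith(MLLP_START + b"MSH") and payload.endswith(MLLP_END)


def unwrap_mllp(frame: bytes) -> str:
    """Strip the MLLP envelope; reject anything that is not a complete frame."""
    if not (frame.startswith(MLLP_START) and frame.endswith(MLLP_END)):
        raise ValueError("not a complete MLLP frame")
    return frame[len(MLLP_START):-len(MLLP_END)].decode("ascii")


def parse_hl7(message: str) -> dict[str, list[list[str]]]:
    """Split a message into {segment name: [field lists]}.

    The field separator is whatever follows 'MSH' (MSH-1); read it from the
    header instead of hardcoding '|', since senders may configure it.
    """
    segments = [s for s in message.split("\r") if s]
    if not segments or not segments[0].startswith("MSH"):
        raise ValueError("message does not begin with an MSH segment")
    field_sep = segments[0][3]
    parsed: dict[str, list[list[str]]] = {}
    for seg in segments:
        fields = seg.split(field_sep)
        parsed.setdefault(fields[0], []).append(fields)
    return parsed


def visible_phi(parsed: dict[str, list[list[str]]]) -> dict[str, str]:
    """Return the identifying fields a man-in-the-middle reads with no key.

    Index arithmetic: after splitting on the field separator, PID-n is
    fields[n].  MSH is special because MSH-1 is the separator itself, so
    fields[1] is MSH-2 (encoding chars), fields[2] is MSH-3 (sending app).
    """
    msh = parsed["MSH"][0]
    pid = parsed["PID"][0]
    obx = parsed["OBX"][0]
    component_sep = msh[1][0]                           # first encoding char, normally '^'
    family, given = pid[5].split(component_sep)[:2]     # PID-5 patient name
    return {
        "sending_app": msh[2],
        "sending_facility": msh[3],
        "mrn": pid[3].split(component_sep)[0],          # PID-3 patient ID list
        "patient_name": f"{given} {family}",
        "dob": pid[7],                                  # PID-7 date of birth
        "observation": obx[3].split(component_sep)[1],  # OBX-3 identifier text
        "value": f"{obx[5]} {obx[6]}",                  # OBX-5 value, OBX-6 units
    }


def sniff(frame: bytes) -> dict[str, str]:
    """End-to-end: detect, unwrap, parse, extract."""
    if not looks_like_hl7(frame):
        raise ValueError("payload is not MLLP-framed HL7")
    return visible_phi(parse_hl7(unwrap_mllp(frame)))


if __name__ == "__main__":
    for k, v in sniff(SAMPLE_FRAME).items():
        print(f"{k:>17}: {v}")
```

Nothing in the parse step needs a key or a session: the MSH header announces the separators, and the patient name, MRN, date of birth and the measured value sit in fixed field positions. The same `looks_like_hl7` check, applied to reassembled TCP streams, is enough to inventory which hosts are still exchanging HL7 v2 in the clear, which is the first step toward either wrapping those links in TLS or isolating them.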

Oftentimes, when my testers are working on a healthcare organization, the first question I will ask, trying to avoid micromanaging, but the first question I will ask is: have you tried MUSE admin? I think I need a poster on everybody's cubicle. Let's say unauthenticated VNC is still happening. A lot of it has to do with remote management of devices, or devices that have computers associated with them. Starting to see a lot of password reuse in that; it's not as prevalent as it used to be, but it's still there. So do not ignore some of these basic vulnerabilities, like unauthenticated VNC and bad passwords, because you will find them a lot. In this case, Pyxis, and this is not necessarily on the vendor, it's how it was set up by the organization. We could at this point dispense medication for ourselves; we could also pretend to be somebody else, since we had credentials, and in addition to this, pretend somebody else dispensed medication that they shouldn't have.

Lack of authentication: I talked about those 13 billion patient records that we got from an NFS share. Also seeing on the left here, a GE MUSE web server. This organization was no longer using that vendor, but they kept the application running due to HIPAA regulations and wanting to go back and look at all the data from the patient. So as you can see on that border over there, I don't think we've been doing that since the '90s; back in the day we thought that was cool, we don't think that anymore. You have a lot of patient record storage in plain-text files in the network shares. For example, somebody will take notes because the EMR was down, or is just taking notes on the side, and left them in their Documents directory thinking nobody else will see it. Well, the problem with that is that IT has no business knowing that, reading that patient record, reading that note about that patient, but it likely has access to your Documents folder. So creating the separation is important, and teaching the users to use the EMR for note taking, or use some encrypted apps; if you are going to take some offline notes, put them in Microsoft Word or Excel and encrypt it, because it does have the password capability. This is very common in internal networks; you don't often see that on external. What I did see on external a few times was things like a help desk, and this is one of my best colleagues, I think it was actually he who found it: the organization's help desk tool was publicly available. If you wanted to submit a ticket you had to sign in, but you could review previous tickets. So one of the things we did was just search for the word "password" or the name of the CEO, and we found all password resets, recent password resets, password policy, quite a bit of IT notes that helped us gain access to some passwords we shouldn't have had access to.

All right, so it's important to think about authentication, and don't just stop at authentication, think about authorization too. Just because you are authenticated, you have the business being in this building: do you have the business being in this tool, in this application, in this share? Oftentimes we are seeing applications interacting with a network share where the user has to sign in to log into the application, but the database the application is using does not really require that, or the database credentials are saved unencrypted in the C:\Program Files folder, so the user could just log on directly to the database, and at that point the authentication kind of goes out the window too.

Then of course, nobody needs a password manager, at least I think so. Seeing a lot of passwords stored in Excel files and Word documents and Notepad. My favorite ones are when it actually says "password", and like this one right here kind of specifies which website or app it is for, what the username and password is. I've even seen times where it said "critical application passwords" or "critical application credentials", and that was definitely a fun one to take a look at. Where it gets really tricky as a consultant is when your point of contact, the person who paid for the pentest or the person who you were interacting with in the pentest, is the one storing credentials in plain text. That's when you have to make the consulting choice of: do I tell them, or do I tell that specific person? I'm not going to go into the ethics of that; people much smarter than myself can probably tell you more about it, but find a balance.

I've done a lot of physical assessments of hospitals, especially when I was a HIPAA assessor; we would go on site to try to find how the organization is doing on HIPAA-specific rules. For example, are they posting the patient privacy notice in public areas, are they doing anything that will just violate the fire marshal's rules, are they saving data in bad locations. And we found a lot of instances, especially with small clinics, where you could just walk in and have access to patient data; just pretend like you're with a patient and walk into a patient room or walk into an area like that. We even once found, and I couldn't find that picture here, a small clinic that had their server rack sitting on top of a fridge in a kitchen, and it had the EMR, it had the network switches and all that, and it was not too far away from the sink. We also oftentimes saw things like having the doctor manage IT, or having the doctor manage security. One time we were interviewing this clinician who was managing IT in that clinic, so when it came to configuration management, when it came to asset management, he was the person to talk to, and he was a gamer, not a security person, not an IT person, trying to do the best he could. The way he was doing things was he would go to Best Buy and grab the best laptop or desktop he could find within the budget, come and set it up, and that's it. That is the configuration management, that is the asset management we're doing: I'm just writing down the serial number on a piece of paper and sending it to IT at corporate. This person, for whatever reason, was also responsible for managing the local small EMR app they had, and for that EMR app, I remember he was a gamer, he had forwarded the ports from outside to the EMR. Makes sense, right, you're running a web server, but he did not think about encryption or passwords; the EMR was publicly available at that point, so anybody could log in, or they could just scan the IP space and find that EMR right there without authentication. They did not have a lot of patients, it was a rural area, so the disclosure wasn't in the millions or anything like that, but it was still a pretty big deal, and that brought us back to thinking: how many other places in this organization is that happening?

Do not ignore the visitor area. All right, that right there is their networking device sitting in the visitor area; you can see the legs over here of the visitor chairs. So we just plugged into it and we had network access right away. We didn't need to do any social engineering, didn't need to do any lockpicking or anything like that; just sat there, plugged in, and now we have internal access. Now let's go and find other vulnerabilities that might affect them.

One place to keep an eye on is the OCR breach portal. The Office for Civil Rights is responsible for enforcement of HIPAA; if you mess something up, they're the ones you've got to report to, and they report to the Health and Human Services office, HHS. The OCR is who you report to when you have a breach, and then they put that on their website. There are some other rules around breaches we'll talk about later, but this website, ocrportal.hhs.gov, is where you can go and look at what breach your local provider may have had. So this is Colorado providers: what type of breach it was, where, the location. So for example, in this case it was a network server, hacking/IT incident; this right here is a straight-up theft of an electronic device, so somebody maybe walked away with a mobile phone that had PHI on it, or walked away with a drive, or a laptop was stolen. You've got a lot of paper and films exposure too, because paper is still used even though you have the electronic medical record; paper is still being used quite a bit. One reason could be the EMR is down for whatever reason, another reason could be the patient wants paper records. They're still also using CDs; they haven't upgraded to MP3 players yet, but CDs are still being used because they're low cost, they just work. So a lot of that could also be stolen. A lot of organizations are using vendors like Iron Mountain and others to store tapes and whatnot, but they also use shredding companies to come and take away the sensitive paper to shred, and they get a certificate from them to prove that things were shredded. But one of the things we found while we were doing a lot of those HIPAA walkthroughs was you would find filled-up shredding bins, the secure disposal bins, sitting on the dock with nobody around to take a look at them. So you can just walk away with that bin; it's pretty easy to break the lock, in fact the bin is plastic, you don't even need to break the lock, or you can just reach in and grab the paper and walk away with that. You may have something fun in there, right? So that's what you see sometimes in the paper and films type of theft.

All right, so I talked about a lot of bad things, a lot of the things that are the reason I try to avoid going to doctors, although I'm kind of concerned with shamans looking for electronic payments now, so it's not like I can go to them either. But let's talk about some of the good things that could help, that are trying, that we could improve upon and make things somewhat better.

Just going to pause here for a second. When I was interviewing folks, when I was a hiring manager for HIPAA and HITRUST, one of the things I looked at was, if somebody's talking about HIPAA experience, how are they spelling it: is it HIPPA or HIPAA? The reason for that is it's the Health Insurance Portability and Accountability Act, so it's HIPAA. The idea around HIPAA was to make the data portable and offer privacy. That was one of the main reasons for the EMR, the electronic medical record revolution in the early 2000s that really went on pretty strong till 2015: really offering you the ability to move to a different doctor and still have your health information with you, but also providing privacy, so your information is not being used, for example, for marketing without your approval and without it being de-identified, or your information is not being sold. And the HIPAA Security Rule that came later talked about how to implement some safeguards around that patient information. So you've got the administrative safeguards, for example there should be access management, we should evaluate our safeguards or security policies often; this is around policies and procedures around identity and access management. Then you have physical safeguards, such as do not let anybody just walk through the patient area without showing some identification, without actually having a reason to be there; put a lock on your front door, put in some physical access controls where you can also monitor them. And then there are some technical safeguards, like encryption and authentication. Now, a lot of that is where I have my gripes with HIPAA, and that is, a lot of times when HIPAA talks about good things like encryption and pen testing, it says "if reasonable and appropriate". In my experience, and I'm in no way an authority on HIPAA, but in my experience, the Office for Civil Rights is not doing proactive enforcement. They're not making you do encryption, they're not making you do pentesting until after you have had a breach. When you've had a breach they will come in and they'll ask you why you didn't do encryption, they will ask you why you did not evaluate your technical safeguards, but generally until then, there are pretty easy ways to be HIPAA compliant. HIPAA also talks in great detail about risk and risk management and risk analysis, and this is where it takes a lot from NIST. A lot of provisions in HIPAA, and a lot of the ways organizations do HIPAA analysis or HIPAA-based risk assessments, are based on NIST. So when we talk about encryption, however weak the HIPAA rules on that may be, it is still based on NIST, so you still have to think: 3DES is not going to work, I have to use AES, right? So yeah, because of HIPAA, you know, the first rule of nursing home: do not talk about nursing home.

The HIPAA minimum necessary principle is another thing to think about when you're looking at pentesting, or just any security analysis, or just trying to secure the information in hospitals: identify ways that enforce this minimum necessary principle. Any use, disclosure or request of the protected health information, your health record, should only be done when it's the minimum necessary to accomplish the purpose of it. What that means, to break it down and to give you a good example of it, is if you are in the ICU, the Intensive Care Unit, and you have nothing to do with labor and delivery, there's no reason for a labor and delivery doctor to have an interaction with you; they're not assigned to you, they should not be looking at your information. If you are a doctor yourself, you should not be looking at your own son's or your own daughter's or your own parents' information without actually working with them, without being assigned to them. So it boils down to handling the health information on a need-to-know basis. Many organizations are going to use tools like FairWarning or Splunk to alert on who accessed what data and whether they had a reason to access it. A lot of hospitals, when dealing with celebrities, will put a VIP flag on the health record of that celebrity and monitor all access to it, to make sure that you do not have some nurse or some doctor in a different department or different location taking a look at that health record and leaking it to the media. A lot of common things they look for, the rules they look for, are: was it the same address as the staff member that looked at it, was it the same last name as the staff member, VIP status, different departments: did the person from labor and delivery look at ICU patients' data, did somebody from the nursing home take a look at somebody from the ICU's data, and if they did, that's likely not what they should be doing.
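The minimum-necessary monitoring described above (same last name or address as the staff member, VIP-flagged charts, access from a department the patient is not admitted to) is easy to express as rules over an access log. The block below is an added example by the editor, not from the talk and not the rule set of FairWarning, Splunk or any other product: the staff, patients and access rows are constructed, and the `care_team` assignment is an assumed attribute standing in for whatever scheduling or encounter data a real EHR would supply.

```python
"""Minimum-necessary access review over constructed EHR access-log rows.

Added example by the editor, not from the talk.  All people, addresses,
MRNs and accesses below are made up; 'care_team' stands in for whatever
assignment data a real EHR exposes (an assumption, not a product field)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Staff:
    staff_id: str
    last_name: str
    address: str
    department: str


@dataclass(frozen=True)
class Patient:
    mrn: str
    last_name: str
    address: str
    unit: str                                  # unit the patient is admitted to
    vip: bool = False                          # the "VIP flag" the talk mentions
    care_team: frozenset[str] = frozenset()    # staff_ids assigned to this patient


@dataclass(frozen=True)
class Access:
    staff_id: str
    mrn: str
    timestamp: str                             # kept as text; reported, not compared


STAFF = {s.staff_id: s for s in (
    Staff("s100", "Nguyen", "12 Elm St", "ICU"),
    Staff("s200", "Patel", "7 Oak Ave", "L&D"),
    Staff("s300", "Doe", "3 Pine Rd", "ICU"),
    Staff("s400", "Garcia", "9 Birch Ln", "Nursing Home"),
)}

PATIENTS = {p.mrn: p for p in (
    Patient("MRN1", "Smith", "44 Main St", "ICU", care_team=frozenset({"s100"})),
    Patient("MRN2", "Doe", "3 Pine Rd", "ICU", care_team=frozenset({"s100"})),
    Patient("MRN3", "Famous", "1 Star Blvd", "Ortho", vip=True,
            care_team=frozenset({"s500"})),
)}

# Constructed access log: one expected access and three that should be flagged.
ACCESS_LOG = (
    Access("s100", "MRN1", "2020-10-01T08:00:00"),  # assigned ICU nurse: expected
    Access("s200", "MRN1", "2020-10-01T08:05:00"),  # L&D staff opening an ICU chart
    Access("s300", "MRN2", "2020-10-01T09:00:00"),  # same surname and address as patient
    Access("s400", "MRN3", "2020-10-01T10:00:00"),  # nursing-home staff on a VIP chart
)


def review_access(a: Access, staff: dict[str, Staff],
                  patients: dict[str, Patient]) -> list[str]:
    """Return the reasons this single access deserves a second look ([] if none)."""
    s, p = staff[a.staff_id], patients[a.mrn]
    assigned = a.staff_id in p.care_team
    reasons: list[str] = []
    if p.vip and not assigned:
        reasons.append("vip_record")
    if s.department != p.unit and not assigned:
        reasons.append("cross_unit")
    # Relationship heuristics fire even for assigned staff: a match is a
    # conflict of interest to review, not proof of misuse.
    if s.last_name.casefold() == p.last_name.casefold():
        reasons.append("same_last_name")
    if s.address.casefold() == p.address.casefold():
        reasons.append("same_address")
    return reasons


def audit(log, staff, patients) -> list[dict[str, object]]:
    """Run every access through the rules and keep only the flagged ones."""
    findings = []
    for a in log:
        reasons = review_access(a, staff, patients)
        if reasons:
            findings.append({"staff_id": a.staff_id, "mrn": a.mrn,
                             "timestamp": a.timestamp, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(ACCESS_LOG, STAFF, PATIENTS):
        print(f"{f['timestamp']} {f['staff_id']} -> {f['mrn']}: {', '.join(f['reasons'])}")
```

The rules deliberately return reasons rather than a verdict: an assigned nurse who shares a surname with a patient is a conflict to document, not a policy violation, and a real deployment tunes which combinations page someone and which only land in a weekly review queue. The cross-unit and VIP rules both depend on the assignment data being reliable, so an EHR that cannot say who is on a patient's care team will generate noise from legitimate floats and consults until that data is fixed.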

Sorry, I had to make a knock-knock joke in there. It's not my meme though, it's somebody else's meme, so if you don't like it, don't blame me. All right, so we talked about breaches earlier; I kind of showed you some statistics on that. The HIPAA/HITECH breach rule: what it talks about is the notification of it. First of all, you have to define what the breach is, and according to HIPAA, according to the OCR, the definition of a breach is the unauthorized acquisition, access, use or disclosure of PHI which compromises the security and privacy of that PHI. So it has to be unauthorized, and it has to compromise the security and privacy of it. There has been some debate on whether ransomware itself is a breach, especially when there is no evidence that the data was looked at by somebody else, there's no evidence of data being exfiltrated, but lately the guidance has been that it is a breach unless proven otherwise. If more than 500 records were breached... and before I talk about that, let's talk about what a record is. It could be each row in the database, it could be every health record of yours, every visit you made to the hospital, and if there's a copy of it, let's say I went to a hospital, of course the hospital should keep backups, there should be backups of those backups; if the backups were also disclosed, then that also counts as a separate record. So we have 500 records, but you also have the backup tape of those records and those are also disclosed: that is a thousand records in total, even though they're not unique. So when I talked about those 13 billion records earlier, those were not 13 billion unique records, but they all count when it comes to the fines, when it comes to enforcement. So if more than 500 records are breached, then you have to report within 60 days to the patient, to the federal government, which would be the Office for Civil Rights, and also, if you had a large breach, you have to go to the media. If it's less than 500, then you just notify the OCR on an annual basis, but you still have to let the patient know, though. Part of the reason for that is you don't want to be writing reports to the OCR for every record breach you may have. You might have just one record breached; let's say it's once a day, that's still going to be a lot of forms to fill, so you're going to combine them into one big notification at the end. This is the best use of HIPAA for me, the one I like, right: it allows you to win those conversations with pesky family members.

All right, so one thing is, if data was disclosed but it was encrypted: well, it's still kind of a breach, but there's no disclosure, to be technical about it. PHI that has not been encrypted could technically be HIPAA compliant, but if it's not encrypted and you got a breach, then you're going to have a huge problem. And to be fair though, if you read more of the rule, they're not necessarily saying that you just say "well, I don't need encryption" and that's it; they're still looking for the reason why you don't need encryption, right: we try to address the issue, what controls you have in place that make it reasonable for you to not have encryption. PHI that is shredded in a way that makes it unreadable: not necessarily a breach. Or you may have issues like, for example, a nurse, or somebody in a physician's office, let's say a nurse or a doctor, accidentally gives a medical summary to the wrong patient, who immediately sees that it's not hers and returns it. That is considered in the rule a disclosure to a person unlikely to retain that information, so if that's the case, if you can prove that's the case, then it may not be a breach. Then again, I'm not a HIPAA authority on this; you still should work with your compliance department, they are really the ones who understand these things very well, and again, in the end whatever the government says goes.

So if there was a breach, what's going to happen? Well, the Office for Civil Rights will be in your business. They'll come in, they'll require you to conduct a risk assessment, they will require you to have a corrective action plan for whatever issues were identified, and they may even sometimes do surprise on-site visits to make sure you have good physical security and take a look at your papers.

In addition to HIPAA, nowadays there is HITRUST. I have yet to find somebody who loves HITRUST, but to be candid, there are some really good technical rules in HITRUST that I like, being technical. HITRUST is kind of a mixture of your ISO 27002, your HIPAA, NIST, FedRAMP, PCI; a lot of things like segmentation it takes from PCI. It's got three different levels of requirements; not every hospital is created equal, so they're not always going to have the same requirements for everybody. Every requirement needs to be rated for: is there a policy for this, is there a procedure in place that talks about it, how well are we implementing it, and then are we measuring the success of this requirement being implemented, and if there are issues, how are we remediating

them so hydras goes in a lot of depth to that and this is kind of the reason why a lot of us Consultants do not like hydras because it does cause a lot of work we talked about uh uh hl7 earlier so let's talk about fire right fire is the next Evolution it still is uh to some extent you know you're trying to encode the information to make it cross Fender compatible but it supports restful apis it supports oo and Json tokens right so it also supports digital signatures so it brings in the confidentiality integrity and availability of the data that we like like to get to uh it is not being enforced quite a bit yet it's not

being used by new devices and to be candid if the device is still working the hospital has very little reason to change it often times those devices can cost Millions uh or it can be you know even if it doesn't cost a lot of money to buy the device it could cost a lot of money to train people to use it to train organization to implement that device so where are the crown jewels we talked about uh how I've been getting in we talked about some of the issues we've seen uh once you are as a pen tester you are looking at in organization youve got domain admin or you've got access things you need to look for are especially Epi

electronic PR protected health record the you know things in the mrr database uh patient information and notepad files and whatnot count it if you can get to a number above 500 you will really be scaring some people and that's a good thing all right you need to uh be able to talk numbers with the executive leadership um do not try the webcam shots um speaking that from experience um one of my former colleagues the guy who actually taught me pentesting currently lives in Boulder um him and I we used to do a lot of webcam screenshots and they have been times when I just wish I had not done a webcam screenshot but there are

sometimes organizations that want that so they can show risk all right look for if you're doing physical look for printers fax machines copers right the unsecured uh unlocked uh bins I talked about where you can just snatch the paper out and uh that would be you grabbing access to a Phi so when I'm doing the internal Network tests I'm looking at sometimes often times starting with a responder I know a lot of us um feel too Elite to use responder but broadcast Protocols are there may as well use them right don't don't try to complicate the pentest if you don't have to so a lot of medical devices and services are going to use broadcast protocols to do their

work especially when you have uh dental emrs and uh other applications that are using SMB shares to do their work they're storing data on S SMB share and pulling it uh I'm a big fan of CME crack map exact thanks marello uh um use the ad defaults I the link I provided in the slides back there from shaon has a lot of medical device defaults in there many of them are ad accounts especially Muse admin all right tattoo this write it down somewhere whatever way you like to do your password list this right here is a really good credential to use use MW or whichever tool you like to look for unauthenticated VNC um instances is look

for M SQL um one thing be very careful do not lock out the EMR database I've been through that I've seen that happen um the client still brought us back but it was not a fun thing to go through when I was working at serer I went through some of these issues where the EMR database is no longer working or EMR is just down there's an outage and that creates a lot of friction between it and clinicians that is not healthy for the security of the organization also means the clinicians now have to go to paper they have to write everything down and then they have to once the EMR is back put that information back in the

database or in the EMR which doubles the work also now you have paper records that you have to worry about securing so don't lock other the databases if um try avoiding MMA SQL if you can until you have good credentials um maybe just try one password uh with a list of multiple usernames so look for E Epi look for credits uh especially take a look at the SMB NFS shares you'll find a lot of stuff in there uh iends and peping Tom have been really helpful for me to identify unauthenticated web apps that I could log into well get no login that I could get to and get patient data and again count the patient data you receive

right so if you are in Ms SQL you know do a select count all uh if you are um walking in doing a physical still count how many paper records you got because the number of Records you were able to breach uh is what will really help the security team get the funding privilege escalation look for clinical application binaries that have bad permissions on them so you could do something with you know with with the PowerUp you can exploit them look for configuration files inii do config files that are sing and C program files or other specific application folders or even on network shares um often times the way the application is installed on the share

and then access is just because you have access to the share to read the Phi the data and the config file is also stored in the same share you may also be able to read passwords for the database from the share at that point you know the Access Controller goes out the window look for the environment variables a lot of organizations a lot of um uh software vendors due to the security concerns of configuration files just being out there are moving to environment variables uh which still depending on your access you could read for external I like to uh still use Muse admin on Citrix and owwa on the VPN right uh grab some weak passwords with

using Harvester go after some portals uh this is a Google dork I've found to be very useful uh to find patient portals where patients will log in to find their patient records just be careful sometimes there are third party hosted so you'd want to make take a look at the uh scope some common passwords you want to try uh some variation of Welcome um very recently we found an organization where we had uh over 6,000 welcome one passwords or welcome one to three if kind of just went from one two and three every 90 days as they were changing the password uh organiz the MIM monic is often very common in the passwords not just specific to healthcare but

everywhere else the change of the EMR is generally an overnight event it's a very extensive event um which leaves a uh an impact on people's minds they remember it and the event is called go live you're going live with serer or epic or whatnot so that ends up in a lot of passwords and of course you've got you know the Corona virus or covid happening and that impacts um um what passwords are being used all right complex medical terms they're easy for the doctor to remember they I think they're not easy for you to try but if you put them in a password list really it's not hard to uh try them um always try the digit and

first uppercase letter because special character is not being used a lot still as you are performing the pen test uh it's important to try and avoid hitting the EMR or EHR right away at least don't scan it don't put NASA scans at it um and if you're going to do that work with the organizations to understand how they do it so you're not going to just take it down on day one try avoiding scanning medical devices or battery backups and as I mentioned early a lot of organizations don't know where their medical devices are many might not even know what IP scheme their battery backups have so helping figuring that out during scoping exercises is pretty

good idea look out for uh you know the MS SQL Server accounts ad service account medical device accounts um talk to the client and understand what they're concerned with uh do not lock them out because locking them out would mean you don't come back also if when you cause an outage and say you and I've done that I've done in the past where once this one very uh common EMR I typed in a percentage sign in the username field it thought I was trying to log in as every user all of was were trying to do was find SQL injection or something like that but it locked out every user because I thought I was trying to log in

as them so try avoiding that because that will create a lot of friction the security is already seen as a blocker right as something that prevents you from patient care uh that's a very common excuse I've heard is that two second that is taking me to type in my 2fa is taking time away from the patients so try to be as easy uh as uh collaborative as you can right collaboration is the key word in there and as I mentioned earlier try avoiding webcam shots uh if you can as we are scoping again you know of find places where you should not be doing a Nessa scan or quala scan or an expo scan because you don't want to take

things down um look for sensitive devices is a network that you should not scan and also look for how the organization's network is laid out because that map I showed you earlier it's all flat a lot of healthcare organizations are still flat organizations flat networks so it's very much possible if you're pentesting University Health Center and you're hired by the health center to pentest them your nessus scans could very likely or your nmap scans could very likely be hitting the university which is not in scope so figure that out in the scoping exercises all right um identify any uh password lockout policies if you can if the client doesn't feel comfortable telling you because it's not a pentest

it's a red team well go and look for that in Google use Google dorks you can find the password policy very commonly um so you do not lock out clinici accounts because they may be in middle of some very sensitive care they may be working with an anesthesia machine at that point right so be very careful with that um what could the organization to figure out the vulnerability scanning schedule especially if it's a pentest and you have to do vulnerability scanning um try to figure out if there's a if they want you to do heavy lifting heavy activity after hours now one question I often follow that up with is if I am working after hours to do this

in scan that has some little possibility of causing issues do you have anybody working at night because there really isn't a point making the Tester the scanner you know do the scan at night when if something goes down there's nobody available uh to call um if you're doing physical uh try to avoid U you know nuclear medicine or areas like that unless you want superpowers so work with the client to understand which areas you should stay away from um if you're a male you'll likely be asked to stay away from labor and delivery area um and there may have some you know very specific research areas that you want they want you to stay away from if you're Medical sure if

you're on wireless network um you will likely see WEP devices so identifying what the SSS are specific to the hospital and which ones you can go after they might sometimes tell you do not go after this specific device because um you know it's sensitive or something like that also understanding their domains um and this is based on experience uh we were doing a pent test back in I think 2016 um this organization had a an ad domain an active directory domain that we got into with three character passwords and three character usernames it was Windows Server 2003 domain controller and every other server was around that um timeline too turns out because once we got domain ad pretty

quickly couldn't believe it because the the organization looked pretty good otherwise we went and talked to the cisa who hired us and uh they said well I have no idea who this is that's that's very uh scary at that point we have a domain in your network range an AC directory domain with servers and users that you don't know who that is talk to the it manager had no idea talk to compliance they had no idea uh Biomet which is a department that manages biomedical devices uh in the environment they had no idea well that's pretty scary so let's uh bring everybody together and see what's going on we did some research on our own the client also

talked to the contracts department and turns out this was an EMR vendor about five six years ago came in set up the active directory domain for their devices and it was communicated but the person who was communicated to no longer was there it was in the contract so everybody just thought you know it's in there they'll know but of course the client didn't know so inventorying while you are doing the pen testing might actually be helpful um for your client all right so that is it uh uh that's uh not all I want to talk about with Healthcare but this is all uh um as important and I want to talk about in this this time slot um that's my Twitter

handle right there uh this right here is my LinkedIn page if uh anybody wants to go and connect have your talk about anything it also be at Discord uh to answer any questions you all may have I think I can come up with at least one that I'm interested in and one that everybody might be interested in yeah we were discussing open- Source computerized patient records and Clinics off for earlier and we speculated that there was something there's probably some legislative block to that that the big companies managed to get past you are you aware of anything like that uh not specifically but I can tell you those big companies um do have a lot of

lobbying money Healthcare is very lucrative business um for example um if you look at the cost of moving from serner to Epic or epic to cner it's in millions so I would not be surprised if they Lobby against open source emrs and things or open source recognition things like that there are open source emrs that I'm not seeing used a lot either a lot of it has to be with support right because the healthcare organization needs support for whatever tool they're implementing um and they want to make sure that uh they just don't feel comfortable with open source because of that okay and then you said don't do webcam captures unless you want to see something nasty can you give

a high level overview for everybody about what you might want us want to avoid what do I want to talk about though that's the thing in there um once uh so organization um Wanted vcam shots because they want they were the the person who hired us the security organization was just really being pushed against the corner on the budgeting the the CFO and I'm I'm kind of paraphrasing in here but CFO said I have enough money to pay hipop breach fine I don't need uh to worry about security that that was a business decision that the CFO had made and uh the security team that hired us wanted us to prove that wrong they wanted us to

specifically get desktop screenshots and get uh uh webcam screenshots of executive leadership and board of directors um and in that we once we took some webcam shots we saw things that would look really good on a tabloid would not really look good on in a pentest report um another instance similar issue uh we were asked to do webcam screenshots and uh one computer that we did not think because they they had some pretty good naming scheme about which computer is where and we were avoiding any computers in patient rooms but we ended up taking a screenshot from a computer in a patient room um that was not not good to look at um reported that

right away um it was it went through quite a bit of Investigation by compliance and whatnot uh but both of those organizations uh they they of course give more money to security and whatnot but they also uh weirdly reassured everybody a laptop without a webcam which also seems kind of expensive but you know a good idea and uh know epoxy would achieve the same thing but might make the laptop hard to close all right thanks a lot Q we really appreciate you presenting today uh it's fascinating topic and I'm sure there'll be some some questions in Discord if you want to and then if you get a chance if and you're willing to or share your

slides if you get them back to the cfp get them in the Discord if you want and then maybe back to the cfp so we can get them into the YouTube and we share there I'll do both I'll drop the slides in there shortly in Discord and I'll email you guys with my slides too thank you for the opportunity thanks everybody uh forist thank you sir thanks thank you
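The percent-sign lockout story in the talk (a single `%` in the username field locking out every user) is worth seeing in code, from the defender's side. The following is an added example written for this page; it is not code from the talk, from any EMR vendor, or from the speaker. It assumes a hypothetical login handler backed by a `users` table with a per-account failed-attempt counter, and shows the flaw beside the fix: the vulnerable handler treats the username as a SQL `LIKE` pattern and applies the lockout to every account the pattern matched, while the hardened handler looks the account up by exact equality and only ever touches the one row. The sample accounts, passwords and lockout threshold are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed policy and sample accounts for the demo; not real credentials.
LOCKOUT_THRESHOLD = 3
SAMPLE_USERS = {"dr_alice": "pw-alice", "nurse_bob": "pw-bob", "tech_carol": "pw-carol"}


def hash_password(password, salt):
    # PBKDF2 stands in for whatever password hash the real system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    """Fresh in-memory users table with salted password hashes and lockout columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB,"
        " failed INTEGER DEFAULT 0, locked INTEGER DEFAULT 0)"
    )
    for user, pw in SAMPLE_USERS.items():
        salt = os.urandom(16)
        conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                     (user, salt, hash_password(pw, salt)))
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Flawed handler: the username is used as a LIKE pattern, so '%' (or '_')
    matches many accounts, and the failure counter is then applied to every
    matched account. The query is parameterised, so this is not SQL injection;
    the wildcard problem survives parameterisation."""
    rows = conn.execute("SELECT salt, pw_hash, locked FROM users WHERE username LIKE ?",
                        (username,)).fetchall()
    if not rows:
        return False
    for salt, pw_hash, locked in rows:
        if not locked and hmac.compare_digest(pw_hash, hash_password(password, salt)):
            return True
    # Lockout bookkeeping keyed on the pattern: one bad '%' attempt hits everyone.
    conn.execute("UPDATE users SET failed = failed + 1 WHERE username LIKE ?", (username,))
    conn.execute("UPDATE users SET locked = 1 WHERE failed >= ? AND username LIKE ?",
                 (LOCKOUT_THRESHOLD, username))
    conn.commit()
    return False


def hardened_login(conn, username, password):
    """Fixed handler: exact-match lookup, so wildcard characters are just
    characters; an unknown username locks nothing; the counter and lockout
    flag are updated only for the single row that was looked up."""
    row = conn.execute("SELECT salt, pw_hash, failed, locked FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, pw_hash, failed, locked = row
    if locked:
        return False
    if hmac.compare_digest(pw_hash, hash_password(password, salt)):
        conn.execute("UPDATE users SET failed = 0 WHERE username = ?", (username,))
        conn.commit()
        return True
    conn.execute(
        "UPDATE users SET failed = failed + 1,"
        " locked = CASE WHEN failed + 1 >= ? THEN 1 ELSE 0 END WHERE username = ?",
        (LOCKOUT_THRESHOLD, username),
    )
    conn.commit()
    return False


def locked_accounts(conn):
    """Sorted list of usernames currently locked."""
    return [r[0] for r in conn.execute("SELECT username FROM users WHERE locked = 1 ORDER BY username")]


def demo_wildcard(login):
    """Send LOCKOUT_THRESHOLD bad attempts with username '%' and report who got locked."""
    conn = make_db()
    for _ in range(LOCKOUT_THRESHOLD):
        login(conn, "%", "not-the-password")
    return locked_accounts(conn)


def demo_targeted(login, username="nurse_bob"):
    """Send LOCKOUT_THRESHOLD bad attempts against one real account and report who got locked."""
    conn = make_db()
    for _ in range(LOCKOUT_THRESHOLD):
        login(conn, username, "not-the-password")
    return locked_accounts(conn)


if __name__ == "__main__":
    print("vulnerable, '%' input:", demo_wildcard(vulnerable_login))
    print("hardened,   '%' input:", demo_wildcard(hardened_login))
```

With the vulnerable handler, three bad attempts with `%` lock all three sample accounts; with the hardened handler, the same input locks nobody, and only a repeated failure against one real username locks that one account. The detection angle is the same observation in reverse: a burst of lockouts across many accounts from a single source within seconds is the signature of this bug being tripped, whether by a tester or by anyone else.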