
All right everybody, thanks for coming. I'm awesome cute; just go with Q, it's easier. Even though... well, I thought it was easier. I told a Starbucks barista "Q" and she wrote "queu", another one wrote "goop", one was a guava. That's great. So you're here for medical devices, medical records and new passwords. I've got some stickers, the ones I was telling you about earlier; if you want to grab some, feel free to. Business cards are there too. If you're not here for this talk, well, it's too late.

I run the pen test team in our grant office. I come from a healthcare background: I used to work for a medical company that builds medical devices and medical software, and then I moved on to be a HIPAA and HITRUST assessor, and then I just decided to join the dark side, as if HITRUST wasn't dark enough already, but I had to go darker. That is my Twitter handle; if you want to hear somebody complain about everything in the world, feel free to follow. And the second one is the Coalfire Labs handle. We release a lot of cool software, some exploits and whatnot, so if you want to stay in the know on that. One of our guys recently released, and it was very bad timing, a C2 framework built on top of Slack, and the bad timing was, would you believe it, the day Slack went public. That was not fun. Anyway, I digress.
So let's do some homework first. Let's see what we are talking about first, which is your healthcare IT networks. This diagram kind of depicts a typical IT network you will come across. All right, the center of everything is the EHR database. That's the database that every device is going to send data to, or that medical records are going to pull data from. Nowadays that database also includes schedules: when the doctors are in, what appointments they have, patients, what rooms are available, special rooms in it, etc.

Then you've got, let me see if this thing works, laser pointer, all right, so you've got these devices up here, which are your HL7 consumers and transmitters, or senders, whatever you want to call it: your medical devices, right, your beds, smart beds. It used to be that you had a clinician watching you sleep to see your sleep pattern; that got pretty creepy, so now they have devices doing that, so somebody in Russia can watch me now. Then you've got things like ventilators, your other smart devices, including the smart devices they have in rooms, like a display that will tell you which physician is in here, maybe a TV that tells you what medicines you should be taking and at what time, along with allowing you to watch movies and TV shows.

Then you've got all of these devices sending data through what's called the connectivity engine. OK, some of them connect directly to the EHR database, some connect through a connectivity engine; it's like your gateway, all right, it's the middle person that understands HL7 and encoding and sends it up. We'll talk about HL7 later. Some of these devices use TCP, [inaudible], HTTP, HTTPS and whatnot. I talked about scheduling. So these devices or applications will figure out which room to put a patient in and which doctor to assign them. This also helps the charge nurse understand, you know, which room a certain patient is in; if they're having a code blue, you know what conditions they have beforehand.

All of these can then be connected to, you know, you've got internal networks in here, maybe hosting a patient portal, that could be hosting software for doctors to work remotely. A lot of doctors or your vendors may be connecting through Citrix or whatnot. All right, so that's your typical healthcare network. Now we see this line over here: it's not solid, it's... there's no segmentation. The majority of the time there is no segmentation between the real hospital network and... I've seen some where it's a hospital and an educational institution, medical centers. There have been times I was doing a pen test against the hospital and ended up hitting the educational servers of the university because there was no segmentation, and we wanted to notify them of that. So a lot of issues there, as we've already realized.
So this is an EMR [Music]. This is not a real one for sure, but yeah, this is what they might look like. There are some big vendors of EMRs like Epic, Cerner; I don't find them a lot nowadays. NextGen is a big player, eClinicalWorks is a big player, and there are a few other ones out there. OK, so that's what our targets look like. What does, well, one of the... good luck... all right, what do we see?

So a topic of HL7: HL7 is encoding, all right, it's not encryption, it is not hashing, it's encoding. The benefit of HL7 is the compatibility it creates between different devices and software. The problem with it is it's plain text. You can run a Wireshark capture and you can see the patient data flowing. OK, so, but I used to work at this EMR vendor where we had the ability to use SSL/TLS. We told our clients about it, but nobody wanted to use it because you did not know how a certain device that's ten years old in the ICU will respond to it. OK, I've still got a client in New York that has an MS-DOS device, all right. For those of you who don't know what MS-DOS is, I'm glad you're young. So HL7, you know, it helps you man-in-the-middle pretty easily.
This right here is my favorite. That MUSE admin credential has been out since 2007, all right. That's the CVE, I think... a little bit... sorry, not 2007, I've known about it, but it was out in 2015. It has still not been patched, all right. The problem that happens: I actually did help a hospital change the password from MUSE admin and MUSE background; it took them one year. A lot of these credentials get hard-coded in devices, in software that's been deployed, in scripts that have been deployed, so now people are worried that if we change the credential it's gonna take something down. We don't want to kill anyone. Although that's always an excuse, that we don't want to kill anyone so we don't want to use a good password, in this case I find that to be a real scenario, a real threat: if we just go ahead and change the password we don't know what's gonna happen. All right, so that's when you end up in need of an inventory: find out which devices are using it so you can start changing it.

All right, now this has given me the opportunity to get domain admin in ten minutes. The reason for that is the MUSE admin and MUSE background credentials are Active Directory credentials, right. They connect to the databases using AD, they connect to servers using AD, devices using AD. There are also local admin credentials on GE MUSE servers, which are usually, almost all of the time, Windows servers, which are also connected to AD, and guess who sets up those servers? It's helpdesk, right. So you jump on them using these credentials and you just dump [inaudible]. Remember, now, most of the time, about 99% of the pen tests I've done, these credentials were also valid with Citrix and VPN. Maybe the devices need to work on... I don't know, but they were valid through VPN and Citrix also, so ten-minute DA through these.

Then you've got a lot of VNC systems, and this is nothing against [inaudible], you know, it's good software, and a lot of these vendors do publish advisories to let the clients know: don't use these bad
practices. We recently found some vulnerabilities with some software in a client environment, and it turned out the client just tagged it missed and figured it would be the case here too. But VNC, especially VNC, is one of the common ways we get credentials in healthcare environments. Somebody decided to set up VNC to troubleshoot something, to help a nurse, to help a doctor, or to just remotely manage a device, and just never turned it off, all right, or never set a password on it. So if they've already logged in with their AD credentials, you could do quite a bit with it.

Unauthenticated access to PHI: so you've got credentials stored in plain text files like Excel files, text files. The top screenshot, that was an open NFS share. All right, how many people here know what NFS is? All right, that's a good number. Usually people don't know; I've found this quite common in interviews: I deal with candidates and it turns out they don't know what NFS is. This was the case with this client. They were using NFS; they just didn't know what it was. They were monitoring for SMB shares; they were not monitoring for NFS because they didn't know what it was. That was 13 billion patient records, all right. There's not that many humans in the world, so there was just copy of copy of copy of different EMR records into one folder, all flat files. Now you might say, well, maybe the unique ones would be a million, but when it comes to the Office of Civil Rights, which enforces HIPAA, that is still 13 billion, all right, so they're gonna impose fines based on that. Even if it was a million, I would sell them for a dollar each, so millionaire, right. I did have to, one of my guys who found it, I did have to talk to him and have a sit-down with him and say please do not sell them, this is a lot of money, [inaudible] Starbucks $4 does it. All right, so PHI in text, but also plain text passwords. OK, it is very difficult to use password managers, even for us who
are security folks, all right. Imagine a clinician loses their LastPass password; that would be chaos for them. It's chaos for me when I might lose my LastPass password, but for somebody who is not educated in IT security and has a high-stress job it could be quite stressful. So that results in passwords.txt, passwords.xlsx. One that I found was called "sensitive applications usernames and passwords.txt". So this you find in IT shares, in clinician shares and user shares quite a bit.

Then you've got the physical goodies. To put in there, I couldn't find it, it was... this client had their network rack sitting on top of a fridge in a kitchen, all right. It was not just switches; there were servers in there, all right. I had a client, it was somewhere in [inaudible] Mississippi, a small clinic, and they don't have an IT person; their doctor was the IT person. So we asked the doctor, I was a HITRUST assessor at the time, I was like, doc, how do you set up your systems, what's your secure configuration standard? And he goes, I just go to Best Buy and just buy a computer, come in, plug it in, but good, I just make sure I install antivirus on it. So he's doing what he's taught to do; he's doing what he understands to be a good thing. When you buy a computer for home, all you do is go buy it from Best Buy, make sure it's up to date and install AV on it. But he had done the same thing with the EMR, which was now publicly accessible without [inaudible] many passwords on it. This is my favorite: this is a visitor area; that is their main internet connection right there; there's a chair next to it, OK.

And if you want to know the results of all these things, and how maybe the hospital next to you did, the OCR breach portal is the place to go. Do this with a glass of wine; I don't drink, but I'm letting you know you should probably. So what happens is if
you've got a breach of 500 records or more, all right, duplicates also count as individual records, if you've got more than 500 records breached you have to notify OCR, the Office of Civil Rights, right away. If your breach was 499 records or less you do not notify OCR right away; you wait till the end of the year and submit your report to them, but you do have to notify the patients. So these are all the ones that were 500 records or more; scary stuff up here.

So after all the bad things, what can we do? You guys remember HIPAA, right? I love it when people... yes, when I was an assessor and I was hiring folks for HIPAA assessments, if in their resume they misspelled HIPAA, I knew I was not gonna hire this person, all right. So HIPAA is... it's good, all right, it's something. It actually does tell you that you need penetration testing if it's reasonable. I'm not a big fan of the words "if reasonable", but hospitals know that if you do not conduct pen testing and you get breached, you now have to tell OCR why it was reasonable for you not to conduct it. So it's kind of enforcement at the back end, not at the front end, which is not great in my opinion, but there are quite a bit of good controls in it. It is based on NIST. I just bother you for a sec, I know it's a meme, it's a meme.

So then comes HITRUST. Who here loves HITRUST? Really? Well, are you an assessor or are you a consumer? OK, all right, well, make sure you have a lot of coffee. So HITRUST takes in all these good frameworks, well, good in a relative sense, you know, NIST, PCI, ISO, and it combines them, and it's got different levels of requirements. OK, if you are a small hospital you may only have to comply with level one; if you are a really big hospital, maybe level three, so it gets more rigorous. Then the requirements are broken into policy, process, implementation, are you measuring, are you running some kind of, you know, measuring program like your SIEM or not, and then are you managing, and if you see issues are you remediating them. So it goes quite technical in that, and you can see that becomes quite an argument for the assessor because you have to look at a lot of things, but it does require technical controls like DNSSEC.

And then, remember HL7? Well, now there's FHIR. FHIR is out there; it supports REST APIs, so it can do JSON, web tokens, it can do SSL/TLS pretty well. Now the question is how many vendors are gonna start using it, and a lot of vendors are using it, but then
again, if your ventilator that cost five thousand dollars is working just fine, why would you replace it? OK, if your MS-DOS device that costs five million dollars to replace is working just fine, why would you replace it? So that is a conundrum that you get into if you're in a healthcare environment.

Now, if I'm doing a pen test for PHI, of course I look at their databases relevant to EMRs, EHRs, after using MUSE admin, of course. You can look at the cam shots; I did that once, well, I used to do it a lot, the last time I did it I never want to do it again, because you can end up being in patient rooms. Now that does show a lot of impact to the board of directors or whatnot: hey, look, I got into webcams in the patient room and can do bad things with it. In this case, though, once I did that, the CISO got the board of directors to approve budget for new laptops, and the new laptops had no [inaudible]; that was his security measure, all right.

For physicals, look at printers; a lot of times the clinicians will print something. Or you can look in the secure disposal bins; a lot of times you can just reach in and grab the PHI out. You guys, it's overflowing and the secure disposal company hasn't picked it up, yeah. My favorite is the nurses' station: you can find these monitors or computers that give her or him or them the view of all of the rooms, all the patients, what the blood pressure is like, what the name is, what the patient record ID is, all that stuff. Oftentimes it is publicly visible, so there is your PHI, there is your breach. OK, all right, four minutes left. We are hiring if you want to do this fun stuff, if you never want to go back to your doctor because you know all the secrets now, or you can just, you know, look at your own records yourself. Thank you. Any questions? By the way, the talk is on GitHub; my GitHub handle is hashtag InfoSec, all right, I couldn't come up with something better. So, any questions? Yes.
It's, uh, it's a protocol, all right. So first of all the server and the client need to support it and enforce it. Secondly, all the protections it provides, it supports them; they're not... it's not like you're going to implement FHIR and you'll be secure right away. Like I mentioned, it supports JSON, it supports web tokens, right, so it makes it easier to be secure, but then again you still have to implement it that way, you still have to configure it. Anybody else? Yes.

So monitoring, monitoring is the first thing you should do. Educate your users, OK, but what I think I'm seeing is there's a disconnect between IT and application owners and security. Our security folks come in high and mighty and we just want to tell people what to do instead of listening to their problems. Listen to their problems, understand what problems they're having and work it, OK. The biggest risk I see in healthcare IT is that the IT, application owners, biomed don't understand those security issues; they're set in their ways, so helping them understand that would be a good first step.
Specialists used to be a bigger issue, but now they're moving towards Office 365, they're moving towards Google Apps; it's cheaper than having an IT guy inside, so they are becoming much more difficult to get into than bigger hospitals. Bigger hospitals are still... they still have to support all the devices. A lot of times, if you can't get into the bigger hospital, you get into one of their outpatient clinics and that's how you get in: if you can't get the head of the hydra, you know, go for one of the tentacles. I'm laughing because I was... the story: I found this AD domain, a contracted domain, in an environment where the CISO did not know it existed, the CIO did not know it existed, nobody knew it existed. It was set up by the EMR vendor to manage their devices and had remote VNC access, all right, and the passwords were, I kid you not, three characters, even for the year. But a lot of times, yeah, the more access exists. When I used to work at the EMR vendor we had our own very specific passwords that everybody in that company had access to, so it wasn't just the support team that has that, everybody had access to it, and then you also had passwords that we just knew would work, and those are on those black stickers, all right.

All right, it's 10:30. I will be outside if anybody wants to talk more, anybody wants to hear some terrible stories, but thank you. [Applause]
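The talk's point that HL7 v2 is encoding rather than encryption, so a passive capture exposes patient data, shown as an added example (not from the talk or any vendor): a minimal MLLP/HL7 v2 parser that pulls the identifiers readable from a PID segment, plus a check a network monitor could use to flag an HL7 feed that is not on TLS. The sample message, identifiers and function names are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample: one ADT^A01 admission message inside an MLLP frame
# (0x0B ... 0x1C 0x0D), as it would appear in a TCP capture of an HL7 feed
# between a bedside device and a connectivity engine. All values are made up.
SAMPLE_FRAME = (
    b"\x0bMSH|^~\\&|BEDMON|ICU|EHR|HOSP|202401150830||ADT^A01|MSG0001|P|2.3\r"
    b"PID|1||MRN123456^^^HOSP^MR||DOE^JANE^A||19700101|F\r"
    b"PV1|1|I|ICU^101^1|||ATT001^SMITH^JOHN\r"
    b"\x1c\r"
)


def unframe_mllp(payload: bytes) -> List[bytes]:
    """Return the HL7 messages carried in an MLLP-framed TCP payload."""
    return re.findall(rb"\x0b(.*?)\x1c\r", payload, re.S)


def parse_hl7(msg: bytes) -> Dict[str, List[str]]:
    """Split an HL7 v2 message into {segment_id: fields}, first of each kind.

    After split('|'), PID-n is fields[n]; for MSH the numbering is off by
    one (MSH-n is fields[n-1]) because MSH-1 is the separator itself.
    """
    segments: Dict[str, List[str]] = {}
    for seg in msg.decode("ascii", errors="replace").split("\r"):
        if seg:
            fields = seg.split("|")
            segments.setdefault(fields[0], fields)
    return segments


def extract_phi(segments: Dict[str, List[str]]) -> Dict[str, str]:
    """The identifiers a passive observer can read straight from PID."""
    pid = segments.get("PID")
    if pid is None or len(pid) < 8:
        return {}
    name = pid[5].split("^")          # family^given^middle
    dob = pid[7]                      # YYYYMMDD
    return {
        "mrn": pid[3].split("^")[0],
        "name": f"{name[1]} {name[0]}".strip(),
        "dob": f"{dob[:4]}-{dob[4:6]}-{dob[6:8]}",
        "message_type": segments["MSH"][8] if "MSH" in segments else "",
    }


def is_plaintext_hl7(payload: bytes) -> bool:
    """Monitor check: an MSH header with its encoding characters visible in
    the clear means this feed is not wrapped in TLS."""
    return b"MSH|^~\\&|" in payload


if __name__ == "__main__":
    for message in unframe_mllp(SAMPLE_FRAME):
        print(is_plaintext_hl7(SAMPLE_FRAME), extract_phi(parse_hl7(message)))
```

Point the same check at a capture from a link that is supposed to carry TLS-wrapped HL7 and a hit is an immediate finding; the inventory step the talk recommends is what tells you which feeds can be moved to TLS without upsetting an old device.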