
Qasim Ijaz - Medical Records and Default Passwords

BSides Augusta · 2019 · 31:33 · 155 views · Published 2019-10
Transcript [en]

We've got Qasim on pentesting in the medical field. Thank you. I'm just waiting for my coffee over there. Can I have coffee, man? It's before noon. Thanks, Mindy. All right, let's double check this works. Awesome. So you're here to hear about all the good things that happen in the healthcare field. I'm Q, or Qasim if you can pronounce it, otherwise just go back to Q. I work with Coalfire Labs; it is the pen testing division of Coalfire Systems, and I lead the pen test team in Atlanta for our office. I used to work in the healthcare field. I used to work as a systems engineer at an EHR vendor, and then I moved on to doing HIPAA and HITRUST assessments, and then I realized I like going to the dark side, so I started doing pen testing. So most of my pen testing has been focused on healthcare, and that's my Twitter handle. I don't talk about InfoSec, I talk about politics, so don't follow me, or follow me at your own risk.

So let's talk about healthcare IT. This may be a refresher for a lot of you, for those of you who don't know a lot about this. So basically the idea is you've got the EHR database as the center of the healthcare IT environment; that's where all the devices are sending data. You've got your smart beds. You know, it used to be, back in the day, a clinician would be sitting next to you all night observing you, very creepily, being all creepy and just taking down notes: how often you turned on your side, what positions you like to sleep in. Well, now the devices do that for you, all right, the bed is doing that for you. Then you've got your pharmacy. You've got, you know, people used to steal medicine, and we like to make everything smart, so now we've made the medicine cabinets smart. I used to work at Cerner on the iBus line, one of which was the RxStation. The idea was the moment the medicine is taken out, record it, okay, and you can't take the medicine out unless you've got a prescription. Well, I digress a little bit: they caught a serial killer that way. They were impersonating a nurse, going into hospitals and overdosing people, and they didn't realize they were using this medicine cabinet. So they'd sign in to get the medicine out, go kill, you know, their daily job; they didn't realize that the device was actually recording who took that medicine out and how much they took out, and that's why they caught that person.

But back to security. All these devices are sending what's called, you know, well, first of all the EHR database or the application is sending what's called an order: send me the SpO2, send me the heart rate of this patient with a patient ID, and then the device is sending back whatever the results may be, right, Qasim is about to die, so here's the result, or whatever the reason may be. You've got your reporting and scheduling also built into the EHR now, so you have this one application that's not only dealing with the medical data but also scheduling people into, you know, this should be in this room right now because that's the room that's available, okay. And then on top of that you've got these smart displays outside the rooms; they let the clinician know who is in this room. And then you've got, inside the patient room, the TVs that now not only show you old movies that nobody wants to watch anymore but also give the patient their medicine schedule, right, your prescription schedule, and who your nurse is, who your doctor is, and the team will also help them kind of plan out their transition after. So all the medical record is now available in the patient's TV, the patient's room TV, all of that connected to the EHR database. Then you've got the third parties connecting through VPN, you've got the remote employees connecting through VPN, patients connecting through VPN and whatnot, all right, all through maybe portals, patient portals, employee portals like Citrix. We all still love Citrix, right? So that's still being used. All right, this is what a typical environment might look like; this is just a free picture picked up from Wikipedia.

So you've heard me use two terms, EHR and EMR. EMR is that one patient record in that one clinician's office, right; it could be specific to a device. Then you've got the EHR, electronic health record, that is, you know, your health record, your medical record from all across every single doctor's office, might be in one big application, maybe data from your MRI being put into this one medical record. That now becomes an EHR, health record, because it's got multiple types of records in there. All right, so that's all the boring stuff. Let me give you some good stuff. All these devices, if I go back, with screenshots, they're all communicating most likely in plain text using HL7 and encoding, all right. I said encoding, not encryption. Y'all know what the difference is? Encoding: plain text, all right. So most likely, I'll show you another protocol later that actually does encrypt a little bit, but HL7 by default is plain text, all right. So they're all communicating over plain text; you could just do man-in-the-middle and look at patient data, all right. And if you have done some research, patient records are selling anywhere between 50 cents to $25 depending on whose patient record it is. I'm sure Beyoncé's would be about 2005; I haven't tried yet.

All right, then you've got the defaults, and I've got the stickers that I've given out early and I'll give out at the end of the talk also. These have been out since 2007. There are some in here that are newer, but most of them have been out since 2007. If you're pentesting a hospital, these are the two credentials you should start with, and guess where you should start: VPN, Citrix, email, because these are Active Directory credentials, all right. These are AD credentials; these are not just specific to a device. They are device credentials, but I guess devices also need email accounts, all right. So these have been out for a while. There was a presentation at ShmooCon that talked about a lot of these; that's where I got some of them. Some research done afterwards, the vendor thought about it. The problem is the vendor came in ten years ago, they set up a device, let's say it was GE MUSE, right, they set up a device and it works, so why break something that works? A lot of these credentials are hard-coded either in the app or in the device. Sometimes the device needs the credentials to talk to the EMR, and those were set up in the device ten years ago, five years ago, whatnot. Well, you don't want to mess that up, right, you don't want an outage. Well, you also end up with situations like this, where that MUSE EMR credential has worked for me more than 90% of the time, and I've done hundreds of pen tests, all right. The MUSE admin credential has gotten me domain admin access. It was ten-minute domain admin for me: I used MUSE admin through Citrix, I got in and I got inside the network, and MUSE admin usually runs on the GE MUSE server, which is usually a Windows server, AD-connected. Guess who set up that server? Help desk. Help desk also had DA, so within 10 minutes, again, DA over here, all right.

Unauthenticated VNC still exists. It's actually gotten a quite smaller footprint nowadays, but it still exists, and I don't blame healthcare for this, I blame the vendors. A lot of times this is set by the vendor: they came in, they set it up, they were troubleshooting, they used VNC, forgot to disable it. There have been instances where I worked with a client, I did some pen testing, found, actually once I found an AD domain inside the client environment that was set up with Windows Server 2003, and I'm talking about 2015. I told the client, hey, I just got DA on this domain, doesn't look like you guys. "Yeah, I have no idea what this is." So he calls in the IT director; the IT director had no idea what this is. She calls in biomed; biomed is the department that deals with medical devices. They had no idea. This is after further investigation: turns out it was the EMR vendor, and it was actually, no, they had put that information in the contract, but nobody bothered to tell IT, nobody bothered to tell security about it. So you'll find a lot of VNC inside the medical environments, and Metasploit has a VNC scanner you can use to find out these things. I believe EyeWitness also screenshots VNC, so you can confirm unauthenticated, if you get any access to PHI.

So this is one of my favorite things over here. The top screenshot, which is in black, one of my colleagues found an open NFS share, all right, and this is 13 billion patient records they found. How many people are in the world? Billion, with a B: 13 billion. Now according to HIPAA every record is separate; it's counted separately, so if you've got a copy of a patient record, now that's two records, all right, because it doesn't matter if somebody steals the copy or the original, it still counts, right. So yeah, 13 billion. I had to talk to him, sit him down: promise me you're not gonna sell this, because this is 13 billion; this is about at least half a billion dollars on the dark web. At the bottom of the screenshot, that's Notepad, of course, Notepad. Then that is GE MUSE. Look at the border of that table. When was the last time you used that in your application? Early two-thousands. So the client was no longer using this GE MUSE EMR, but they were archiving it; they had the archived data, so that kept the EMR, the older version, and it was never updated. Cody, I think that's your screenshot, and this one was unauthenticated access, all right, fun stuff.

And who here uses a password manager? password.txt, passwords.xlsx. And I don't, again, I don't really blame the clinicians in this, because they've got patients to see, all right, but I think this is something that needs to be built into clinician training, not just security training but also clinician training: just like you don't punch a patient in the face, you should also not do this, right. But this should be built into the training. We're still lacking in that, because the clinicians, if I became a doctor 20 years ago, I spent so much time in school, I don't want to deal with your new technology. And we make password managers so difficult nowadays. If you forget your password manager's password, good luck. Even me, as a security professional, it takes me a few hours to figure out what to do. Now imagine, you know, a clinician who has no idea about any of this stuff, who just started using a password manager because IT forced them to, and they lose the password. It's gonna take them days to figure out what to do about it, even though the password may have been Spring2019.

Physical. So that's some, you know, medical equipment along with their EMR server sitting in the same place. I couldn't find the screenshot I really wanted. The screenshot I really wanted was this hospital, this clinic, had their medical record equipment, the server and the switches, sitting on top of a fridge in the kitchen. They had a very low budget, they didn't have IT; their medical professionals would also like to be IT professionals, all right. So that's also something you run into, where they don't have the budget to implement security, and then you've got to prioritize. Of course you're gonna prioritize the medicine over security. Some modem and a router sitting in a visitor area, a nice chair next to it, all right. So who here knows about OCR? All right, I'm gonna explain this to... go ahead, what's OCR? All right, what do they do?

Yeah, I think that's right. So yeah, OCR, the Office of Civil Rights, is part of the Health and Human Services Department, and they enforce HIPAA, all right, and if you have a breach, OCR is gonna be in your business. Now there's definitions of breach: you've got reportable breach, which we just talked about, which is if you have more than 500 records you need to let OCR know right away, but if you only had a breach of less than 500 records, wait till the end of the year. You have to notify the patients right away, but you don't have to notify the news and the Office of Civil Rights. So OCR has a breach portal, and you can go and find out which hospitals recently reported something. So if you want to be depressed, this is the place to be, okay, because you'll find all kinds of things in here.

So we talked about all the bad things that exist, or some of them at least. What do we do about it? Well, first you've got HIPAA, all right. First of all, if you're applying for a healthcare security job, don't misspell HIPAA: it's H-I-P-A-A, not two Ps, although that's how it sounds, right. So you've got HIPAA. The whole idea when it started was Insurance Portability and Accountability: the idea is if you've got a doctor in Augusta and now you move to Atlanta, your record shouldn't stay in Augusta, it should be transferred to your doctor in Atlanta. Well, it also then brought in, through the HITECH rule, some information security for the EMRs, the electronic medical records, and it talks about pen testing: you should do pen testing if reasonable and appropriate, and that gets interpreted all kinds of ways depending on which consulting firm you hire, or depending on how strong your CISO or risk assessor is in strong-arming people into understanding it differently. But again, this "if reasonable", same thing goes for the encryption, all right. So full disk encryption: you have to implement it if it's reasonable. Now here's a good thing though about OCR: if you had a data breach, a laptop was stolen, and if it was not encrypted, you are in trouble, okay. They give you some leeway in the beginning when you've got to implement these things, but if you don't implement good things and you have a breach, you get in trouble, all right. I'm just gonna hold here for a minute. I mean, I think that's a pretty good use of HIPAA.

All right, so then came HITRUST. Everybody here knows HITRUST? I used to be a HITRUST assessor; I hated it, but there are really good things about it, all right. It's very difficult to go through, but it requires you to have the policy, it requires you to have processes in place and then implement them, and you get scores based on that. It used to be that the policy, process and implementation were each 25%, but they finally realized, you know, if you've got policy and process but you haven't implemented it, that doesn't really matter at that point. We had a client that told us, by policy we do not allow Linux in our environment, so if you guys pentest you're gonna have to use Windows systems, or like, all right, I'll find out. We walk in with Linux, we're connected, all right. So, and also because they had implemented the policy on paper of not using Linux, they weren't monitoring Linux, and they were the ones who had that NFS share with 13 billion records. "Because we don't have Linux here." Well, you do now, you found out. But HITRUST gets technical, all right. It requires things like you should have DNSSEC records, all right, it goes quite technical in there. It actually requires pen testing, vulnerability management, things like that. And also with HITRUST you can show you are actually, you know, certified or something, because if somebody sells you a HIPAA certification, they're lying to you. There is no such thing as HIPAA certification, and I've seen that sold a few times. I'm like, no, unless OCR is coming in and doing something for you, this is not a certification, all right. So HITRUST can help on top of HIPAA to become secure, although it's quite annoying.

Then you've got FHIR. FHIR is a replacement for HL7. FHIR has the ability to interact with devices over RESTful APIs, all right. It can take data in JSON, so it can use JSON Web Tokens, it can use OAuth, all right; it allows you to use JSON digital signatures. So if you were to replace HL7 completely with FHIR, you have a lot of capabilities when it comes to authentication, authorization and encryption. But again, if the device has been working for 10 years, who's gonna replace it? Okay, a lot of times they're expensive to replace. I have a client that has an MS-DOS device, all right, but the vendor is no longer in business, so what are you gonna do about it? It's gonna cost them 10 million dollars to replace that device; we're never gonna replace it, so they've got a lot of compensating controls around it, okay. So while this is a really good thing, it's gonna take a while before this gets implemented, okay, so you're still gonna be able to just pull up Wireshark and see the data go through, okay. Anybody seen FHIR implemented anywhere? Where, if you don't mind telling? That's awesome, a specific vendor that's implementing it. All right, so where are the crown jewels? Any questions before I move on? Yes.

So you have to... the way HITRUST works is you've got a third party, let's say Coalfire, I'm not shamelessly plugging, but Coalfire, whatever it is, performing the HITRUST assessment for you. They'll come in, review the evidence for that certification period, and then they will send that to HITRUST; then HITRUST reviews on top of that, so it's like twice you're reviewed. So that's the process for that. I think that's it. Anything else? Any other questions? Yes. Anybody who wants to be certified. Oh, so sorry, the question over there, what I answered earlier, was: is HITRUST, I forgot, yeah, is it a periodic review? And that is annually, all right, so annually you get the HITRUST certification. And your question is who's being certified. So you've got the hospitals, all right, the covered entities, but then if you want to do business with the hospital, you're called a business associate, because you may have access to PHI. Then you might also certify. For example, United Healthcare requires you to be HITRUST certified if you want to do business with them; a lot of organizations are doing that now. I believe Humana does that: if you want to do business with them, you have to be HITRUST certified, all right. So some of the local hospitals might also be doing that, okay.

All right, let's move on. So where are the crown jewels? Well, first you've got ePHI, all right. So PHI is on the paper, but ePHI is in databases. A lot of times, maybe you're not going to get it... quite often as plain text: "Hey, it's inside our environment, it's internal, we don't have any disgruntled employees, we don't have any bad people in our environment." Webcam shots: we had a client that wanted us to take webcam shots; there were some that I still cannot unsee, all right. If you're doing a physical pen test, you are gonna want to look at, you know, the front desk; they may have a lot of stuff. You want to look at the medical devices themselves; a lot of times these patient monitors that have a view into your room and whatnot have PHI. I actually walked out with one in the past to see if anybody catches me; a nurse even held the door open, so it depends what you look like. I look like a doctor, all right. Back to the real world: so look for unsecured shred bins, those little bins where you put the paper to be shredded. Well, a lot of times they're also overflowing, so you can just reach in and grab some PHI, okay. Check for publicly visible EMR or EHR screens, right, at nurses' stations: they are looking at, monitoring the patients, but they're posted above the wall for everyone to see. That happens quite a bit.

All right, so that's all for today, and shameless plug: we are hiring for pen testers. But any questions? Yes.

All right, so the question is, as a nurse, in addition to not clicking on things that should not be clicked, what else can I do to help monitor intrusion attempts? Well, first of all, check: is this person supposed to be here? A lot of times when we do pen testing, especially for hospitals, hospitals like you to come and see if you can walk away with some patient data on paper, right. Another thing you can do is not have patient data on paper. Sometimes you have to print things, but go and get them right away. There have been a lot of times I've gotten PHI right from the printer. That's it. Also, don't store your data in shares; I've seen a lot of patient data in, you know, your SMB shares or NFS shares, things like that. That will help you. Also, use good passwords. We had a client: we got in, we found about 10 accounts with Spring2019 as a password. We told them, they burned our access right away, they changed all the passwords; we got back in with Fall2019, all right. So don't store... you know, do use good passwords, and it doesn't have to be a complex password, or you use a passphrase like "Augusta table chair", just mix up some words and that's a good passphrase. Yes.

Yeah.

So I've seen something like that; we found ransomware. So the question is, have you as a pen tester seen something infected, or some kind of, you know, malware, and where does it go, FBI, whatnot? Well, in my case when I found the ransomware we were told to just stop, don't do any more pen testing, because we want to distinguish between the bad people and the good people, all right. Yeah, we're good people. So we were told to stop. They did the investigation, and that actually did not go to the FBI; I think they just did their own investigation and then reported it to OCR, okay. The thing with ransomware is, it really, again, it's not a breach if the data was not stolen, the data wasn't taken, all right. So if you can somehow prove that, it may not be a breach. Now don't take my word on it, because there's a lot of interpretations, all right, but that's just the way you can mold some things. So again, it depends, all right. But yes, I've been in the situation where we were told to stop, but in that case it went to OCR. I've not seen the FBI involved in that. It may be, maybe now, if you've got big things going on, there could be a possibility.

Right, you just saw me laugh because I've got a story to tell you. We got this client; they wanted us to only test in the non-production environment, all right. Because of that, what I usually ask them is, you know, where's the EMR? I don't want to hit the EMR, I don't want to cause an outage. I used to work nights at an EMR vendor and I used to deal with outages; you don't want to be around when there's an outage. So I ask questions like that. So this client says everything is in the test environment only. Great, we're testing this application, it's a chemo application, it's test only. Start looking at configuration, start asking the client questions, turns out it is right now connected to a chemotherapy machine that is in use. I'm not touching that. I am NOT, because I'll be fuzzing the application, right, and I'm not gonna be responsible for killing somebody or giving somebody superpowers, if you believe in Marvel, right. So be aware of something like that. Like, I was doing a physical walkthrough, a physical assessment at a local Atlanta hospital, and, well, actually it wasn't in Atlanta, it was somewhere else in Georgia. They have this nuclear medicine area where we could go ask for a map for us to look at that, but we're not walking in there; I don't want to walk out with three arms, all right. So we identify those things and we try to not interact with that, because healthcare facilities are quite sensitive, all right. I've been told I've got one minute. Lightning round question, yes.

Right, so the question is, how do you bridge that gap between clinicians focusing on saving lives and not wanting to waste time on security, and security wanting to be, you know, the top dog, and how do you actually make it happen? Well, come to the table and talk. My favorite thing is tabletop exercises, and I'd like to have doctors in those exercises, all right. I did a tabletop with a client in New York, and we had their chief medical officer, we had their HR, we had their marketing, we had their finance, and security and physical security, and we started going through these scenarios. Our scenario was Harambe ransomware, right, and we just made something up: somebody's mad about, you know, what happened to Harambe, love Harambe, and as we went through the scenarios, the medical officer really started to understand the bad things about this, because we didn't just talk about stealing patient records, we also talked about modifying them. There was some research done recently, I forget the name, but they were able to modify the archived patient records from MRIs and whatnot, and basically what the modification did was, oh, this person, before they had cancer, now thanks to computer editing they don't have cancer, or they didn't have cancer but now they do have cancer, and the doctors couldn't tell the difference, all right. So that's when they really understand the impact. Patient data being stolen is one thing; we have breaches every day now, now we have breach fatigue, but modifying those records is what scares people, all right. Well, thanks everybody, thanks Augusta for being here and listening to me. I've got stickers here, come get some stickers. [Applause]
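As an added example (not from the talk, and not any vendor's code), here is the cleartext HL7 v2 exchange the speaker describes: a constructed, MLLP-framed result message, a small parser that recovers the patient identifiers and the SpO2 and heart-rate values a passive observer on the network would read, and a check a defender can run over captured TCP payloads to inventory feeds that are still unencrypted before moving them to TLS or FHIR. The message content, the MRN, the patient and the MONITOR/EHR application names are all made up for the example.

```python
"""Cleartext HL7 v2 on the wire, as a passive network observer sees it.
Added example for this page; the message below is constructed, not captured
from any real system, and the application names are made up."""
import re

# MLLP framing that HL7 v2 uses over TCP: <VT> message <FS><CR>
MLLP_START, MLLP_END = b"\x0b", b"\x1c\x0d"

# Constructed ORU^R01 (observation result): a bedside monitor answering the
# EHR's order for SpO2 and heart rate, keyed by patient ID. Segments are
# separated by carriage returns; '|' separates fields and '^' components.
SAMPLE_PAYLOAD = MLLP_START + "\r".join([
    "MSH|^~\\&|MONITOR|ICU|EHR|HOSP|20191001120000||ORU^R01|MSG0001|P|2.5",
    "PID|1||MRN123456^^^HOSP^MR||DOE^JANE^A||19700101|F|||1 EXAMPLE ST^^AUGUSTA^GA^30901",
    "PV1|1|I|ICU^12^A",
    "OBR|1|||SPO2^Pulse oximetry",
    "OBX|1|NM|2708-6^Oxygen saturation^LN||97|%|||||F",
    "OBX|2|NM|8867-4^Heart rate^LN||72|/min|||||F",
]).encode("ascii") + MLLP_END


def unwrap_mllp(payload: bytes) -> str:
    """Strip MLLP framing; raise if the payload is not a framed HL7 message."""
    if not (payload.startswith(MLLP_START) and payload.endswith(MLLP_END)):
        raise ValueError("not an MLLP-framed message")
    return payload[len(MLLP_START):-len(MLLP_END)].decode("ascii")


def parse_hl7(message: str) -> dict:
    """Split a message into {segment_id: [fields, ...]} (one list per segment).

    MSH-1 is the field separator itself and MSH-2 the encoding characters, so
    the separator is read from the message rather than assumed to be '|'.
    """
    segments = [s for s in message.split("\r") if s]
    if not segments or not segments[0].startswith("MSH"):
        raise ValueError("message does not start with an MSH segment")
    sep = segments[0][3]
    parsed: dict = {}
    for seg in segments:
        fields = seg.split(sep)
        parsed.setdefault(fields[0], []).append(fields)
    return parsed


def components(field: str) -> list:
    """Split a field on the '^' component separator."""
    return field.split("^")


def exposed_phi(parsed: dict) -> dict:
    """Identifying data readable from the PID segment without any decryption."""
    pid = parsed["PID"][0]
    last, first = components(pid[5])[:2]
    return {"mrn": components(pid[3])[0], "name": f"{first} {last}",
            "dob": pid[7], "sex": pid[8]}


def observations(parsed: dict) -> list:
    """(observation name, value, unit) for every OBX segment."""
    return [(components(obx[3])[1], obx[5], obx[6]) for obx in parsed.get("OBX", [])]


def looks_like_cleartext_hl7(payload: bytes) -> bool:
    """Cheap wire check for unencrypted HL7 v2: MLLP start byte followed by an
    MSH header using the standard '^~\\&' encoding characters. A TLS-wrapped
    feed never matches, so a hit means a feed that still needs protection."""
    return re.match(rb"^\x0bMSH\|\^~\\&\|", payload) is not None


if __name__ == "__main__":
    msg = parse_hl7(unwrap_mllp(SAMPLE_PAYLOAD))
    print("cleartext HL7 on the wire:", looks_like_cleartext_hl7(SAMPLE_PAYLOAD))
    print("PHI visible to an observer:", exposed_phi(msg))
    for name, value, unit in observations(msg):
        print(f"  {name}: {value} {unit}")
```

Run `looks_like_cleartext_hl7` over payloads carved from a packet capture of the device VLAN to list the feeds that would need to move to TLS or a FHIR endpoint.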