
So yeah, my talk is on patient data and where to find it. We're going to go over the differences between enterprise and clinical environments, and I'll also talk about various medical protocols and technology that are specific to healthcare, and interspersed between that some security issues that they suffer from, and also some relatively safe things you can do to extract some juicy patient data. Then finally I'll go over a few existing tools that are out there and, if there's any time, some questions.

So first of all, my name is Stuart Kurach. I'm a senior consultant. I've worked my way up through IT over 16 years, starting off as a service desk analyst, then on through various other roles, and then basically brute-forced my way into becoming a pentester. Over the past four years, on and off, I've been looking at healthcare technologies and doing research in that.

A lot of this is going to relate to what we'd call a network penetration test, so when you're looking at assets on the inside of a network. When we're looking at standard enterprise networks, the kinds of things you're going to see in there are desktops, laptops, servers, network switches, firewalls and some mobile devices, and that's generally what you're going to see across the board. But when you go to, say, a hospital or any sort of healthcare environment, there are going to be additional things in there, such as medical devices (think patient monitors, infusion pumps), there are going to be labs, pharmacies, ambulance networks for communications, and then other healthcare-specific systems that deal with patient data. So there's a vast amount of additional technology that is completely different to your standard enterprise devices. A lot of the tools that you use as a pentester are really well fine-tuned to what you'd expect to see in an enterprise network, so you're not necessarily going to pick up on a lot of these other things. And really, in a live environment, you don't want to be causing any disruption, because those systems could be quite old and could get knocked over by the slightest of scans and things like that, so you generally want to be careful.

When you're doing your normal network pentest in an enterprise environment, as a standard penetration test what you're trying to do is find as many vulnerabilities as possible and assign a technical risk rating to each one, depending on how severe it is, how easy it is to exploit, and what the impact is. When you're doing a similar test in a healthcare environment you maybe want to shift your focus, so the ultimate thing you're thinking about is what can affect patient safety. It might not be the enterprise software with a vulnerability that has a CVSS score of 9.8; it could be something seemingly a lot less severe than that, but which could cause a huge impact across the board. On the flip side of that, some researchers from McAfee found a CVSS (Common Vulnerability Scoring System) score of 9.8 for an infusion pump, so they could remotely control this thing and deliver a deadly dose of whatever was in there. If you look at the NHS website for that and their own impact score, they put it down as a low. So technical risk doesn't always relate to clinical risk; that's just something to be aware of, and the reverse is also true.

So, some protocols. Well, some of these are technically standards, but these are things that you'll see in healthcare environments. We've got HL7 v2, developed by an organisation called Health Level Seven; that's a clinical messaging standard, to do with sending all sorts of messages about the administration of patient care and things like that. Then we've got DICOM, which is a medical imaging standard, so if you ever go for an X-ray or a CT scan or an MRI, whatever the images get sent on to will probably be using DICOM. Next we've got FHIR, Fast Healthcare Interoperability Resources; this is also developed by Health Level Seven, it's supposedly being designed as a replacement for HL7 v2, and it uses different technology. Then finally we've got LIS02-A2 and POCT1-A2, which are primarily used in labs, so if you ever get blood sent off somewhere, that's what's going to be in there. In its structure it's really similar to HL7 v2, and it also has the same security issues, so I won't go into it in this talk, but just be aware of it, because it's used a lot.

A little overview of HL7 v2. As I said, it's a clinical messaging system. It's sent over TCP and it uses the Minimal Lower Layer Protocol (MLLP), which is basically a bit of a wrapper that goes around the message body. There are different message types, for example ADT and ORU, which denote what type of clinical message they are; I'll go into that in a sec. It's an old protocol, it's been around since the 80s, but according to HL7's website it's still in use in something like 95% of US healthcare facilities. It's also not typically sent on a standard port, even though there is an assigned one, which would be 2575. There's no hard and fast rule, so stick it on any port you want, as with most things, but this is more common with HL7: it could be on anything, so it makes it a bit more difficult to identify on a network.

I said we've got the message types; we've got two of the common ones there. ADT is admit, discharge, transfer, which as you can imagine is for messages where you admit patients, discharge them and transfer them. Then you've got the observation result (ORU) messages, which are also pretty common; that's when you're sending a result from a lab test or something like that. These are usually one-way communication, so you're sending data to somewhere and that endpoint is then receiving it, with the exception of query messages, which are the only type where you can extract data from somewhere, but as of version 2.7, I think, that's been removed.

This is an abstract representation of what an HL7 v2 message would look like. They're made up of segments of text, and each segment is like a line of text in Notepad or something. They all start off with three characters, which denote what that segment is about, so MSH is the message header, and that is on every single one, and below that you see we've got PID, which is patient identification. Each segment then consists of what are called fields, and these are separated by pipes, and they contain all sorts of stuff like this.

Now, this is what a typical HL7 message looks like. You can see we've got the MSH bit (it's small, so apologies if you can't see that): that first line there is MSH, and then you've got those four characters, which are the escape characters, and those are always in every single message. Then the fields from there: the sending application, the sending facility, then the receiving application, the receiving facility, then the date, and then as you can see it kind of drops off the end here, so eight. So that's the ADT message type, A01, which is a patient admission type of message. Then the HL7 interface that you're sending that to will generally send back this example response below, which is an acknowledgement, so again it's got the sending application and facility, with the receiving ones at the top, and so on and so forth.

This is a Wireshark screenshot, a network packet capture for those that don't know; it's basically what the traffic looks like on the network. I've intercepted a request here, and luckily Wireshark has an HL7 filter, so you tap that in and it shows you this whole message. When I said before about MLLP, the Minimal Lower Layer Protocol, it's basically those bits highlighted in red: it's got to start with 0x0B, and then an end block and a carriage return, which is 0x1C 0x0D. That's all it is, and then the rest of it is just clear text in the middle. If you look on the left-hand pane, that's all the different segments listed: you've got MSH, EVN which is event type, PID which is patient identification, next of kin, and then at the bottom you can see AL1 segments, which are allergy information. Then that's just highlighting the message header on its own, and this is the acknowledgement that you'll see again, with the MLLP bytes highlighted in red.

So what are some issues with that? Well, it's sent in clear text; in fact the standard doesn't even facilitate encryption, it basically says in it that that's your problem, you need to sort it out. There's no authentication, so if you're on a network and you manage to identify one of these things you can just send it a message (don't, by the way, that's really bad). With those two things combined it's really susceptible to man-in-the-middle attacks. Research by Dallas from the SANS Institute, which he did a while ago, shows in detail how to conduct that attack, and then later on at DEF CON one year some researchers took it a bit further and in real time intercepted and changed these messages on the fly. So, really bad, and there's no way of detecting these man-in-the-middle attacks.

So what can you do safely if you're ever in that environment? This largely boils down to being on a server or a host you've compromised and just doing a file search. If you're doing an internal network pentest and you find an open file share or something like that, commonly people search for users, passwords, things like that; in a healthcare environment, search for MSH, the pipe and then the escape characters, and maybe you'll bring back a load of files that have been saved in logs and things like that, because those log files may contain these messages. In some HL7 messages there will be an OBX segment, which is an observation-type segment, and in there quite often you can have a base64-encoded string of, say, a doctor's letter or note about a certain patient. This is something that we've seen internally on an engagement, where we found a share with those in, decoded the base64, and sure enough it was really sensitive patient information, so it's like, get rid, tell them straight away.

On firewall reviews, if anybody's ever done one of those, they can be pretty boring but very, very necessary. One of the things you might call out is administrative or clear-text services, things like HTTP, Telnet, FTP. Have a search for anything that's on port 2575 or HL7, and you can say, right, you've got some clear text, and this is also clear text. If you've compromised the host, or managed to get on one somehow, check for the running services and see if you can see an HL7 interface config on there. You're unlikely to find it by doing an nmap scan, just because most of the time, sorry, it's never assigned to a specific port, and nmap isn't clever enough to identify it. And there's also the disruption that you could possibly cause to it as well; it's just not worth it.

One other thing to do, if you're ever in a situation where you're doing a test like this, is some PoCs, proof of concepts, on your own machine to demonstrate the issue, because the extraction of patient data is a really severe issue in a hospital or any facility like that. You can do ARP spoofing to show the man-in-the-middle attacks, and you can do that really easily. For anyone who's got any experience in coding with Python, use HL7apy; it's a Python module that allows you to do that, and there are lots of examples of how to set it up. So it's really easy to do, and I'd highly recommend that you have a play around with it and have these as a ready-to-go issue that you could use in those situations.

DICOM. DICOM is a standard as well. DICOM files would be the sort of images that you get from MRI machines and things like that, but it's not just the imaging; they have a load of metadata in there, and these are data sets, which are basically a huge amount of data that's separated into individual elements called data tags. The standard also describes a network protocol and an API as well, so it's not just about the construction of the file itself; it also describes how to send those files across the network.

This is an example of a DICOM image. You can see in that top right-hand corner there is a patient ID, and that's the patient name there. This is just an example of what's displayed on this particular web viewer for this DICOM server, and in the same DICOM server (this is Orthanc, by the way, it's open source) this also displays in one of the areas of the application. As you can see, you've got these numbers on the left-hand side; these are hex representations of the data tag. The first four are the data tag group and the last four are the data tag element. The group signifies what it is, so 0010 at the bottom are all patient related; as you can see there's the patient name there and a patient ID. There's loads more than this, by the way: if you just search for DICOM data tags there's a library website where you can search through them all. Here's just a snapshot of some scripts that I've got, where I search for all tags containing the word "patient"; that's not all of them, that's about a third, maybe a quarter, of them, but just to give you an idea. On the right-hand side there are all the tags that are to do with physicians.

What's really worthwhile is, if you've ever had a scan, ask for your scans, and when they get sent to you just look at them in a DICOM viewer; there are loads of free ones out there. There's tons of information in there. I got mine and it had loads of details about me, obviously, but it also had details about my surgeon, the doctor that ordered them, the person that took the images; there was also the IP address of the workstation it was on, and the software name and version of that as well. So I mean, you could technically build a two- or three-issue report for this just by getting your DICOM images.

Some of the security issues with these, then. Typically the common ports that you see are 104 and 11112; these are clear-text ones. There's a couple of others, so 2762 is sent over TLS. There's weak peer authentication: unlike with HL7, there is actually a way to restrict access to DICOM servers, or PACS, Picture Archiving and Communication Systems, basically the same thing really. One way to restrict access is by IP, but again you can spoof that. Another one is by using Application Entity Titles, or AETs, which is basically the name that you give to the server. There's a 16-character limit on those in the standard, so you could potentially brute-force those as well. Then there have been a few examples of injection, where you put malicious payloads into those data tags. One of the more interesting things is that the DICOM file can be used to create a polyglot, which is basically a file that is multiple different types of file in one. There's this 128-bit preamble at the start, which is used to be able to tell non-DICOM systems that it's an image and that they can see it, so you could put a DICOM image in Paint or something and you'll still see the image, just not the metadata. One researcher named their version of this PE/DICOM: they used that preamble to point to different data tags that were essentially an executable, so it was still a DICOM file, but you change the extension, or just run it directly from the command line, and it would be a Windows executable. So, pretty nasty.

This, as you can see, is just two screenshots of a Shodan search for DICOM; they're taken a week apart, so not a huge, massive increase, but you can see there are currently five and a half thousand exposed endpoints on the internet; two and a half thousand of those are using the well-known port 11112, which is clear text, and then nearly a couple of thousand more on 104. The third one down, 4242, incidentally is the default port for Orthanc, the open-source one, so depending on which version it's running it is susceptible to some pretty nasty vulnerabilities.

So what are some safe things you could do? Again, file search, but you could search for the extension, which is .dcm; you might get some false positives because of some Windows files, depending on whether it is a Windows host, so I typically would search for the SOP UID. That's Service-Object Pair; it's basically just a numerical ID to tell the standard what type of file it is and how it was stored. Again, with firewall reviews look for DICOM, look for ports 104 and 11112: that's clear text, that's an issue. The DICOM commands are something that you can do fairly safely with these. This is the network protocol; some of the main ones would be C-ECHO, which is basically like ping, it's just to send a C-ECHO request to a server and it goes "yeah, I'm here", using the DICOM networking protocol. Then C-FIND and C-GET, so find is like searching for a file and get is retrieving it; there's also C-STORE. These can be protected on an individual basis, so you could say that you're restricting access using AETs or IPs on, say, the C-STORE but not on C-ECHO, so anyone can send a C-ECHO but only certain ones can do C-STORE, or whichever one.

So yeah, just an example of me doing a search on my virtual hospital for the SOP UID, well, part of the SOP UID, and that's returning all the images there. This is Python, using a Python module called pynetdicom. They have an inbuilt SCU, a Service Class User, which is basically a client, and I'm using the find SCU, just pointing it at this IP address in my lab, the port, the query level, which is patient (if you set that to series you'll probably get more), and then a patient name of star. You can imagine you send that off and it gets all these hits. Now, I've seen this quite a lot; I've not done loads and loads of healthcare pentests, but on each one I've found it, so it's worth a shot if you're doing that. But just don't do star, or hit Ctrl-C straight away, because of the amount of information it's retrieving. What it's retrieving here is hard-coded in the pynetdicom find SCU module; you can change that if you just write your own, and they've got examples of how to do it, so you can include all that other juicy data like system software version, blah blah blah; if it's been set in the file it will return it.

Then some other things you can do: PoCs again. Have a look at these open-source packages, figure out how to do proof of concepts with the injection types, using pydicom, pynetdicom and Orthanc, the open-source server. With the types of injection you do things like XSS, which is something that was found on Orthanc previously; this has been fixed now, obviously, this is from quite a while ago, and this is only in the web viewer module of it, so it depends on what's available at the time. But how you do that is quite simple: as you can see, under patient ID I've just got the simple payload there that executed. So it's worth doing things like that as a proof of concept, and then again, that's just that being fired off.

FHIR, Fast Healthcare Interoperability Resources. This is sent over HTTP and HTTPS. It's got different formats, JSON and XML; it's basically just an API. This is still in development really, so you probably won't see it much. This is just an example of what a patient resource might look like, so at the top there, I don't know if you can see that, the first line is resourceType and then Patient, and that could be anything, like a doctor, a scan, whatever, according to the JSON. So again, to repeat myself, file search, because these things can get logged, so you could search for strings like resourceType and Patient and you can probably find a bunch of that. And you want to follow your standard API testing methodology for this.

One bit of research that was done a few years ago by Alissa Knight was looking at a FHIR API endpoint for an HIE, a Health Information Exchange, so one of these big things in America, and typically it had been set up with all good authentication required, but there's no segregation in there at all, so once you've authenticated you could access any patient data in there, and it was self-registration as well, so basically open. There's one thing to mention here, which is the capability statement, which is open to everyone by design and is basically just a big metadata endpoint which lists out everything about that FHIR interface. Sorry, yeah, this is the file search, and this here is the capability statement of OpenMRS that I've got set up in the lab. I've just extracted a few bits from it; what you might not be able to see is that it tells you the server software, the version, what version of FHIR it is and what resources are available on there. This is by design, to help people be able to create APIs, but it's still a bit of information leakage, so it's worth having a look at. That endpoint is called metadata, always metadata.

Okay, not too bad for time. So, moving on to some healthcare technologies that you might see in there. There's the EPR, the electronic patient record, or it could be the EHR, electronic health record, or EMR, electronic medical record; basically the same things, there are some nuances between them, but they're essentially where all the patient data will be. My personal favourite is the integration or interface engine, which facilitates interoperability. There's a long-standing issue in healthcare organisations where there are loads and loads of devices and none of them want to talk to each other, so someone came up with one of these, which basically allows you to have an interface receive a message, do some magic in between, and spit out a different message that's compatible with the receiving device. You've got the LIS, a laboratory information system, and there are lots of other "IS"es as well: there's a RIS, a radiology information system, a HIS, hospital information system, or HIMS, hospital information management system, basically overarching systems for each part of the hospital. Then obviously you've got medical devices, point-of-care devices like I mentioned before, patient monitors and whatnot.

With the EPR, I said these are the main systems where patient data is held. There could be multiple of these in a hospital. I guarantee you they are not going to want you to test against these, certainly not in a live environment; you never should. They're so complicated, there's lots going on with them, so the potential to inadvertently change healthcare data in there is just too great. They're so complicated they've been attributed to burnout in doctors; one statistic a while ago was that tons of people are quitting just because of the implementation. But again, there are open-source versions of it. I'm using images of OpenEMR here, not because it's inherently rubbish or anything, but because it is the easiest to set up that I've come across; you just get it running, it guides you through it, and it pretty much never fails. So once you've logged in, this is kind of what it would look like, not the prettiest of things, but you get the idea: there are menus in there, menus and menus, and that's one of the smallest menus as well, so you can imagine how complex they are. So what do you do with these? Essentially you just apply your application methodologies to them, always thinking about how you're extracting patient data and how you'd impact patient safety, never thinking "I want to get admin" or whatever. I mean, yeah, that's still a good goal to have, but you might not need admin to do this; you could have a low-level user and just absolutely rinse all the data out of it, and that's way worse than striving to get admin with the same results, basically.

With the integration engine, I said it facilitates communication with lots of different devices. It's highly configurable, so you can put Java in there and make it do all sorts of mad things, and it's also used to automate workflow, so there could be multiple steps involved. Mirth Connect is an open-source one, again, so there are lots of open-source options for everyone to go out and have a little play around with these things. It's written in Java; there's a Java client that you need in order to interact with it with all its full capabilities. It does have a web interface, but there are very few functions that you can do on that. If you logged in to one of these, the default configuration doesn't have multi-factor authentication or anything like that (there is facility to do that with it, though), and I've seen these in networks where it's just admin/admin, so these are things you need to look for. This is the dashboard, and it shows you what's running on there, and all these things here are called channels. If you go into the channels bit, these are all the things that you configure to do all the magic. This one I've highlighted here is something I configured after going on a search online, just to see if I could get something working, and I came across a comment which was "oh yeah, we just use it to directly input to the backend, the database of the EHR". So you could have all the security you want on your EHR, it's got RBAC, MFA, locked down and all this, but then you've got this interface engine that's just admin/admin and it gives you effectively the same access. This channel is configured with a source of a TCP listener; it's got MLLP, max connections there 10 (that's the default), so you could probably just DoS it really easily as well. Then on the destination tab, as you can see, it's a database writer going straight into the EMR database, and you could do all sorts; it's got a username and password in there, just use your imagination, go wild, obviously not in a live environment. So this is the integration engine; it's just to highlight how key this thing is, and it doesn't seem to get as much exposure. It's essentially an allowed man-in-the-middle, because there could be loads and loads of channels in there going off to all different systems, and you have loads of patient data going through it. So, have a go at that.

So yeah, tooling that's out there: not a lot. MedAudit, an HL7 discovery and fuzzing tool; I've never actually got it working, but give it a go. There's Toic, which is kind of like Wireshark with the HL7 and DICOM filters in there. Smart HL7, which is a suite of tools, standalone executables that are Windows only. And then more recently HL7Magic, which was presented at DEF CON last year, I think, a Burp Suite extension which allows you to do that man-in-the-middle of HL7 interfaces. Not much else. As you might have noticed, there are a few scripts there; it's a bunch of my scripts that I've shoved into one tool. I was hoping to do a bit of a presentation on that as well, but my house move has gone on too long and all my stuff has been packed away, so I've not been able to finish that. But essentially Plue is one that I've been developing and hope to release soon; any offers of collaborating on that are always welcome.

This is my essential list of reading. I can send that out to everybody if you like; that's basically everything that I've talked about, with lots of juicy detail in there, and specifically my favourite one at the bottom is a DNA malware one. Essentially, researchers from Washington University injected a malicious payload into a DNA strand, shoved it into their lab environment, and the sequencer read it and executed the payload, and they compromised it with that. So cool, man; well, cool, obviously they'd put it under optimal conditions, so they introduced a vulnerability, but the idea, just the concept, was like, wow, that's amazing. So anyway, that's it. Any questions? Have we got time for questions? Maybe one.

Audience: [partly inaudible] ... healthcare, so they're heavily regulated anyway?

Stuart: Yeah, so I think, like HIPAA in the US, none of that should be on the network, but it is. It's one of the most heavily regulated industries, but enforcing that regulation is the issue. Every time you read the healthcare media you'll see, especially in the US, it's two or three a week, a breach somewhere, and it's like, well, if they're HIPAA compliant, is it the regulation or is it the enforcement of the regulation that's the issue? I'd say it's the latter, definitely. Over in the NHS in England as well they've got DCB0129 and DCB0160, and all the other stuff that goes with it, but they've been popped quite a few times as well. It's the enforcement of it, absolutely; the rules are there, so that stuff should be protected.

Audience: [partly inaudible] ... is that just used in the US, or what do we use in Britain and Ireland?

Stuart: Sorry, so the protocols? Yeah, they're used everywhere. I was only saying 90% of US hospitals because that's what's on the website, but they're over here too, all over really; they're the main protocols that are used basically everywhere. Anybody else?

Audience: Does anybody who works in security in the health service get any sleep?

Stuart: They don't, no. There's loads of burnout and people just stressing all the time; it's awful. But what can you do? You've got to hope that people just don't pop this stuff, because the people who do are proper low; of all the criminals it's the dirtiest one to do. Some of the things that I've read over the years are really bad; I won't go into it because it's nasty.

Audience: [partly inaudible] ... our first job is to scrub, so we take the data and scrub or delete it ...

Stuart: Yeah, that's what you want to be doing. If you didn't do it... but, like, when I ordered my images from the hospital, it was sent second class, no signature needed, on a disc with no encryption. So you're obligated, right, you're part of the supply chain, you're obligated to do that, and you get in trouble if you don't, it's bad; but there are lots of other companies in that supply chain that, according to the media and my echo chamber on the internet, just don't do it. Anybody else? Awesome, thank you very much then.
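The HL7 v2 points from the talk (MLLP framing with 0x0B ... 0x1C 0x0D, pipe-separated segments such as MSH, PID and AL1, base64 documents in OBX, and the "MSH|^~\&" file-share search) as one added Python example; this is not the speaker's code or his Plue tool, and every message and log line in it is constructed.

```python
# Added example: find HL7 v2 messages on the wire (MLLP) or leaked into logs and
# report the patient data they carry.  Not the speaker's code; samples are constructed.
import base64
import binascii
import re

SB, EB, CR = b"\x0b", b"\x1c", b"\r"          # MLLP start block, end block, carriage return
HL7_SIGNATURE = re.compile(r"MSH\|\^~\\&\|")   # the "MSH|^~\&|" string a file search looks for


def mllp_frames(stream: bytes) -> list:
    """Split a captured TCP byte stream into the HL7 bodies of each MLLP frame."""
    frames, pos = [], 0
    while (start := stream.find(SB, pos)) >= 0:
        end = stream.find(EB + CR, start + 1)
        if end < 0:
            break                               # truncated trailing frame, ignore it
        frames.append(stream[start + 1:end])
        pos = end + 2
    return frames


def parse_hl7(message: str) -> dict:
    """Parse one HL7 v2 message into a field list per segment, so fields[n] is field n
    in HL7 numbering (MSH-1 is the separator itself, so it is slotted in for MSH)."""
    segments = [s for s in re.split(r"\r\n?|\n", message) if s.strip()]
    if not segments or not segments[0].startswith("MSH"):
        raise ValueError("no MSH header: not an HL7 v2 message")
    sep = segments[0][3]                        # field separator, usually '|'
    enc = segments[0][4:8]                      # encoding characters, usually ^~\&
    parsed = [(["MSH", sep] + s[4:].split(sep)) if s.startswith("MSH") else s.split(sep)
              for s in segments]
    return {"sep": sep, "component_sep": enc[0], "segments": parsed}


def field(parsed: dict, seg_id: str, n: int) -> str:
    """Return field n of the first segment with the given id, or '' if absent."""
    for seg in parsed["segments"]:
        if seg[0] == seg_id:
            return seg[n] if n < len(seg) else ""
    return ""


def decode_ed_payloads(parsed: dict) -> list:
    """Decode base64 documents carried in OBX-5 when OBX-2 is the ED (encapsulated data) type."""
    docs = []
    for seg in parsed["segments"]:
        if seg[0] != "OBX" or len(seg) < 6 or seg[2] != "ED":
            continue
        blob = seg[5].split(parsed["component_sep"])[-1]   # ED.5 holds the encoded data
        try:
            docs.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            pass                                # not valid base64, leave it out
    return docs


def summarize(parsed: dict) -> dict:
    """Pull out the fields a reviewer needs to judge how sensitive a message is."""
    comp = parsed["component_sep"]
    name = field(parsed, "PID", 5).split(comp)          # family^given
    return {
        "type": field(parsed, "MSH", 9),                 # e.g. ADT^A01, ORU^R01
        "sending_facility": field(parsed, "MSH", 4),
        "patient_id": field(parsed, "PID", 3).split(comp)[0],
        "patient_name": " ".join(p for p in name[1:2] + name[:1] if p),
        "allergies": [s[3] for s in parsed["segments"] if s[0] == "AL1" and len(s) > 3],
        "embedded_documents": decode_ed_payloads(parsed),
    }


def scan_log_for_hl7(text: str) -> list:
    """Carve HL7 messages out of free-form log text: a message starts at a line holding
    the MSH signature and continues while the next lines look like segments."""
    lines, messages, i = text.splitlines(), [], 0
    while i < len(lines):
        m = HL7_SIGNATURE.search(lines[i])
        if not m:
            i += 1
            continue
        body = [lines[i][m.start():]]
        i += 1
        while i < len(lines) and re.match(r"[A-Z][A-Z0-9]{2}\|", lines[i]):
            body.append(lines[i])
            i += 1
        messages.append("\r".join(body))
    return messages


# Constructed sample data: an ADT^A01 admission and an ORU^R01 result carrying a
# base64 letter in OBX-5, framed with MLLP as they would appear in a packet capture.
_ADT = ("MSH|^~\\&|HIS|WARD7|LAB|HOSP|202401011200||ADT^A01|MSG0001|P|2.5\r"
        "EVN|A01|202401011200\rPID|1||12345^^^HOSP^MR||DOE^JOHN||19700101|M\r"
        "NK1|1|DOE^JANE|SPO\rAL1|1|DA|PENICILLIN|SV\r")
_LETTER = base64.b64encode(b"Discharge letter: patient stable.").decode()
_ORU = ("MSH|^~\\&|LAB|HOSP|HIS|WARD7|202401011300||ORU^R01|MSG0002|P|2.5\r"
        "PID|1||12345^^^HOSP^MR||DOE^JOHN||19700101|M\rOBR|1|||LETTER^Discharge\r"
        "OBX|1|ED|LETTER||^TEXT^TXT^Base64^" + _LETTER + "||||||F\r")
SAMPLE_STREAM = SB + _ADT.encode() + EB + CR + SB + _ORU.encode() + EB + CR
# The same ADT message as an interface engine might dump it into a debug log.
SAMPLE_LOG = ("2024-01-01 12:00:01 INFO channel=adt-in received message\n"
              "2024-01-01 12:00:01 DEBUG " + _ADT.replace("\r", "\n") +
              "2024-01-01 12:00:02 INFO ack sent\n")
```

Running `summarize(parse_hl7(frame.decode()))` over `mllp_frames(SAMPLE_STREAM)`, or over `scan_log_for_hl7(SAMPLE_LOG)`, gives the patient id, name, allergies and the decoded letter that a leaked log would expose.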
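The DICOM points (the 128-byte preamble abused by polyglots such as PE/DICOM, the "DICM" magic, (group,element) data tags with group 0010 holding patient data, and the SOP UID) as a second added Python example; again not the speaker's code, with a constructed sample file, and it assumes the explicit VR little endian transfer syntax.

```python
# Added example: parse a DICOM Part 10 file far enough to list the patient and
# physician tags it carries, read the SOP Class UID, and flag a PE header hidden in
# the preamble.  Not the speaker's code; the sample file is constructed and uses the
# explicit VR little endian transfer syntax, which this parser assumes throughout.
import struct

LONG_VRS = {"OB", "OW", "OF", "SQ", "UT", "UN"}   # VRs that use the 4-byte length form
PATIENT_GROUP = 0x0010
PHYSICIAN_TAGS = {(0x0008, 0x0090): "ReferringPhysicianName"}
SOP_CLASS_UID = (0x0008, 0x0016)


def _element(group: int, elem: int, vr: str, value) -> bytes:
    """Encode one explicit VR little endian element (helper for the constructed sample)."""
    raw = value.encode("ascii") if isinstance(value, str) else value
    if len(raw) % 2:                                  # values are padded to an even length
        raw += b"\x00" if vr in LONG_VRS or vr == "UI" else b" "
    head = struct.pack("<HH", group, elem) + vr.encode("ascii")
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(raw)) + raw
    return head + struct.pack("<H", len(raw)) + raw


def build_sample(preamble: bytes) -> bytes:
    """Constructed minimal CT-style file: 128-byte preamble, 'DICM', meta group, dataset."""
    meta = _element(0x0002, 0x0010, "UI", "1.2.840.10008.1.2.1")         # transfer syntax
    body = (_element(0x0008, 0x0016, "UI", "1.2.840.10008.5.1.4.1.1.2")  # CT Image Storage
            + _element(0x0008, 0x0090, "PN", "SMITH^ALICE")
            + _element(0x0010, 0x0010, "PN", "DOE^JOHN")
            + _element(0x0010, 0x0020, "LO", "12345")
            + _element(0x0010, 0x0030, "DA", "19700101")
            + _element(0x7FE0, 0x0010, "OB", bytes(8)))                  # stand-in pixel data
    return preamble[:128].ljust(128, b"\x00") + b"DICM" + meta + body


def parse_dicom(data: bytes) -> dict:
    """Walk the elements after the 'DICM' magic; returns the preamble plus
    {(group, elem): (VR, value)}.  Text VRs are decoded and stripped of padding."""
    if len(data) < 132 or data[128:132] != b"DICM":
        raise ValueError("no DICM magic at offset 128: not a DICOM Part 10 file")
    elements, pos = {}, 132
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii", "replace")
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element (encapsulated data) not supported")
        value = data[pos:pos + length]
        pos += length
        if vr not in LONG_VRS:
            value = value.decode("ascii", "replace").rstrip(" \x00")
        elements[(group, elem)] = (vr, value)
    return {"preamble": data[:128], "elements": elements}


def audit(data: bytes) -> dict:
    """What a reviewer wants from a .dcm found on a share: which PHI tags are present,
    what kind of object it is, and whether the preamble hides a Windows executable."""
    parsed = parse_dicom(data)
    els = parsed["elements"]
    return {
        # PE/DICOM-style polyglots start the 128-byte preamble with the 'MZ' PE header
        "pe_polyglot": parsed["preamble"][:2] == b"MZ",
        "sop_class_uid": els.get(SOP_CLASS_UID, ("UI", ""))[1],
        "patient_tags": {f"({g:04X},{e:04X})": v for (g, e), (_, v) in els.items()
                         if g == PATIENT_GROUP},
        "physicians": {name: els[tag][1] for tag, name in PHYSICIAN_TAGS.items() if tag in els},
    }
```

A file whose `pe_polyglot` flag is set still parses as valid DICOM, which is exactly why a viewer shows the image while the same bytes run as an executable.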