By 2014, medical facilities nationwide had implemented Electronic Health Records (EHR) as mandated by Congress. Today, most of these systems still use shared kiosk Windows accounts. This talk explores the risks of shared accounts, and alternatives that can provide much greater security and accountability while maintaining ease of access.
Editor's Notes
#6: How many times have you been left alone in an exam room, waiting for a doctor? I'll bet there was a computer in there too. My last primary care doctor's office actually started playing smooth jazz overhead in the rooms. Imagine trying to talk to your doctor about something serious over Kenny G.
#7: Often, staff will lock or secure the EHR session, but will leave the actual workstation/Windows unlocked. Look for this the next time you are in to see a doctor. I've seen this happen in primary care offices, specialist offices, and ERs. If you did that chronically in defense or finance, you would be fired.
EHR systems like Epic Hyperspace (its customers hold medical records of 54% of patients in the U.S. and 2.5% of patients worldwide; if your provider offers MyChart, it's using Epic Systems) provide a false sense of security by stating "Session is Secure" when users lock the application session. To make matters worse, the USB ports are often reachable with a little effort. The situation is so common that I found a picture of this exact scenario by Googling "Computer in exam room". What could someone do with that access?
Every time I go to a hospital and start looking at their computers, they always wonder why my blood pressure is so high.
#9: This device mimics a keyboard. It can be programmed to do things like open Notepad, write a script, save it, close Notepad, and execute the script in seconds, bypassing controls on removable media (which are still a must-have).
I can even temporarily disable the default script execution restrictions, then write and run a spying script.
#10: It's much easier to write complex malware in Python and distribute it as an exe with PyInstaller, but PowerShell ships with Windows and is allowed by many application whitelisting schemes.
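The two notes above describe the exposure from the attacker's side: an unlocked Windows session, a USB device that types for itself, and a PowerShell interpreter that whitelisting lets through. As an added, defender-side counterpart (example code written for this page, not from the talk or from any EHR vendor), the script below audits a kiosk workstation for the controls that blunt exactly that scenario: a machine-level inactivity lock, PowerShell Constrained Language Mode, script block logging, an unexpected second keyboard device, and recent logged script blocks that tamper with the execution policy. It assumes Windows 10 or later (for `Get-PnpDevice`), an elevated prompt, and the standard Group Policy registry locations; the 15-minute lock threshold and the regex used to flag suspicious script blocks are my own choices, not values from the page.

```powershell
# Kiosk hardening audit (added example, not the speaker's code).
# Assumptions: Windows 10+, elevated PowerShell, default Group Policy registry paths.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Missing key or value is reported as $null rather than as an error.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-KioskHardening {
    $findings = @()

    # 1. Machine inactivity lock: Windows itself must lock, not only the EHR application.
    #    900 seconds (15 minutes) is an assumed threshold, not a value from the talk.
    $timeout = Get-RegistryValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
    if (-not $timeout -or $timeout -gt 900) {
        $findings += "Machine inactivity limit is '$timeout' seconds; set InactivityTimeoutSecs to 900 or less."
    }

    # 2. Constrained Language Mode removes most of what a typed-in script can do
    #    (Add-Type, COM objects, arbitrary .NET), even though powershell.exe is allowed.
    $mode = $ExecutionContext.SessionState.LanguageMode
    if ($mode -ne 'ConstrainedLanguage') {
        $findings += "PowerShell runs in $mode; enforce ConstrainedLanguage via WDAC or AppLocker."
    }

    # 3. Script block logging: anything a 'keyboard' types into PowerShell is recorded as event 4104.
    $sbl = Get-RegistryValueOrNull 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
    if ($sbl -ne 1) {
        $findings += 'PowerShell script block logging is not enabled.'
    }

    # 4. A kiosk normally has one keyboard; a second HID keyboard device deserves a physical look.
    $keyboards = @(Get-PnpDevice -Class Keyboard -Status OK -ErrorAction SilentlyContinue)
    if ($keyboards.Count -gt 1) {
        $findings += "$($keyboards.Count) keyboard devices present: $($keyboards.FriendlyName -join '; ')"
    }

    # 5. Script blocks from the last 24 hours that touch the execution policy or compile code.
    #    The pattern is a deliberately simple heuristic for illustration.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-1) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Set-ExecutionPolicy|-ExecutionPolicy\s+Bypass|Add-Type' })
    if ($events.Count -gt 0) {
        $findings += "$($events.Count) suspicious PowerShell script blocks logged in the last 24 hours."
    }

    if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
}

Test-KioskHardening
```

Run it from an elevated prompt on the kiosk; each line of output is one missing control. The check order mirrors the attack chain in the notes: the inactivity lock removes the unattended session, Constrained Language Mode and logging limit and record what a keystroke-injection script can do, and the keyboard count catches the device itself.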
#13: Unfortunately, I don't have access to an EHR system to demo with, so I made a very simple mockup in a web browser. It's not very fancy, but the basic weaknesses apply.
Unless you have taken appropriate countermeasures (more on these later), any EHR software is vulnerable to this kind of attack (i.e. not just Epic).
#15: In case you're thinking "My next-gen firewall or DLP would stop that."