Is that really a thing, the state, can you call it the state of security if there isn't any? It's more of a gesture. Next up we have the state of security in the medical industry, by Billy. Please give him a warm ToorCon welcome.

Hello and good afternoon. Afternoon. It's morning for some people. Who stayed up way too late last night? Hello, yeah, I'm amongst you. I tend to be a little soft-spoken sometimes, so if you guys can't hear me in the back, just yell at me and tell me to speak up, please. Find something to throw. So thank you for joining me. This is the state of security in the medical industry. I am Billy Marsh. I am also known as Cannibal on Twitter. The history on that is entirely benign, so feel free to come up and ask me any questions that you feel like. It's basically from taking apart objects or pulling the components out of them and repurposing them, or cannibalizing those things for other stuff, so please, ask me questions. The worst thing I'll subject you to is my terrible humor.

I spent 10 years in the medical industry. I stood up and led the device security team for a large medical vendor, and I handled a bunch of incident response when hospitals started getting hit with ransomware. Now I work at the Phobos Group. We do security posture analysis, phishing training, threat intelligence, but we specialize in attack simulation. For this, we simulate a real-world motivated attacker, spending weeks to months on the engagement to really test the client's defenses. I also recently contributed to the PowerShell Empire open-source project. We needed a tool that would maintain persistence on laptops after they shut. When you shut the laptop, your shell goes away. We basically built something to restore that shell on a Power Command once the laptop opened back up. It is now in the main repository. This is just hopefully a little bit of inspiration to try your hand at something new. You might surprise yourself at what you can accomplish.
I'm not a programmer by any means, so this was my first foray into tool building. A lot of fun. The original purpose of this talk was to bring awareness to some of the major issues plaguing the medical industry, but WannaCry beat me to that punch. However, it painted a much better picture for the public than I ever could. I had to change my talk quite a bit from what could happen to what did happen. This major event has told us some pretty critical things. There is a lot of risk that isn't being addressed. Regulatory compliance is not a good baseline for computer security, and HIPAA is not enough to protect patients' safety or data.

What is HIPAA? We hear this term thrown around a lot. Let's do a quick look into what HIPAA actually is. Back in 1996, Congress discovered computers. Congress felt that everyone should be using computers, and the goal of HIPAA was actually to get administrative data into computers and away from paper. Thus, the Health Insurance Portability and Accountability Act was born. HIPAA is mainly focused on covered entities and business associates. A covered entity consists of healthcare providers, health plans, and healthcare clearinghouses, where a business associate is kind of like a partner: where, on behalf of a covered entity, you create, receive, maintain, or transmit patient health information, you're a business associate. HIPAA compliance, the term that often gets thrown around in security terms, is often what's in Title II of the HIPAA regulation. It is the Fraud and Abuse and Medical Liability Title. You can look it up more on your own if you really want to torture yourself with this stuff. It's really dry, very boring, and there's a lot to it.

I will mention real quick, if you search for the HHS breach report, it'll bring you to their portal to see who has reported an incident. This is basically the HHS HIPAA wall of shame. You can even export it in various file formats, which is super nice of them. Very handy tool.
Definitely use this more than it's currently being used. In a recent conversation I had, it was mentioned that HIPAA has no fangs. HIPAA does rely more on the obligation to the industry rather than enforcement. It relies on reported events from consumers. If you're a patient and you don't say something, there's not going to be an audit that really happens for these hospitals. If there's a HIPAA violation and someone doesn't say anything, it goes unnoticed. The Office for Civil Accountability is introducing an audit program, which is a great step forward until you realize that Phase 1 started way back in 2011, and Phase 2 is nowhere near completion. OCR, HHS, and HIPAA are a huge machine with a lot of complex gears, and they're still trying to figure out where the clutch is.

However, someone that does have good auditing together is JCAHO, or the Joint Commission of Hospitals. They accredit over 21,000 organizations in the United States alone and are required for Medicaid and Medicare reimbursement. But it costs approximately $26,000 on average per facility, and it has to be re-upped every three years. It's also worth noting that no other entity certifies the Joint Commission, so they're kind of on their own. Normally, I would go into omnibus and other regulatory topics, but this is a 20-minute slot and this is a talk that I kind of compressed down from about an hour, so we're just kind of burning through these real quick. You're free to message me on Twitter or any other means. Come talk to me after the presentation. You're welcome to come say hi, or if you have any questions or anything. I'll also tweet out the link to that HHS wall of shame in case you're looking for that.

So let's take a quick look at some of the reasons that hospitals get targeted. Medications are a large one. They're worth quite a bit of money.
People are often addicted to these medications as well, so they're looking for themselves and they want to swipe them, or they want to take them and resell them. A lot of times this is done by internal staff. Every now and then you will see a random off the street come in and try and steal one of these medication vaults. Mostly, though, it's done internally. It's pretty standard. About 40% of insider threats are where these are coming from. There's also equipment and consumables that are also really valuable, little trinkets and one-time-use items like syringes. It costs quite a bit if you're trying to buy them on your own, but they're basically just strewn about in hospitals. Very easy to find and make them disappear. There's a lot of the same equipment in hospitals. Take 50 devices in one hospital and multiply it out by a thousand hospitals. That's a pretty nice botnet.

Some drug companies are also without scruple in the furtherance of their own ambition, as we have seen in recent news. It's very easy for them to hire someone to change a medical record for how their medications are performing in the field, or change a competitor's medications if they want to push somebody else out of the market. Making somebody overdose on medication could also be a motive. You could change the prescription that's assigned to that particular individual at the hospital. Someone's going to administer some medication to someone. There are some other checks and balances, but it's pretty trivial to bypass those. Or they could just hack directly into an IV pump or a ventilator. It's usually in the news, there are people of interest, and they mention, oh, so-and-so had this incident, either they were in a car accident or they just had a regular health problem, being sent to this hospital. That's basically all you really need in order for an attacker to attempt something like that. Doctors could also hire someone to falsify medical records.
Physicians win 80 to 90% of the jury trials with weak evidence of medical negligence and approximately 70% of the borderline cases. Doctors trying to protect their livelihood. This would be pretty good incentive because they're that close to losing their license, and they're probably already doing some kind of shady stuff if they're at that point anyway. Intellectual property theft is huge, especially for small businesses. They incur pretty high costs in research and development, be it for medical devices or medications. There have been a few different cases where those companies have been breached and a competing product comes out on the market a month or two later at a price that they don't have to recoup those R&D costs for, so they can totally undercut them and basically drive the original company out of business.

Ransomware is another huge one. Hospitals are arguably one of the most time-sensitive businesses, and one of the first examples was Presbyterian Hospital of Hollywood. They were the first ones to publicly disclose that they'd been ransomed, and in less than 24 hours they paid $17,000 to get their systems back, and in doing so they basically opened the floodgate to say, hey, here's an industry that's super easy to compromise and they pay. So that's kind of best-case scenario for an attacker.

Lots of patient information is stored at hospitals. An attacker can use the gained information to phish or spearphish individuals. They have basically everything that they need and they know which medications they would potentially be looking at, so they can send them an email basically saying, oh, look, we've got this discount on Lipitor. We noticed that your prescription is ready. Click this link to, you know, whatever text you want. Also worth noting that a complete medical record with a credit card can go for about $50 a piece. So that's a brief look at some of the reasons people go after medical.
On top of the medical industry being a treasure trove, it is also a target-rich environment. The attack surface is absolutely massive. There's a lot of old infrastructure, like decades-old infrastructure, old equipment, XP, 2000, pretty rampant. The networks are also super old. Imagine trying to push a gig of software updates to 100 machines on a 10BASE-T network. Yeah, it hurts. There's no network segmentation. A good example is if I jump on the guest Wi-Fi, I should not be able to see the equipment in radiology.

This is a gross oversimplification of a hospital network. If you believe the earth is flat, this is kind of the right architecture for you. I never really understood why the internet is always portrayed with a little picture of a cloud. We all know the internet is for cats. So this kind of makes a little more sense. Let's pretend this hospital is about 20 years old, which is still rather new in terms of hospitals. How many of you know if the hospital that you were born in is still around? There's quite a few of them. So how old is that? And that's pretty average. So in this example the wireless guest network was added in as an afterthought and everything can talk to each other. So let's say someone in admissions decides to check their Hotmail and clicks on every link in a spam email. We all know someone like this, unfortunately. Their machine gets infected, and quickly it spreads and spreads and spreads. This level of access between computers is terrible for any kind of damage control. The amount of trust which is given between vendors, hospital staff, and guests is staggering. Any one of these can introduce malware into a network, and this has happened in the past. It's not anything that is unheard of. It's not uncommon for staff to run around frantically trying to unplug all the ethernet cables at the first sign of a ransomware outbreak either.

Patching is horrible. Hospitals and vendors are both guilty of this.
Some vendors swear that patches are not FDA approved. This is absolutely not true. Small clinics and some hospitals have no dedicated IT staff. There's a lot of complex systems, which result in misconfigurations if this is being contracted out to a centralized contractor for IT. They usually have no security staff whatsoever. Some of the bigger hospitals, the more for-profit ones, will be better about this. Some of the educational hospitals will have security staff, but they're by no means the norm. There's a ton of open ports. A lot of open ports from initial setup for a vendor. Sometimes they won't go back and revisit the configs to close things out. There are sometimes doctors that request access to equipment from home. For one example, I'll run across hospitals in Shodan, and in one instance there was a hospital that had 41 open ports.

What happens when that expensive machine at the hospital is no longer supported because the manufacturer went out of business? A lot of vendors don't give over control to equipment and the hospital has no administrative privileges. What do you do at that point? You can me-me-cat-zero machine, I guess, and try and patch it and hope that you just didn't break a quarter-million-dollar piece of equipment. The medical industry also has a lot of embedded devices. We're starting to see embedded device ransomware as well. It's like the Internet of Things but with people attached to it. There are BTLE devices as well with weak or no encryption. This is basically a CVE that you hook up to your body. There was just a recent report about the pacemakers that just got recalled. There's a whole slew of problems with those, but that's for a later talk. Centralized storage, often unauthenticated. If protected, it's easy to brute force. Lots of backup files, also not password protected. Password documents, configs, medical records, all without encryption. I'm going to speed up a little bit here because I've got like four minutes left.
A lot of this can be attributed to budget. There's a big misconception that hospitals are rolling around in cash, but they're usually just struggling to break even. Lots of doom and gloom. Let's talk about what can be done to fix some of these problems, or at least mitigate them.

On the patient side, a few things that you can do with this information: ask if it is actually required. If you don't have to give your social security number, don't. If there's a spot on the form, it just doesn't mean that you have to fill it out. If you have multiple clinics or providers in your area, call and interview them. Find out what they're doing to protect your data and if they employ any kind of security services on the regular. You can check the HHS Wall of Shame to see if they feature in it.

The next section is aimed a little bit more at covered entities and business associates. Hopefully one of them is listening. Stricter HIPAA security regulations. More security-focused guidelines will require hospitals to walk a finer line. The hospitals under the DoD umbrella are consistently better off. We just need to, like, forklift the requirement language and dump it on HHS. I can imagine their initial reaction, but things would improve drastically once civilian hospitals got over the initial freakout period. I know this is a very easy thing to say, but if HIPAA does a slow implementation to mirror their security rules, it would close a lot of gaps. Also check the features that are being pushed or promised in new devices. Sometimes they'll say that they're going to do one thing, but it doesn't actually work the way you think it does. Sometimes they'll say that it's implemented, but by the time you install it, it's not actually a valid feature, and it will be available in a future release. So it helps to verify that those things are actually there. Set up a patching schedule. This should not need to be stated. This should already be there, but set up a patching schedule.
Hound the vendor to patch their equipment, and inventory the equipment that's on your network, including SCADA and HVAC devices, because if it's got packets, attackers can get into it.

So segmenting your network is another large one. If we took our example from earlier and segmented out each area and vendor in the hospital, now each area is contained in case the derp in admissions wants to infect their computer. That mess will now be contained to that particular segment. While admissions will have kind of a crappy day, it avoids the catastrophe were it to spread to the entire hospital. Each operating room is its own little island, so it's isolated from the rest of the hospital, and if you have a vendor that can't or won't patch their equipment and it gets infected, the spread is contained to that segment. So you can call the vendor and make them deal with their crappy equipment.

Egress filtering. Egress filtering is also very important. Review the egress logs as well. That'll tell you quite a bit. Review firewall configs. And if a doctor wants access to a machine, make a VPN in. Don't just open ports. Validate your backups. Don't keep them in the unauthenticated, centralized data storage. Make sure your backups are actually being backed up and then validate that the data is good. You'd be surprised how much heavy drinking can be avoided by doing this. Put an incident response plan in place for different scenarios. I've seen incident response plans that simply say, call Steve. This is not a good incident response plan. And even though a bad plan is better than no plan, it's trivial to set some of this stuff up. This screenshot is from the HIPAA OCR page. Phishing and social engineering are still a huge threat. I mean, that's the kind of surefire way to get into pretty much any organization. Social engineering training for your staff will help them recognize bad emails and help keep them from clicking on all the things. A decommissioning schedule is also critical.
That'll help keep some of the old equipment out of the hospital. Backdoors from the factory. Static passwords. Weak default credentials. Shared passwords. Password reuse for clinic logins. Cut that shit out. Seriously, I'm sad that this slide even has to exist. And insist that all your new equipment have 2FA or better. By the way, Mel Brooks got this one pretty spot on. 12345 ranks in at the number 3 worst password according to SplashData.

So test your defenses and retest your defenses. This is something that should be done regularly, at a minimum once per year, but ideally every quarter. Getting a security assessment gives you a feel for where you stand, and having a good grasp on security is a highly marketable trait. Vendors, clinics, and patients don't want to be part of the next breach.

So WannaCry has made it painfully obvious to the public that security is lacking in the medical industry. While HIPAA and HITECH compliance is a good first step, it is not enough to provide the needed security. The medical industry needs to start taking security seriously and take steps that go beyond regulatory compliance. What we covered in this talk is common knowledge to attackers. And that's the wrong group to be best informed on these topics. It has been reported that in 2016 there were 27.3 million patient records breached, averaging one healthcare breach every day. If nothing else, I hope that someone listening right now that works in the medical industry can inform their facility or vendor that Windows patching is outside the FDA software review process, and we can start closing up some of these gaps. There's been a lot of visibility to this issue in the last several months, and I really hope it instills positive change. So thank you for sharing your time with me.

Oh, man. Yeah, condensing an hour-long talk into 25 minutes. So you had a question. There is embedded firmware ransomware at this point. So the question was, is it the Windows embedded devices?
This is firmware ransomware, hitting a lot of these BTLE devices, and the not-BTLE, you said embedded devices. Any other questions? Kenny. So firmware updates might be a bit of a gray area. This is more specifically Windows patches and anything that's not going to affect the functionality of the device. It still needs to be documented that you did your testing and you did due diligence that these patches don't affect your device, but you don't have to recertify through the FDA after you've applied these patches. Right.

A couple announcements, folks. There's T-shirts for sale. If you didn't get one, if you want an extra one, they also now have kid sizes. And then as far as the hurricane fundraiser, if you hadn't heard about it, if you can show proof that you donated to any one of the charity organizations for the hurricane relief and you bring it up to the front area where the registration is, they will give you a badge color of your choice. So the white, green, or blue badge, you just show your receipt. Did you put your slides or send them? You can put them on the blue pill or you can send.