So, good afternoon. Everybody hear me all right? OK, great. Plenty for the introduction. I've been doing hacking for a while. I've been working for Meditology Services, focused strictly on health care. I've done about 50 different hacking engagements for medium to large health care providers. So that's what I'm going to focus on today, and we're going to talk about the different themes that I'm seeing as a health care hacker and the weaknesses in health care.

So, overview: health care providers are really struggling with basic, foundational security. I'm going to get into a lot of these things in this talk. I used to do hacking in other industries, and when I came back and started doing hacking again and came into health care, it was really like 10 years ago in some aspects, just seeing a lot of really weak security out there and some of the technology that was out there 10 years ago. Some have closed those gaps. A few are mature; they have mature programs. But you have to also think about the health care environment. In health care, there are patients. People can walk into the facilities. There are all types of devices everywhere, computers everywhere. So it's kind of an open door. It's not like a financial institution where you keep the employees, keep everything inside, keep everything behind doors and build that perimeter up. So you have that, as well as just a lot of different devices being connected to the network. All these medical devices now are getting IP addresses and getting connected in there. And the culture overall: security has always been an afterthought in health care. That mentality is starting to shift, especially with all these breaches and ransomware that are happening. But I'll get into that in this talk here.
So real quick, why is health care a target? Obviously there are a lot of different data points that are out there: electronic medical records, financial data. This data is just being hoarded in hospitals, especially the health care information, and with that information you can do a lot of types of stuff, right? So you can do insurance fraud, prescription fraud, blackmail, ransomware, or just steal the data and sell it. So a lot of different things. And as well as just a higher impact: we're dealing with people's lives here, the privacy of their information, but as well as being hooked up to different medical devices, and the hospital system being available to serve the patient and give them correct care.

Easy efficiency, and like I said, I'm gonna talk a lot about the security weaknesses in this talk. A few of the screenshots here; I have a lot of screenshots throughout here and I'm gonna try to pepper in some of my stories. The first one here on top is just an HR system. The second one is a point of sale system in a cafeteria. I always like to hop on that before I get lunch, make sure I can get something. So we're just doing that and then grabbing some keystroke logins on that system there, just some of the screenshots showing.

So health care is a target, 30% more likely than the financial industry. In 2017 alone, the most reportable breaches have been in health care. We're seeing that uptick every year. Just listing some of the big breaches that have happened in the past couple of years here. All these screenshots I have in here are actually from health care engagements. I've redacted them so there's no sensitive information, but these are a lot of different screenshots that we've taken getting into different devices and systems within health care environments. So, health care key industry weaknesses. I'm going to talk about these different topics today.
Some are near and dear to my heart, so I'll probably spend a little more time on them and skim through a few others.

First thing here is unpatched and outdated systems. Health care, it's interesting: when we're out there you actually see a lot of old systems still sitting on the network. An example is Windows 2000 servers, always a handful of those. I've seen everything from Windows NT to one client having Windows 98 still out there on the network. I mean, it's crazy in this day and age to see some of that out there. What's happening a lot is there are a lot of different systems out there, and a lot of times these are vendor systems that are not being managed by security or IT. They're unaware of them, and they're sitting out in some corner somewhere and they've just never been updated, never been patched. So these are just showing up top a couple of exploits. The top one is just a common Microsoft exploit, MS08-067, if you're familiar with that; we usually find a few of those out there, right? Then there's a JBoss vulnerability that we use to exploit those, get local admin, then dump the passwords in memory and escalate from there, and usually pretty quickly we've got domain admin on the network. The bottom right-hand corner is just what we do with some of the proofs of concept once we get access. It's taking some webcam pictures of some of the different workstations that are out there. So in health care there are these things called workstations on wheels, right? They're used around, the clinicians are moving around, bringing them into exam rooms. They've got webcams on them. We pop on those. I mean, we've been able to take pictures of nurses in exam rooms examining somebody and monitor them while they're getting examined.
So you're really talking about some serious privacy issues that are happening with this, you know, as you get hacked, and it's just some of the stuff that somebody could actually do with getting that type of data.

Insufficient user awareness. So I think about this primarily speaking about social engineering, phishing and some bad security practices that are happening, from our phishing assessments. What we've seen here, and if you see it here in the left-hand corners, is kind of a tally of people who fell for the different phishes that we sent. So 27 people posted their credentials in this phishing campaign that we launched, just a sample of employees in the environment. And the red line there is the all-industries average. And you see the blue; that is kind of where they're at. And that's typical in health care. We're seeing at least double, if not more, of individuals falling for phishing when we send them different phishing campaigns.

Social engineering. Social engineering is really interesting in health care. We've come up with a lot of different scenarios that work a lot. One is posing as a doctor. So we'll call the IT help desk: "Hey, I'm Doctor such-and-such. I've got a patient in the room right now. I need to get into my system. I don't know what the heck my password is. Can you reset it?" And we use that authority. And when we're using that authority and being pretty aggressive with the help desk person, they'll bypass any type of verification. Even if they do verify, we've been able to work around that and give them some story, and they'll usually start shaking a little bit and get nervous, just because they're talking to a doctor. We have this projection of authority on the doctors. So they want to give up and give that information. And they also don't want to cause any types of problems or get in trouble.
So we take advantage of a lot of that when we're doing this with health care. Other things are calling employees and impersonating different IT folks. I have a little bit of background in psychology, which is interesting; social engineering for me is always about gaining trust. It's about building a relationship with somebody and establishing trust. So we'll do some research on the person that we're targeting, gather that information and start giving them that information and build a connection with that person, and also let them know we have some information on them, and as we're doing that, we're building trust. We tell them, "This is your password," and it's a fake password that we're giving them. And then they'll usually respond and say, "Hey, that's the wrong password." "Oh, can we get you updated? That's what the problem is." We're usually making a whole IT thing out of it. And they're usually okay with that. Or we'll talk them through it: "Okay, we know it's security. 15 minutes later, can you just do this and change your password?" And they're usually comfortable with that. In that 15 minutes' time, we can use that password, get on and gain access to the network.

Another big thing we see is just a lot of scripts out there, IT keeping scripts out there with different passwords in them. Active Directory is a big one. Once we get a user account on the network, we'll go into Active Directory and pull the description fields. We have read-only access with any user, typically, in an environment for Active Directory. And there's usually a bunch of different passwords sitting in the description field. We've found domain admin, service accounts, really simple stuff, really basic stuff that we see out there. So this is like the biggest pet peeve of mine: password management.
Every year I've read these different breach reports, Ponemon, Verizon, these different surveys that are going out to the health care community and the health care security professionals that are out there, the CIO, the CISO. And what I'm seeing is, always on the bottom of their concerns is, oops, excuse me, is passwords. It's not really making it; they're not really that concerned about it, which for me as a hacker, I'm like, there are really bad passwords out there. And in the right-hand corner you'll see, we usually grab the AD database and do some analysis on their passwords. This is an actual health care provider, a large provider: 6,476 accounts with the password "Password1", "abc123", I mean, really, really bad passwords. You see that the work's password, this is where you're seeing it, and it's here. I mean, this is protecting our sensitive health care information and our medical devices, everything that's out there on this network, which is just crazy to me.

And single-factor authentication: the majority of our health care providers are still using single-factor authentication. Most of them haven't moved to multi-factor authentication. With the combination of these weak passwords and Outlook Web Access, as well as it being single-factor authentication, we've successfully been able to get domain administrator from the internet 80 to 90% of the time. And that's a scary statistic. And we're under a strict budget with this; I'm doing this testing in a week or two. Real bad guys don't have those restraints that I have to put on myself to be under contract to do this work. Some other weaknesses here: LAN Manager (LM) hashing, we still see quite a bit of that stuff, very easy to crack. So yeah, it's just a huge pet peeve of mine, password management.

Default accounts and passwords is another big thing.
A lot of those GE-type accounts that are out there, we see those connected to AD the majority of the time. They're sitting there with the default password. They allow the whole AD database through the VPN. We gain access through that. And usually there are some servers and some other systems on there that those accounts actually have local admin privileges on. So we get access to that and pretty easily can escalate up. Other default stuff: SQL databases. Still see quite a bit of that out there. SQL databases sitting out there, that's pretty easy to gain access to and pop a shell. On Apache, it's easy to load up a command.asp and get a shell on that as well.

Password hints, that's another interesting thing you see sometimes. At a recent client, they had their password self-service out there and they were using security questions. Okay, so I started looking at the security questions. I think they were using six and you had to get three correct. But some of the security questions were hard, like "Who was your second grade teacher?" That would take quite a bit of research for me to do. But some of them are pretty easy. It's like, "Where did I go to elementary school? Where did I meet my husband? What town was I born in?" In 10, 15 minutes I can do some public profiling on the internet and find out all that information, or at least close to it, or at least a few cities or something. So sit there, plug away at the security questions. I can reset the password; they're not sending the reset back to an SMS or anything like that. I get it right, I can change it right there on the fly. Get into the network. So a lot of different things. This one here is actually for a point of sale system that I got access to, and they had a password hint thing going on: what was your favorite color? My favorite color is blue. That was the right answer.

Another big area is just medical device security.
And I think there are some other talks and stuff on there, and some stuff on the internet, and things that you guys can do some hacking on; I heard some really cool stuff on those. From my perspective, a lot of times we're going after these after we get access to the network, going after the ones that are connected to the network. They're just crazy. You actually see a picture here. This is kind of funny. We were doing a physical security review of some medical devices at a provider. We actually found a cockroach, and I think this is an insulin pump that it was sitting in. So they actually do have bugs, real ones. Default passwords, missing patches, configurations, no AV, root access. You name it. You can get VNC access, SSH access, Telnet access, a lot of different access.

Vendor oversight, that's like the main reason behind it. So I'm gonna get into some of these root causes at the end if I've got some time. But a lot of times what happens is the vendors come in and put these medical devices in, or biomed or clinical engineering, whatever it's called in the facilities, and they're hooking these up. Either security doesn't know about them or security believes that the vendor is taking care of the security of them. So there's this finger pointing, like, "Well, I thought you were doing it." "No, I thought you were doing it," and it's been five years these things have been connected to the network. There are also a lot of issues about the medical devices in general: can they actually be updated? Can they be patched? Can they run antivirus? There are just a lot of different concerns around it. It really depends on the manufacturer and also how they're connected. In a lot of environments, we don't see them segmented out. We have different ways that we do and talk about medical devices, building a whole security program out there and building separate networks for those ones that we really can't secure too well, and trying to lock that down that way.
Some of the ones that have done that have been fairly successful. But a lot of times we just see them connected right out on the whole network, and there's really not a whole lot of asset inventory right now of the ones that are actually out there connected. So one big thing that we do see a lot, probably I'd say about 15 to 20% of the time, is we still see WEP networks out there, and usually it's the medical device equipment that's connected to this because they can't run WPA. So it's really, really interesting. The first time I saw WEP out there I was like, really? I was like, that's nuts. In this day and age WEP is still being used out there. So this picture down here: we went around with one of our smartphones and an antenna, cracked some WEP pretty quickly and got on the network. That network was directly connected to the internal network. A whole other entry point right into the network from there. Just some of the other screenshots here are some devices that we've gotten onto. One, I think, is like breath monitoring or respiration. Other ones are monitoring what looks like heart rate and just basic vitals. But it was cool getting on those types of devices that are out there. Then pop it up here.

Lack of oversight into vendor security. I already talked a little bit about this. I'll tell a little more of a story about this here. So this screenshot here is actually a patient sleeping. A lot of health care providers have a sleep center for people who are experiencing insomnia and having a really difficult time sleeping. So they go and stay over a couple of nights at the sleep center, and there's a video camera and everything else, and there's some live streaming of them sleeping. So we hacked into these sleep systems that were connected to the network, and just really, really bad security. The password for the administrator was "password". We actually tracked down the server in the sleep center and we found a closet. That's a regular closet. No lock on it.
The server is sitting on this makeshift desk, and the password is written on a little Post-it right next to it. So it's really interesting. Another client that I had recently, they had a pharmacy network. One of the vendors came in and put this whole network in, had a domain controller, had about, I don't know, 50 different systems connected to it. Domain controller, no patching. Had a JBoss vulnerability. We got on it. We started looking at some of the passwords around it. The passwords were all the same as the username. Three characters long. Just really horrendous. Very easy to get on there. We talked to the security officer about it. He was kind of unaware of it. Some of the IT guys didn't know about it, but like I said, there's just a lot of stuff that's getting out there, and health care is just so complex, and everybody's kind of sticking stuff on the network. That's just the way it's been. And there's just this stuff that's sitting out there, and until they actually do some real testing and have somebody go out there and find this stuff and identify it on the network, unless they're doing it internally, they just have no idea.

Physical security. Like I said, hospital doors are open. So it's pretty easy to walk in and get on the clinical floors. Some of the screenshots here. This is a thing that was in a doctors' lounge on one of the clinical floors. We often find workstations sitting in doctors' lounges, conference rooms, the type of stuff that's just kind of open, that you're not supposed to walk into but is open. I don't know what's going on with that. Is that me? Yeah, yeah. Okay, sorry. So this particular workstation, we got in there, we're hanging out, there were a couple of doctors in there. They were kind of cool with us hanging out in there. We asked them; they were nice.
The workstation was automatically logged in, and also, in case it wasn't, there was a little Post-it next to it that did tell you the username and password for it. So we find that stuff quite a bit. The other thing on the far right here, that's actually me; I covered myself up. But that's just hanging out in a clinicians' room; you'll see one of those workstations on wheels. That was a really interesting client. We actually did get caught doing the physical security, but we did get really, really aggressive and we were kind of loopy. I think it was like 12, one o'clock in the morning and we were hanging out in this hospital and sneaking around. So one thing we got into, there was a place where people go and make payments, and it was like the cash counter. It had a counter top like this high or something. We hopped over that; there actually was no gate that was down. We hopped over that and we were pilfering through some of the drawers that were there, and we found the keys and the combination for the safe and everything that was in there. So you could open those up, cash, everything. I mean, it's just ridiculous. But this particular one, so we didn't get caught with that, but we went to an ICU unit and we weren't supposed to go in there; it's supposed to be badge access, but we were able to walk right in. We got in there, we were hopping on some workstations, pulling some hashes down from some of the workstations. There were some medical devices we were messing around with, and then all of a sudden I hear little footsteps, and my colleague with me, I see him take off and he's hiding. So I'm hiding too, and eventually we had to come out, but there were two night nurses, it was like Nurse Greshan and somebody else, but they were walking around and they were like, "We know you're in here." So we came out, we made up a whole cover story that we're such-and-such IT vendor, we're here doing some upgrades. We only do these at night.
They were okay with that, but we did get escorted out of the hospital. Another instance I can give you is that we actually did get threatened with a gun. I'm not gonna get too much into it, but that was a not-so-good section, a not-so-good city to be in. So physical security is quite interesting, just around a hospital, just because it's such an open access type of thing and people wanna be helpful. That's a big thing with health care. People are typically helpful, especially if you're nice. A lot of times we'll wear suits and walk around. We don't look like typical hackers, walking around in suits. So we have good cover stories, so you can get around quite a bit.

So the two center screenshots here are just around some of the actual network hacking that we're doing and getting on some of the physical security devices: getting access to the camera system that's throughout the facilities, getting access to badge systems. You wanna make your own badge. The bottom one here is the infant security system monitoring. So if you're familiar with babies, it's actually a really locked-down section at the hospital, just so nobody can steal the babies. I proposed at our firm to do this type of testing, to actually steal babies. I'm kidding. But I don't think that would go over well. I never would wanna do that, because people's father and mother instincts would kick in. But yeah, it's a very sensitive area, but we're just kind of showing that we could get on some of the systems and monitor that, that we're monitoring those controls.

So, root causes. There are a lot of root causes. I tried to cram as much as I could on one page. One is 60% of teams lack an information security leader. A lot of times what we find is a CIO has the security responsibility, or a compliance officer has security responsibilities. No CISO, very shorthanded. Teams are very small. Sometimes one analyst, two analysts at most. Very limited budget. If you look at the financial industry, I think it's like 12 or 13%.
Health care, I think it's 5 or 6%. So half the cost, and a little more complex of an environment. Culture and leadership, this is still kind of happening. It's this prioritization of security's importance. Like I said, with the ransomware and the different breaches that have been happening, it's starting to get more and more like the board is starting to ask a bit of questions about this: what are we doing around security? What's happening? So some of that is starting to shift, and it's exciting to see, but there's still this whole big thing. Focus on compliance rather than security and risk management. "So we do HIPAA, we're good." HIPAA's kind of vague in a lot of areas, not very specific, not real-world security. What can a hacker do? What can somebody do in our network? And like I said, this whole talk is really about the basics. I see a lot of times, like, "Hey, we're gonna buy this tool, we're gonna buy this next generation AV." But at the same time I'm like, you guys haven't taken care of the basic stuff, right? Password management, patching, old systems; just taking care of that stuff goes a long way. Default accounts out there, looking for your SQL databases, looking for applications that have defaults that are sitting out there. It's stuff that takes time, but it's very cost effective. That basic stuff really needs to be done before we go and bring in these tools that we don't have enough people to run and look at anyway.

Expansive systems and upgrades, so just huge HR implementations, that type of stuff takes away from security. Old systems, I talked about that. I'm slowly running out of time, so I'm just trying to skim through some of these things here. Health care systems require high availability, a patient-first mentality. Security's always been an afterthought. Security's delayed. I spoke quite a bit about vendor management, understanding the assets that are out there, responsibilities, risks.
They're definitely the weak point of entry. A lot of times we're getting in through those routes. And then just the vendors overall. So it's been the lack of a secure development life cycle. I'm actually pretty excited to see the FDA. They're starting to put out these different standards around there. They're actually getting some of these devices secured before they get implemented. And this whole process around disclosing vulnerabilities, sharing the different processes around that. And it's the business associates that are all connected into the network, and getting those guys secure as well.

So that is my talk. I think we've got, maybe I could, like. We don't have enough time. We don't have enough time? Okay. Oh, we do? Okay. So yeah, if anybody has any questions, good? If you have questions, please walk up to the mic.

What if I talk like this? How do you scope, like when you're looking at medical devices? Like for me, I would be like, okay, I'm in a hospital, there's an IP address. That could be a respirator? Like how do you be careful and not kill people?

Yeah, it's definitely one of the big issues in health care, and we have to be very sensitive, and we usually put ourselves under a lot of restraints when doing this. We work with the IT teams and we really identify, one, are there things you don't want us to touch at all on the network? Are there items you want us to be sensitive around? If we're doing medical devices, a lot of times we may ask for sampling, some sample type of things that we know they've done. We talk to them too: are you doing vulnerability scanning? Have you done that? Have you touched these types of things that are out there?
There are a lot of considerations that go into that, but yeah, we definitely want to be cautious. When we're getting on those, a lot of times we're doing more passive types of stuff, where if it's got SSH, we're just trying to connect to that. We're not trying to run some exploit code or something on it, so we're really cautious around testing those things, and working as closely as possible with the IT and the security teams so they know what's out there and what's connected. That's a good question, yeah, thanks.

Okay, I was expecting, so I've come to discover that I'm actually a physician, so I'm just saying it's a really important form that you give us. If anyone's interested in testing after this, I'll be very curious. Okay, thanks for coming, yeah.

I was just curious about Bluetooth and IoT type things. Has it changed at all, all these other frequencies and stuff and things that are limited range? Do you have to do more scoping and trying to venture around to try to find these limited broadcast systems?

Yeah, a lot of times, in my work, we have another guy that is a lot more around the medical device stuff, that is specific and comes in and looks at that type of stuff. A lot of times what I'm getting engaged for is to look at the entire network and find the weak points of entry and just do some general threat hunting around it. So a lot of times I'm not going after that type of stuff. If the environment's really challenging, then I'll start pinpointing more of that type of stuff that's out there, but usually there's so much stuff to go after, and I only have such a time frame, that I'm just trying to get in and show as much access as I can get: what could I do? But yeah, there are a lot of risks with that type of stuff.
I guess my only question is, when you're trying to exploit a certain target, have you ever accidentally gone to another hospital's network or anything, with any database that they're sharing or anything where they're using the same group or anything like that?

Yeah, not trying to think off the top of my head. There was one client that did give us some IPs for the external one time that they scoped wrong, and we got into some, I think, camera systems out on the internet of some daycare thing, but it wasn't them. But anything major, no, we haven't gotten into anything that was totally something else. I mean, on the network, everything's kind of game that's in scope for them. So there's vendor stuff sitting out on the network. We usually should go after that, and then they'll work with the vendor to secure those types of things. But yeah, nothing.

So you haven't noticed that there's any use of, say, cloud type stuff where they're actually using external resources that are unsecure or anything like that? Or is it generally internalized at the local site?

Yeah, it depends. There is a lot of movement to the cloud, and sometimes we're engaged to target some of those things. It's more from the business associate level, that are developing apps and different things that are sitting out in the cloud. But typically we're not going after those things specifically in an environment. We definitely do find usernames and passwords and that type of stuff that's external, like all their banks and different things, all that type of stuff. Anything that's external, we find big sheets and stuff with all that type of stuff in it. But yeah, we try to keep it contained in what our scope is under contract.

Right, okay. Thank you. Thank you. Thank you, Kevin. Okay, thanks.