SERVICE: INFOSEC; Internal Attack Penetration & External Attack Penetration
A hospital employed SecureState to test its security measures in place for Protected Health Information (PHI). SecureState performed an INFOSEC, Internal Penetration and External Penetration Tests. An Internal Penetration Test seeks to exploit known and unknown vulnerabilities from the perspective of an inside attacker. An External Penetration Test, however, analyzes the security of externally connected systems over the Internet. For example, if the hospital was targeted with a phishing attack, employees of the hospital might be enticed to inadvertently allow malware into their environment. This may provide an attacker with a backdoor entry point into their internal network. A remote attacker then can use this backdoor to locate common vulnerabilities such as unpatched or misconfigured systems and possibly access sensitive information.
Why It’s Important
Approximately 150 people – including both medical and billing staff – have access to at least part of a patient’s medical records, according to the Los Angeles Times (Health & Medicine)(1). Additionally, 85% of administrations’ networks are exploited from the outside, and 100% of computer networks are susceptible to compromise. The Health Information Portability and Accountability Act (HIPAA) were enacted in 1996 to among other things, address the security and privacy of patient data. The Health Information Technology for Economic and Clinical Health Act (HITECH) amended HIPAA with significant changes to data breach notification, enforcement, and penalties. SecureState identified policy and process gaps that resulted in weak security, leaving their PHI insufficiently protected.
What The Consultants Had to Say
Our consultant notified the client of the vulnerabilities uncovered during the penetration test. The lead tester said, “…at this point, we compromised your internal domain.” The client, after a long pause, responded, ”Wait, what you’re saying is you compromised our entire domain in few hours”? SecureState answered, “Yes!” After a longer pause, the client responded, “I’m sorry; I just swallowed my gum.”
The client was shocked at the outcome of the engagement. This is how we did it: “We performed a ‘Reverse Brute-Force,’ a method used to obtain a valid username and password credential using a fixed password.” Often usernames and passwords are stored on the network and can be quickly located. “We found a web application where we were able to find valid usernames and passwords and then used the existing credentials on a separate application which yielded a published Citrix desktop.” With access to a published Citrix desktop, “we were able to launch Internet Explorer and connect to one of our servers with malicious payloads. This enables us to achieve remote access to the network and compromise the internal domain.” SecureState then provided a preliminary report to assist the client with hardening their systems. Once the client hardens their network, SecureState will retest, providing the client confidence that their systems and subsequently their patients PHI is adequately protected.
(1) Foreman, Judy. “At risk of exposure: In the push for electronic medical records, concern is growing about how well privacy can be safeguarded.” LA Times 08 August 2006: Original. Print