
BCCS Presentation Template · Ransomware - Example 2/5/2016 Hollywood Presbyterian Medical Center had their system encrypted with Ransomware ($3.6 Million) Affected CT scans EMR (electronic


Hacker's Perspective on HealthCare
State of Illinois
Central Management Services

Purpose and Scope

To present a hacker's perspective on healthcare
To emphasize the importance of protecting HIPAA, PCI and other personal information
To learn how to secure this confidential data and even how to protect your personal information

Juggling Security & Healthcare

Quick Access To Data
HIPAA
Cyber Attacks
Passwords
Not Secure / Too Secure

Statistics

Predicted job losses in the US: 1.5 million
Attacks from insider breaches: 18%
Yearly losses due to organized crime, hackers and inside jobs: $1 trillion
Percentage of data breaches from simple ignorance of staff: 88%
Amount of overall cybercrimes reported: 10%
Of the cybercrimes reported, the percent that end with a conviction: 2%

What is Cybercrime?

Cybercrime: Criminal activity that utilizes an element of a computer or computer network

Examples include:
Identity theft
Cyber-extortion
Information theft
Fraud
Exploitation of children
Intellectual property theft
Phishing and Vishing

Healthcare Breach Causes

1. Cybercrime: 89% of surveyed health care orgs breached in last two years; cybercrime top cause
2. Third-party partner: 41%
3. Stolen computing devices: 39%

http://www.scmagazine.com/ponemon-89-of-surveyed-health-care-orgs-breached-in-last-two-years-cybercrime-top-cause/article/496530/


What needs to be protected?

Laptop = $1000
SSN numbers - $2 each
Breach notification - $18 - $209 per identity
Bot herders can make $50k per month
Copper - $3.20 /lb
Ransomware - $300 - $1000 to unlock your data

Myths

I'm not a big enough target
They can have my data, I don't care
We've never been hacked
Nobody would target me
My firewall protects us
My password is strong

Porn Tricks

Porn codecs
Phony multimedia player downloads or updates
Porn Blackmail

Identity Theft

Who?
Traditional scam artists
Large organized criminal elements

Why?
Low risk, high reward crime
It is all about money: directly, to use your accounts or identity, or to resell your accounts or identity on the black market
Average "take" from identity theft is almost 10 times greater than from armed robbery

Preventing Identity Theft

Do not give private information over the phone to unknown callers
Do not send private information through e-mail to unknown recipients
Shred sensitive documents and junk mail
Check your credit report at least once a year
Only use secure internet sites for e-commerce
Do not open spam

Example (Free AV software)


Spam is Hostile

Spam can be dangerous
Never click on the opt-out link! It tells spammers they found a working address
What should you do?
Filter it out whenever possible
Just delete the email

Google Dork: "Radiology"

IamTheCalvary.com/medical

Focused on issues where computer security intersects public safety and human life.

Other SCADA Vulnerabilities

Dial-ups still being used with new equipment
Use of wireless modems, Bluetooth, web services, Telnet, SNMP, DCOM, ActiveX, and other vulnerable applications in new equipment

Infusion Pump Example

Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System
Remotely control infusion volume

FDA Memo:
Disconnect from network
Change default password
Block default ports

http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm
http://www.computerworld.com/article/2932371/cybercrime-hacking/medjack-hackers-hijacking-medical-devices-to-create-backdoors-in-hospital-networks.html


Twitter Password Crack

Used dictionary attack against Twitter admin = Crystal, password = happyiness
Many accounts compromised: President-Elect Barack Obama's, and Fox News

Prevention
Complex passwords
Account lockout after 5 bad attempts
Limit admin tools to administrators

Ransomware

How does it get in?
Tainted email attachment or infected advertising from a website

What does it do?
Encrypts most documents on local and shared drives

Ransomware - Example

2/5/2016: Hollywood Presbyterian Medical Center had their system encrypted with ransomware ($3.6 Million)

Affected:
CT scans
EMR (electronic medical record system)
Documentation
Lab Work
Pharmacy
Email

2/15/2016: paid $17k ransom

Client-Side Exploitation Example

Step 0: Attacker Places Content on Trusted Site
Step 1: Client-Side Exploitation
Step 2: Establish Reverse Shell Backdoor Using HTTPS
Step 3 & 4: Dump Hashes and Use Pass-the-Hash Attack to Pivot
Step 5: Pass the Hash to Compromise Domain Controller

www.sans.org/top-cyber-security-risks/#summary

Default Medical Passwords

If any of these look familiar, change them

24 most-used passwords

1. 123456
2. password
3. 12345678
4. qwerty
5. abc123
6. 123456789
7. 111111
8. 1234567
9. iloveyou
10. adobe123
11. 123123
12. admin
13. 1234567890
14. letmein
15. photoshop
16. 1234
17. monkey
18. shadow
19. sunshine
20. 12345
21. password1
22. princess
23. azerty
24. trustno1

Passwords

Password Cracking
Identify weak or default passwords
Verify the use of complex passwords

Characters (complex)    Estimated time to crack
7                       6 minutes
8                       2.34 hours
14                      9 hours
15                      209 days


Pick The Best Password

password
Summer13
P@swordCompl3x
juggle13 google

Passwords

A strong password is:
8 or more characters
Uppercase and lowercase
Alpha-numeric
Odd character(s)
Non-dictionary
Non-pronounceable
15 or more characters for admin passwords (recommended)
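The strong-password criteria above as a checker, added here as an example and not part of the presentation: it reports which criteria a password fails (8 characters for users, 15 for admins), rejects anything on the slide's 24 most-used list, and ranks the candidates from the Pick The Best Password slide by fewest failures. Pronounceability is not modelled, and the dictionary is a small constructed stand-in word list, not a real cracking list.

```python
import re
import string

# The slide's "24 most-used passwords" list (values from the presentation).
MOST_USED_24 = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345", "password1", "princess", "azerty", "trustno1",
}

# Constructed stand-in for a cracking dictionary (assumption for this example;
# a real check would load a full word list).
DICTIONARY_WORDS = {"summer", "juggle", "google", "welcome", "hospital", "password"}

MIN_LEN_USER = 8    # slide: 8 or more characters
MIN_LEN_ADMIN = 15  # slide: 15 or more characters for admin passwords


def failed_criteria(pw: str, admin: bool = False) -> list:
    """Return the slide's strong-password criteria that `pw` does NOT meet.

    Every criterion on the slide is checked except pronounceability.
    """
    failures = []
    min_len = MIN_LEN_ADMIN if admin else MIN_LEN_USER
    if len(pw) < min_len:
        failures.append(f"fewer than {min_len} characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failures.append("needs both uppercase and lowercase")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        failures.append("needs both letters and digits")
    if not any(c in string.punctuation or c.isspace() for c in pw):
        failures.append("needs an odd (non-alphanumeric) character")
    if pw.lower() in MOST_USED_24:
        failures.append("is one of the 24 most-used passwords")
    # "Non-dictionary": drop digits/symbols and test each remaining word.
    words = re.split(r"[^a-z]+", pw.lower())
    if any(w in DICTIONARY_WORDS for w in words if w):
        failures.append("built from a dictionary word")
    return failures


def pick_best(candidates: list, admin: bool = False) -> str:
    """Fewest failed criteria wins; a longer password breaks ties."""
    return min(candidates, key=lambda pw: (len(failed_criteria(pw, admin)), -len(pw)))


if __name__ == "__main__":
    for pw in ["password", "Summer13", "P@swordCompl3x", "juggle13 google"]:
        print(f"{pw!r}: {failed_criteria(pw) or 'meets all checked criteria'}")
```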

Passwords

Prevention
Set minimum length and complexity through group policies
Disable LM hashing
Don't store passwords in plain text
Password Safe (recommended)
Don't let the browser save your password
Educate the users
Change defaults

Example (Router and password)

HaveIBeenPwned.com

Techniques

Social engineering
Social networking
Lock bypassing
Thumb drive sprinkle
Dumpster diving
Tailgating
Out of office message
Black box

Once I'm In

Unlocked PCs & cabinets
Unused network jacks
Keyloggers


Physical Security

Locks keep honest people honest
(720 ILCS 5/19-2) (from Ch. 38, par. 19-2)

If You Remember Nothing Else …

Promptly apply patches
Run anti-virus software configured to update daily, use on-access/on-demand scanning, and perform a full scan at least weekly
Use a firewall (either software or hardware) and configure for the most restrictive setting that still allows you to do required work
Select good, strong passwords and use them everywhere
Think BEFORE you click!!

Security Awareness Material
www.illinois.gov/bccs/services/catalog/security/assessments/Pages/awareness.aspx