Aug 6, 2020

Live from Black Hat: Healthscare – An Insider's Biopsy of Healthcare Application Security with Seth Fogie

By Chris Kirsch

Healthcare providers lean heavily on technology. In his talk, Seth Fogie, information security director at Penn Medicine, takes apart one vendor system after another at the "fictitious" Black Hat Clinic. Fogie gives plenty of examples and drives home the point that you shouldn't look only at network security; you have to dig deep into the applications themselves to ensure the security of your data.

Following the patient’s journey.


Fogie follows the patient journey of the now-geriatric Alice and Bob, our quintessential victims in the security realm. Taking on the perspective of Mallory, the malicious attacker, he goes to town taking apart one system after another.

For example, patient entertainment systems not only let you watch television but also give access to patient data. The first system he looks at exposes patient health information without authentication and checks PINs on the client side, a control that is easily bypassed by placing a proxy between the client and the server.


A different system, a clinical productivity tool, has a backdoor with a daily password that is generated by a predetermined algorithm.

Next, he looks at the drug dispensary system, which has an unauthenticated network share. Investigating the binaries on it, he finds the SQL decryption key. This leads to full access to the server, which exposes not only user data but also a full table of encrypted passwords, all of which could be decrypted with that same key.


Fogie then looks at the temperature monitoring system used to chill blood bags, insulin, and other drugs. Using Wireshark, he finds a few authentication codes and passwords. (Around this point my head and keyboard start to smoke as Fogie speeds through his results faster than I can screenshot.)

Findings Summary

In the end, he compromises all seven systems, mostly by way of their client software. No vendors are harmed in this presentation, as Fogie blurred out all screens. He also worked with the vendors to notify them of the security issues. Where software was no longer maintained, he patched the client software himself by setting a unique and complex password on a backdoor he found.

Managing 225,000 patient records, Black Hat Clinic could have been on the hook for millions of dollars in fines. Healthcare records are particularly popular on the dark web because they often contain enough information for fraudsters to steal a victim's identity and abuse their credit.


Red flags to keep in mind:

  • Default credentials
  • Plaintext credentials
  • Lack of hashed credentials in database
  • Exposed ‘secrets’ via client-side file review
  • Client/server protocol design errors
  • OWASP 101 including APIs
  • Client-side binary review issues (e.g. “backdoor”, decrypt, keys, etc.)
  • Client-side authentication (e.g. debug/patchable authentication)
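Two of these red flags (plaintext or reversibly encrypted credentials, and the lack of hashed credentials in the database) are exactly what the dispensary finding above describes: one key, shipped in the client, unlocks the whole password table. The following example is added here and is not code from the talk or from any vendor; the repeating-key XOR scheme and the key value are constructed stand-ins for the reversible storage, set beside a salted PBKDF2 scheme that cannot be reversed with any key.

```python
"""Credential storage: reversible encryption (the red flag) vs. salted hashing."""
import hashlib
import hmac
import os

# Constructed stand-in for a key embedded in a client binary (hypothetical value).
STATIC_KEY = b"key-embedded-in-client-binary"
ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; tune to your hardware


def _xor(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR; stands in for whatever symmetric cipher a vendor used."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def reversible_encrypt(password: str, key: bytes = STATIC_KEY) -> bytes:
    """The anti-pattern: every row is protected by the same recoverable key."""
    return _xor(password.encode(), key)


def reversible_decrypt(blob: bytes, key: bytes = STATIC_KEY) -> str:
    """Whoever holds the key (e.g. from the client binary) gets every password back."""
    return _xor(blob, key).decode()


def hash_password(password: str) -> str:
    """The fix: per-record random salt, slow one-way KDF, self-describing record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False  # refuse records written by an unknown or weaker scheme
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample table: one leaked key recovers every account at once.
    table = {"alice": reversible_encrypt("Geriatric!1"), "bob": reversible_encrypt("hunter2")}
    print({user: reversible_decrypt(blob) for user, blob in table.items()})
    # With salted hashes there is no key to find; only the right password verifies.
    record = hash_password("Geriatric!1")
    print(verify_password("Geriatric!1", record), verify_password("wrong", record))
```

Two hashes of the same password differ because of the random salt, so a stolen table cannot be cracked in bulk with one precomputed lookup.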

Don't just try to get to the DC; pentest your apps.

Fogie's advice is to not only run a pentest that tries to reach the domain controller and take over the network, but also to dig deep into the applications that hold your data. At Penn Medicine, they do a 'Lite' pentest of every new product. For fellow practitioners in the healthcare space, he recommends participating in H-ISAC.

Plea to healthcare application vendors: "Please don't make our jobs harder."

Fogie is asking healthcare application vendors to run security testing on their applications before release. Of course, as an employee of application security testing vendor Veracode, I completely agree. At Veracode, we're also seeing the market shift: application vendors are telling us that their customers are putting more pressure on them to develop secure software than the regulators are.


As an educated software buyer, ask your application vendor about their secure development practices. Rather than picking a vendor that has had a single point-in-time penetration test, look for vendors that follow a secure development process, so that they are continually working to reduce risk and are more responsive to security issues. Some vendors may also carry the Veracode Verified seal, an attestation Veracode provides to organizations that follow specific security practices in their application development.

If you don't have the resources in house to run the kind of tests Fogie did in his presentation, please reach out to us to have a conversation. Our automated testing can be plugged into any DevSecOps process, and we help with program management to bring your stakeholders on board and advise your development team on how to fix flaws. We also do manual penetration tests if that's what you need.

If you'd like to take the first step in your application security journey, we recommend you download our Ultimate Guide to Getting Started with Application Security.

By Chris Kirsch

Chris Kirsch works on the products team at Veracode and has 20 years of experience in security, particularly in the areas of application security testing, security assessments, incident response, and cryptography. Previously, he managed Metasploit and incident response solutions at Rapid7 and held similar positions at Thales e-Security and PGP Corporation. He is the winner of the Social Engineering CTF Black Badge competition at DEF CON 25.