Attacking Patient Health: The Anatomy of Hospital Exploitation presented at bsidesdc 2016

by Jacob Holcomb,

Summary : This research results from our assessment of numerous healthcare related facilities and several medical devices and health applications that remote or local adversaries could target in an attempt to compromise patient health. Through extensive analysis of these facilities, devices, and applications, we identified dozens of critical security pitfalls that endangered the integrity of hospital networks, patient medical records, and most importantly, patient health.
Our technical research efforts focused on the identification and exploitation of fundamental security misconfigurations and implementation flaws (i.e., zero-day software vulnerabilities) that could ultimately result in the harm or death of hospital patients. Our research demonstrated that a variety of deadly remote attacks were possible within a hospital, and is substantiated through successful execution of these attacks and the cooperation of 12 healthcare facilities.
The predominant focus of this presentation is the technical "know how". In other words, we will be defining and dissecting various technical attack anatomies that real world threat actors could execute in order to compromise patient health. During the dissection of each unique attack anatomy, we will be discussing and demonstrating the exploitation of numerous security pitfalls (i.e., software vulnerabilities, infrastructure misconfigurations, and human factors).
By the end of this briefing, the weaknesses of hospitals will be made abundantly clear, and attendees will understand how malicious threat actors can exploit them to induce harm to patients.