The Hacker Mind Podcast: When Old Medical Devices Keep Pre-Shared Keys

Robert Vamosi
November 15, 2023
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

You would think there is a procedure to End-of-Life a medical device, right? Erase personal health info. Erase network configuration info. Speaking at SecTor 2023, Deral Heiland from Rapid 7 said he found that he was able to buy infusion pumps on the secondary market with the network credentials for the original Health Care Delivery Organization in tact. In theory, he could join that network as that device and potentially pivot to other parts of the HDO. No good since there are hundreds of thousands of these devices in use today. 

[Heads Up: This transcription was autogenerated, so there may be errors.]

VAMOSI: This week one of the largest private radiology companies agreed to pay a $450,000 fine after a 2021 ransomware attack. This attack during the height of covid 19 lead to the exposure of sensitive information from nearly 200,000 patients. The attorney general of New York, Letitia James, cited in her agreement with US Radiology, the company's failure to remediate a vulnerability, in particular, CVE-2021-20016.


So here’s the interesting thing:  US Radiology was unable to install the firmware patch for the zero-day because its SonicWall hardware was at an end-of-life stage and was no longer supported. The company planned to replace the hardware in July 2021, but the project was delayed “due to competing priorities and resource restraints.”


The attorney general’s office said "once the threat actor gained access to the VPN, they leveraged 101 additional credentials to access various network data folders over the following week. The Attorney General's office continued by saying that threat actors capture username, password and other session information stored on the SonicWall server through a process known as a SQL injection."


What the state of New York found was that nearly 200, 000 patients had their names, dates of birth, patient IDs, dates of service, provider names, types of radiology exams, diagnoses and/or health insurance ID numbers. In particular this data included driver’s license numbers, passport numbers, and Social Security numbers for 82,478 New Yorkers


James concluded with a statement“US Radiology failed to protect New Yorkers’ data and was vulnerable to attack because of outdated equipment. In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems.”


I mention all of this because healthcare is relatively young in terms of software development lifecycle processes. It’s the latter part about remediation and end of life. The problem for the medical device manufacturers is getting the product certified through the FDA in the US and other agencies in Europe. After that, they typically don’t update the software. And they apparently don’t consider the end of life on the device either. 


In the moment, I’ll share a story about devices that have been discontinued or at least found not longer necessary in healthcare organizations sold on a secondary market place, like eBay. These devices may not have personal identifying information or PII, but they might contain information that could allow a secondary purchaser to find their way back on your network. And who knows what they can do with that. I hope you’ll stick around.


[music]

VAMOSI: Welcome to The Hacker Mind, an original podcast from the makers of Mayhem Security. It’s about challenging our expectations about the people who hack for a living. I’m Robert Vamosi and in this episode I’m discussing end of life for OT devices, and how their purchase on a secondary market can provide tokens and pre-shared keys that can be used to gain access to your network. 

[music]

VAMOSI: I recently attend SecTor 2023 (Canada's largest infosec conference). If you haven’t been, I encourage you to check it out. It’s run by the same people who run Black Ht but it has a distinctly Canadian flavor, and a lot more engagement. Anyway, I find the talks at SecTor to be technical, just the way I like them. So of course I attended a talk on medical devices and quickly learned that there's often a process or procedure to delete the network configuration once the device goes EOL. Not good since there are 100s of thousands of these devices in use today. So I had to speak to the presenter.


HEILAND:  Yes, my name is Deral Heiland, and I'm a principal security researcher of OT IoT for rapid seven. rapid seven is a security products company and service company. So rapid seven, produces a series of tools and solutions to help organizations manage their security environment, covering everything from threat and vulnerability management, detection, response, application security. We also have an entire fleet of services around penetration testing, covering everything from Wi Fi network web application, all the way to red team and IoT pentesting.


VAMOSI: OT is perhaps new favorite topic these days, and is the subject of my other podcast, Error Code. I’m wondering if Darel has traditionally done pen testing in OT? And wondering if there’s a lot of concern in the OT space? 



HEILAND:  Yeah, I think there's a lot of concern in the OT space. You know, theoretically in the past we all kind of didn't think much of OT. It was all segmented off to be attached to anything but we're in a changing world where people are trying to move data historians into the cloud and various other things, and they want to mesh their networks all together. So now they have to start thinking about how our OT technology or SCADA environments potentially be impacted by that? And how do we better secure them so yes,


VAMOSI: So one area is in medical devices and there's the whole real consumer, but we're going to focus more on what you would find in a health organization. And you were mentioning the connection to traditionally hadn't been connected, and now there's more access being granted to it or added to it. One area in particular that you focused on was insulin, or I'm sorry, infusion pumps.


HEILAND:  Yes. So when you get into the whole medical world I've done. I have a long learned past of doing pen testing. So I've done a lot of pen testing to hospitals and organizations. And when you start thinking about those environments, and the medical or the when I say medical environment, I'm speaking about the environment where critical care is given. This is where patients would be hooked up to infusion pumps and medical devices and all those type of things. Historically, there hasn't been a lot of good segmentation in those organs in those areas. So the business network of the Medical Hospital and the critical care, we're all kind of attached together. So when we started thinking about that, we started thinking about the potential impact of patients that have devices connected to them for their health and safety and administration of medical care. It becomes quite scary, and very concerning. So that's what kind of led to the whole research project around medical devices, mainly infusion pumps, it was about how do I get to that point where I really have a good understanding of the medical environment. I have the historical experience doing pen testing, but now what about medical technology and how is it impacted? So the goal of the research project was to expand my knowledge and help rapid seven expand its knowledge in medical device technology and security.


VAMOSI: So bringing network capability to these devices. I'm wondering if the lack of segmentation is an artifact of that, that there was a rush to get these devices connected in some way and there wasn't a process where they were looking at logical segmentation let alone physical segmentation of these devices.


HEILAND:  I think it was a progression from you know, network technology comes into the hospital decades ago, okay. And then we progressed forward, we had the business aspect of it, we have the ability to record taking care of records, patient medical records, all of that type of stuff. And then we have medical devices that are on the network and through the progression over time. We start making the devices network aware. For many purposes, it's for you know, management, it's for gathering data as like it feeds back into the medical, electronic medical records. So we can keep track of you know, hey, doses of like infusion pumps, doses that were set for a patient, how long were they on it? All this data can feed back into the medical record system for maintaining a historical environment. And we kind of progress from not having any devices on a network to just gradually to the point where we wake up one day and it's like, oh, wait a second. We have a lot of critical care devices that are attached to a network and those networks are not segmented. They're not maintained. We really don't think about it. And and that's where we're at right now. And how do we move forward and I have to state a lot of hospitals and organizations are aware of this and they're kind of moving forward around that segmentation. When I was doing pen testing, six plus years ago, I rarely seen segmentation. But now it is a topics that we're all aware of are all moving in that direction. And then they're also trying to get up a big understanding of what's the risk of these medical appliances on the network and trying to figure out how do we manage these from a vulnerability standpoint, how do we manage these from you know, stored capabilities, especially infusion pumps, you just don't know where they're at. They they're they literally can be scattered all over the place. One individual device can end up anywhere within that hospital that's or multiple floors of a hospital, multiple areas of different hospitals and stuff like that. So there's this whole level of complexity that comes into play. When it comes to medical devices, especially these. Most of these medical devices are mobile. They don't always stay in the same location.


VAMOSI: So that brings up a good point. How do you get access to an infusion pump that you want to do a pen test on?


HEILAND:  Well, the thing was infusion pumps is and a lot of medical devices are very much like the old, typical ot SCADA environment. You don't buy something and then three years throw it away. It's not like that. So they stay around for a while. So they easily go to secondary market so you get your hands on secondary market devices. Often the software is kept up on them in the hospitals at least that should be kept up. So when they get rid of get rid of it, you can go to the secondary market and purchase these devices. And just because they're in secondary markets, doesn't mean they're not being used everywhere else also. So they may be used for another five, six years and based on the financial status of a specific organization or hospital, they may keep these devices for much longer than certain hospitals that have the financial means to update the newest and greatest stuff. So there you go, the secondary market and you purchase devices. And from there you can lab them up as I've done with two or three different models and get a chance to play with them and work with them and learn to understand them. I also I can't mention who but I also worked with a couple medical organizations who gave me access to talk to biomedical managers that run biomedical networks. I've sat down with biomedical teams that actually do maintenance and repair and test the gear and recalibrate it and gone through all of that with them. And I've talked to hospital security people on this project, so I've had a chance to not only work with the medical devices, but also sit down and talk to hospital and medical personnel about these devices and what it means to them. What are they concerned with? And where do they see this going? So it's been a very broad research project, besides just looking at hardware, which I think is very important. We always need to go beyond just hacking on the hardware. Let's talk about the big picture and how that plays out.


VAMOSI: So I want to briefly do a tangent on the secondary market. It didn't occur to me that that was such a robust area for some health organizations. To pursue devices. The FDA just changed its guidance around devices such that the manufacturers have to continue to provide updates through the life cycle of that device. Secondary market is going to complicate things is it not?


HEILAND:  The way I see the secondary market, there's different components of the secondary market. There are medical appliance companies that actually purchase devices and completely refurbish them and recalibrate them and do the whole nine yards in those cases, and then there's the eBay version of that. Now the high end ones will actually sell stuff on eBay too. But you can buy parts and functioning units and it's a cheap way to get repair parts. Because of the devices, from what I understand when they go into the hospital, the hospital's biomedical teams, biomedical appliance teams are going to maintain the gear. That means they're going to patch it, they're going to repair it, they're going to upgrade it. They're going to calibrate it. So pulling parts from one device and putting them in another device is not, in my opinion, problematic. It's just a matter of are they calibrated? Are they tested? Are they in compliance to function properly, and long as an organization's doing that doesn't really matter where they particularly get these devices? I don't think it is. I think that's a great means for devices that aren't necessarily being sold by the manufacturer anymore. Because a manufacturer even though he may quit selling a specific model will often continue to maintain it and maybe need to re maintain it for a given period of time by the FDA. These devices are already going into the secondary market probably within three or four years or even sooner. I've actually seen pumps that are currently being marketed by manufacturers on the secondary market already. So it may be you know, an organization a medical organization goes defunct goes out of business. Where do these devices end up they go into the secondary market and are purchased by hospitals organizations that don't have endless funds, they can buy them on secondary market, calibrate them, get them working, put them in the operation and do it much cheaper than it would cost to buy them brand new. I hope that explains it. Yeah, no, that's my vision of it. From what I see. I have not talked to an organization or hospital that has gone through the process of purchasing one secondary market, but it seems from what I've looked at out there on eBay and the companies that sell on eBay and other third party companies that are available over the internet that are selling used equipment seems to be very robust market.


[MUSIC]


VAMOSI:  Okay, so you've obtained your Fusion pump and you've brought it home with you. There's two methods generally there's the non destructive and the destructive. Walk me through some of the non destructive tests that you did and some of the stuff you discovered.


HEILAND:  So yeah, so when it comes to trying to get what I refer to as a firmware or the data that's actually stored on the device, there's the struct of math, I just tear the thing apart, pull the flash memory chips off and off I go. The other one is the non destructive I was still working after the fact. One of the examples was the Baxter infusion pump which is where I have to put all the great things about Baxter. They were great to work with an excellent organization and we work with them pretty closely when we publish several advisories on their product. But as an example, they has a battery unit that's also Wi Fi so you can upgrade the units to newer latest greatest Wi Fi but just changing up the battery. It plugs into the back of the device. The battery would actually end up containing data like Wi Fi credentials, but the main unit would too. So anytime you'd stick a battery on there it would transfer the data to the new battery. So a non destructive means was to put a shim between the battery in the unit so that you can tap into those communication lines and listen to him so when you power it up, it transfers that data over to the battery you could capture. That's a nondestructive method. On the Alerus pump, very similar. There is a console plug in the back of the pump where you can maintain software where they go through calibration and testing and all that stuff. From there. You can also do backups of all the configurations. And data off the pump. In this case they within the application maintain security of that data. That means you can't see the raw data like keys, passwords, all that stuff. And when you pull it off to store it, it has you encrypt it, so versus coming out and coming out and figuring out how to crack that encryption and figure out what the encryption was. We just listened to the communication between the software on your desktop and the device when it actually backed it up. And we were able to see it come across the cable in clear text and were able to gather that data. That's another example of being able to be non destructive and then then there's also not completely non destructive but you're not going to destroy the device and that is actually tapping into the circuit boards. Through debug ports, things like JTAG debug ports with debuggers and from there you connect into the main processes on the device and you can make requests to the device to go give me all the firmware and it'll actually let you dump all the firmware. And that's another non destructive method. But none of the devices don't necessarily have a simple open up the device and find a plugs, plug the plug in. Sometimes it takes a little more digging into the device to figure out how to connect to it and that's where it gets on the edge of destructive non destructive when you got to start soldering wires and stuff onto a circuit board you potentially could actually destroy the device in that process.


VAMOSI:  And I understand that one of the things you found were pre care pre shared keys that were not updated with updates. Yeah, so


HEILAND:  So when I started this project, we we started looking at the Baxter and the VDS Aleris pump backs are similar in the VDS Aleris pump. But during this process of buying pumps and and going through testing them and pulling data off of them the figuring out how they work and all that stuff. I started noticing that there was like data on this devices that shouldn't have been there. So that's when we kind of stepped back after the initial phase and go hey, let's dig a little further. Seems we have a systemic issue here. So I went out and bought a whole bunch more pumps off off the market. Secondary Market tried to get them as cheap as possible, whether it was the pump, or and then I added a third one into the mix two I actually added a Hospira Abbott plum into the mix. So I could have three different devices, three different brands of devices instead of just the two for that phase. And we just start pulling them apart, ever how I get the data off it let's just get the data off of them. I literally destroyed a half dozen pumps in one day. Just rip them apart, pull the chips off. Because I think I found out the best way to see if there's data thereby breaking things that are broken. There's no way anyone could have purchased the data off of it in that case. So I grabbed a bunch that way I grabbed a bunch that were working just got a good example of every one of these brands of devices online. And we found out I think out of the 13 devices I pulled to do this. Eight of them I was actually able to pull credit credit for that led to what I consider potentially accessible data that can be used to gain Wi Fi access to five different hospital chains. Wow. And then we didn't save the data. Right just I made I made note of it we purchased the data we didn't keep it or anything like that. It was just say is there an issue there? The only other thing I did was to go okay, I have this data who's it even belong to because the the the Wi Fi SS IDs were not necessarily completely descriptive sometimes they were just a series of initials and I'm like, I have no clue who this is where you can go online and there's a online website called WiGGLE, which is an entire massive databases of Wi Fi.


VAMOSI: Okay, so I had to go check this out. It’s really cool. It’s an open source map of SSIDs that have been reported. I was looking around my neighborhood and sure enough I could see on the map the same SSIDs around me that my laptop can see. So one can use this if they have an SSID. They can type that name in and see where in the world it relates to. 


HEILAND:  Everyone can put data in it and it's like a running database of Wi Fi SSIDs around the world. And he can go in there and search for it and literally find out who it belongs to and it doesn't take long and you can narrow it down right to the hospital hospital chains. In some cases if it's an organization that goes hey, we're going to name all of our location Wi Fi SSID slightly different. You know, they'll have initials and it'll be 001002 for the different APS or something like that. You can often narrow it down to the exact building it's in because they typically just reuse them when they replace it with new gear.


VAMOSI:  And part of that reuse I would imagine is going back to the OT problem which is you don't want somebody out in the field futzing with that type of stuff. They just want to like, hook it up and get it running and then leave.


HEILAND:  You want it, you want it to work. So if you think about it in today's modern time, think about a hospital, all the different devices they have. You have all their laptops, you have all their tablets that they're carrying around. You have all the infusion pumps, you have all of the health monitors that look up for blood pressure and all those types of things you go on and on and on all the devices that are in the hospital now that are communicating via Wi Fi. If I decide I want to change out one, the infusion pumps am I going to have to go out and change the Wi Fi credentials on 1000s or even potentially 10s of 1000s of other devices to effectively be able to switch over to something new, or am I just going to put the same stuff that everyone's using already. Back on the new devices I just bought, typically the only time we would ever and we did this when I worked in Fortune 500 companies too, because it's nearly impossible. It's very problematic to go change everything. And we used to the only time I ever saw us switch everything over is when we were changing the entire security model. So we decided to go from a pre-shared key to EP or from standard pre-shared key stuff to let's say, an enterprise where we use certificates on all the devices. Usually when we start doing something like that, then we'll do a full migration of the entire organization. And we How often do you do that? And hospitals want things to always work  and they want them to be simple. So yeah, so probably just going to reuse it.


VAMOSI:  So is this like an orchestration problem or a governance problem from like an IT perspective? Or is it still back to the individual device? so you were just saying that they want it to be simple. They've got this SSID and Password baked in and they want to hook it up and get it up and running quickly.


HEILAND:  Often it's a resource issue. For you know, what is the cost to me as an organization to have to, you know, I have 1000 occasion pumps that I just bought to set those up to match what we're already doing, or go out and change 10,000 things to match something new. How much of a resource to have what's that cost to me employees time effort. Most of the time, a lot of organizations don't have staff, effective staff to be able to go in and make major changes like that. And even if you decide you want to make changes like that, it can take a while. I've been involved when we've made those migrations over Wi Fi for every machine to different different thing and make it easy to take months in a large organization. I've seen it take upwards of six to nine months to migrate over. The thing. The good thing is, is if you want to migrate over to something new, you've decided, hey, you know, we've managed to sell all of our infusion pumps on eBay over the last six months. We didn't bother to purge any of them. Now I'm a little worried about what to do? Often? The the Wi Fi access points that are out there have multiple radios and sometimes you can go in and easily spin up new radios and all of those with new new creds and new pre shared keys or whatever you want to do enterprise certificates, whatever, and then start migrating everyone over as time permits as you as you have the resources. Now you're gonna have you're gonna have duplicates, you're gonna have the new solution and the old solution in place for a while but at some point, you can get rid of the old stuff. But again, based on the amount of resources you have to throw at it, it could easily take six to nine months I've seen in large organizations to be able to make a migration like that.


VAMOSI:  So it'd be unreasonable to expect management of individual devices. There's still going to be a bit of cloning going on this is going to be the management as you said, like, you know, 1000s of devices as opposed to individual.


HEILAND:  Yes, yes. Typically, typically if you wanted to change out a device, you're going to have to there's there's probably going to have to be some kind of physical access to it. It varies from device device, these devices that I've had in my lab to be able to go in and go okay, you need to change the Wi Fi pre shared key passwords on every Baxter infusion pump in your environment. Yeah, you're not, you're not going to do that in a day.


The start with these devices you had to have physically in front of you to do it. It couldn't be done over the network from what I can tell, at least the older stuff, doesn't mean new solutions moving forward are not going to solve that problem. But you had to do that. Now. Again, with a lot of these medical devices. They go through a biomed lab where they have to go through regular calibration and testing. To me that's where you were. I mentioned you set up two radios each one of your access points, spin up two radios, and then make those migrations. So when it goes to the bio lab, you switch it over to the new solution. Eventually everything's gonna make it through the bio lab for testing and calibration and you're gonna get everything switched over. That's kind of how I would see the vision. Now, if you went and talked to a hospital's security teams or network teams or biomed teams, they may say something different. I can only imagine they probably wouldn't want to do this because of the amount of resources you have to apply to it.


VAMOSI:  So we've talked about the data that's still on these devices and the lack of ease and purging it is that something that needed to have been built in at the beginning


HEILAND:  It comes down to as I've mentioned, and I've said this many times, organizations need to have solid cradle to grave solutions for all new technologies that are brought in, in that they need to have processes and procedures on how everything's done ahead of time. You don't wait and go, Hey, we need to get rid of these 10,000 devices. How are we going to do it? That should already be predetermined when the die devices were acquired. So you build those solutions that cover everything from this is how we're going to deploy them. This is how we're going to maintain them. This is how we're going to do security patches for them. And this is how we're going to get rid of them at the end of life and have the documentation in place. So there is no confusion. So you know, like hey, you need to go to the service manual. And run this procedure to clean it and not wait until the end and go. Where's the manual set? How do we do this? That's the wrong way to do it. So having those solutions built from the very beginning as you acquire new technologies that define how devices are going to be handled. maintained and de acquired, cradle to grave solution. Then you streamline this much better and it becomes way less complex and complicated. And of course that whole streamlining also may include contractual agreements, not all the devices that you acquire in your organization, do you sometimes you may lease this. So you need to have contractual agreements in place going okay. These devices will need to be purged before they're ever done before they leave our building. Or you know the manufacturer or whoever you acquired from not going to resell them, they're going to feed them into a giant metal shredder. All of it done from a contractual agreement ahead of time as part of that cradle to grave solution.


VAMOSI:  So in the health care organizations that you've worked with, is it that they don't know this or they don't have somebody that's doing security? Check on these things just for resource lack of resources.


HEILAND:  And in a case, in the case of the devices I bought online, I can only imagine my assumption is that they sold these things off to a secondary market, some organization that is going to get rid of them somehow. They're like, okay, we can read we can recover the small percentage of our investment by selling these and we stack them on a pallet. We sell them for weight or ever how you want to sell them. I've seen that done for products before and out the door they go not thinking about that these things potentially still have data. I mean, we went through a phase here about it. It's actually not much more than a decade. ago, or less than a decade ago, when we started thinking about hard drives, you know, actually made it on the news, hey, you could buy hard drives off eBay and it contains all your data. And everyone was like in this total state of panic and things got changed. Companies changed their procedures on how devices are sold or disposed of. A lot of times they just pull the hard drives out and feed them into a giant shredder to get rid of them. Or other means. Well we're in a different world now. So we're dealing with embedded technology. There's no hard drive in there. It's a small chip. It probably smaller than a nickel, or a diamond size that's on that board. And it can, in some cases contain upwards of 32 gigabyte of data on newer devices. So So it's literally bigger than hard drives. Were 1520 years ago in some cases that we're dealing with, and now it's just a chip. And we don't think about it. We don't think that these things are storing this data. A lot of organizations have not gave that much thought. They do take into consideration security. They are thinking security. They're thinking about vulnerability, exploit breaches to their organizations, to their hospitals. But they don't think that that data that there's data on these in some cases and really thought about that. I remember going back and looking at a whole bunch of service manuals that were like more than six years old and an eight year old nine year old manuals, other products. And you would search the manuals and go urging the device cleaning the device trying to find a procedure. And all they did was tell you actually how to clean the outside of the device and you can't spread disease. There is literally nothing in the manuals up until, in my opinion in the last few years that covered actually removing data off these devices.


VAMOSI:  So we've tossed the term data around are we talking about PII? Are we talking about telemetry what sort of data have you encountered?


HEILAND:  So in this case, of all these three devices I looked at I did not find PII data. If you look at the communication packets that are sent from these devices, and the data structure it's stored on there. There is space for patient name, and other data about the patient. But none of these devices collect that data. They assign it a patient ID. So it's basically a patient medical record number that's assigned. So all of this data because you could go in there you know, I got I got captures of things like different drugs that were actually being administered so maintains all these logs too. So you have patient IDs that they assign it from patient records, you have date time stamps, and you go t drugs, fentanyl, this watch ministry on this date for how long, that type of thing. And these things contain a lot of records literally 1000s of records are on these devices for that type of stuff. But without a tie back to the actual electronic medical record, then there's no way to associate this to a specific individuals. So my opinion, not much of a PII or HIPAA related problem at this point.



VAMOSI:  So what could somebody do with this data? You mentioned the SSID and the password, that type of stuff, but no PII. So what would be an attack from from the research that you've done? So,


HEILAND:  in my opinion, you could actually with the SSID. We could trace that back through Wiggle who owns it. And now I have the WPA pre shared key. All I have to do is go to that organization, now I can log into their biomedical network. Now, I recently had a I had a question and somebody they're like, well, then it's basically just a targeted chance. I have to buy a device figure out who belongs to and if it happens to be in California, and I'm in Maine. What good's that and then I mentioned to him Well, you can also go online and search through all these us devices, and all the pictures and search for things like hospital names. Calibration stickers that have the hospital name on it, and just buy the devices that are near you. save you from travel, so there's usually enough data from photos and pictures of devices. Not all the time, but a number of the devices I bought still had the calibration stickers with the hospital names and stuff still on them. So you can narrow it down from a flip of a coin down to somebody within driving range if you want it. But that doesn't mean there'll be data on there again, but if you buy one is broke, the chances are you're going to actually be able to get data because you know they weren't able to power it up and purchase.



VAMOSI:  So somebody gets the SSID and the pre shared key they get on the network. How, how extensive could they get on the network? i It goes back to this logical segmentation that's going on or not.


HEILAND:  Okay, so it's kind of interesting. So I did pen testing. There are a number a number of years I did it for over a decade. I've I've been tested probably upwards of 20 or 30 hospitals. In every every one of those cases, the only thing I had was a network connection. I plugged into the network. Or connected in through Wi Fi. And every every one of those cases, I managed to steal every one of the patient's records for every patient at every one of those hospitals every time. Now I haven't been a pen tester for about six years but I think if you would sit down with current pen testers, you will probably find the exact same stuff.


VAMOSI:  Wow. Okay,


HEILAND:  and it's all it's all about. It's now it really comes to so at that point, you start thinking oh my gosh, we're all in trouble. But then it comes down to the organization's ability to detect and respond to breaches. Because breaches are a real thing. We see them every week. We see that with medical organizations all of the time. Sometimes malware spread, you know, and it's bad. So then it comes down to are you going to detect and respond to any kind of reaction taking place on your network and do something about it? That's where it comes down to it because if you're gonna go well, we're just going to never get breached. That's not possible. If somebody targets you, they can breach you. That's, that's a guarantee. It's all about how do we detect and respond quickly to stop somebody? That would be the Farias that would gain access to your network because if you don't have the ability to detect and respond to what they're doing, they will get the data it's it's it's a matter of you gain a foothold you escalates your rights. You move laterally until you find what you're looking for, and then you take it


VAMOSI:  Ao I've asked a lot of questions. Is there anything from your talk at sector that we haven't covered that you would like to bring up in this discussion?


HEILAND:  Yeah. So let me think about this. For a second. cut that part out there. think we've pretty much covered the breach or not the breach, but the data being pulled off the devices and what that means from a systemic issue that's critical. The kind of the talk and this is going to run after the talk. So yeah, to think about it from that perspective. Generally, I think we've covered everything pretty good. Like it, like I said, reemphasize that it's critical that medical organizations besides besides handling all of their technology, from cradle to grave, and think about how that's going to be bought, managed and disposed of, they also need to think about how they're to things segmentation segment their their biomedical critical care networks off. And the third thing is that they want to be able to have proper solutions in place to help them detect and respond to anything taking place on their network that shouldn't be taking place in the network. Whether someone would breach something whether a malware landed on their network, whatever the case may be, to have solutions for detecting processes and procedures in place for how we going to react if something does happen.

Share this post

Fancy some inbox Mayhem?

Subscribe to our monthly newsletter for expert insights and news on DevSecOps topics, plus Mayhem tips and tutorials.

By subscribing, you're agreeing to our website terms and privacy policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Add Mayhem to Your DevSecOps for Free.

Get a full-featured 30 day free trial.

Complete API Security in 5 Minutes

Get started with Mayhem today for fast, comprehensive, API security. 

Get Mayhem

Maximize Code Coverage in Minutes

Mayhem is an award-winning AI that autonomously finds new exploitable bugs and improves your test suites.

Get Mayhem