Worst Case – fortunately only in a test scenario
Last year, the UK’s National Health Service sounded the alarm over a cyber attack in which the WannaCry ransomware disabled the computer systems of about 40 British hospitals. Since then, IT security in hospitals and other healthcare institutions has at least become a subject of public discussion rather than a purely internal concern. Cyber security is an extremely pressing topic in this sector precisely because it involves more than the protection of sensitive personal data: attacks on clinic IT can directly endanger life and limb if they disrupt computer-guided medical procedures or indeed target them directly.
Despite the enormous potential harm and the urgent action it demands, IT security in German healthcare institutions is often not taken sufficiently seriously. Competing with core medical and economic topics, it frequently fails to receive the necessary attention, and it is not surprising that this is reflected in insufficient funding for the department responsible.
The consequences this can have are illustrated by a security check that BDO IT GmbH was engaged to carry out for a general hospital with more than 300 beds.
In the course of the exercise, the hospital’s system landscape was subjected to an internal penetration test, in which the testers were easily able to access the local network. The hospital IT’s active safeguards were insufficient to prevent the access, and more than once they failed even to detect it. With this unimpeded access, the testers were able not only to capture information passively but also to interact actively within the various networks. In this way, the authorised attackers were able to move practically freely around the hospital network.
Among the weaknesses identified in the course of the test, missing network access controls represented one of the greatest threats, since they open the way to so-called “man in the middle” scenarios. In this sort of attack, communication between participating systems is not only intercepted and captured by an outside party but, in the worst case, misused and manipulated.
During the interaction test phase, obsolete software and operating system versions also came to light, as well as ambiguous rules for allocating passwords, which enabled access to systems and the information they contained. Furthermore, additional weaknesses in the form of inadequately configured services and encryption mechanisms were identified, which enabled successful execution of third-party code in 85% of the randomly sampled cases.
A genuine attacker would thus have had unimpeded access to highly sensitive patient and management data, would have been able to alter (integrity) or delete it, and would have been in a position to turn off vital systems such as medical technology equipment (availability). In this way, the test revealed a significant real threat. While data theft can still be relatively survivable, alteration of data records can have a catastrophic effect on patient safety, and interference with devices and processes can equally bring about lethal risks.
For our client, the surprisingly easy circumvention of its safeguards was a loud alarm call and led directly to the introduction of corresponding measures to make its IT more secure. Even though an in-depth analysis based on current standards, with repeated reviews of the results for reproducibility, cannot exclude the possibility that individual weak points go undetected, the risk of a successful attack is significantly reduced once identified weaknesses are rectified.
As experience from numerous projects in the hospital sector shows, this result is by no means an isolated instance. BDO healthcare experts, in collaboration with IT experts from the institutions concerned, have identified comparable weaknesses in various hospitals. It must regrettably be concluded that this situation is the rule rather than the exception in many hospitals.
The same applies, incidentally, to organisations in every sector. Those responsible must therefore urgently take to heart measures to safeguard production. Critical weaknesses in every business, every institution and every administrative authority must be identified, evaluated and eliminated as quickly as possible by appropriately targeted measures. This includes the introduction and continuous further development of IT processes such as information security, incident and change management. In this way, security loopholes can be closed in time and attacks reliably repelled.
Checks and test methods were based on the procedure of the Open Source Security Testing Methodology Manual (OSSTMM), the recommendations of the German Federal Office for Information Security (BSI) study Durchführungskonzept für Penetrationstests, and the Open Web Application Security Project (OWASP). The tests were carried out by qualified personnel certified as OSSTMM Professional Security Testers (OPST) and ISO/IEC 27001:2005 Lead Auditor (IRCA). The testers have many years’ wide-ranging experience of security tests for a very diverse range of clients, such as banks, machine manufacturers, media companies, logistics providers, the military and the political sector.
In the specific case, external and internal actors with access to the relevant premises would have been able to gain access to the network without further impediment (authentication). After connecting to a network port, a potential attacker would have obtained a link and, even without an allocated IP address, could have used it to record broadcast and multicast communication (resilience). No alarm, and no active port security that would deactivate ports on unrecognised MAC addresses, was detected in this phase (resilience, authentication). This alone allowed Layer 2 and Layer 3 broadcast and multicast communication to be recorded, which could have been applied in further attacks, e.g. against the client MAC addresses of internal employees. The cloning of MAC and IP addresses already present in the network was not prevented at the time of the test, nor was any alarm triggered; this represents a loss of control.
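The two controls the note above finds missing, an allow-list per access port and an alarm when an existing MAC or IP address is cloned, can be checked from the switch's own observations. The following is an added example from the editor, not from BDO or the hospital: it runs over constructed ARP observations (time, switch port, MAC, IP) with a constructed per-port allow-list, and reports each condition the test found unmonitored.

```python
"""Flag unapproved MACs and MAC/IP cloning from ARP observations.

Added example; all ports, MAC and IP addresses below are constructed.
"""
from collections import defaultdict

# Constructed port-security allow-list: MACs permitted on each access port.
# Port Gi1/0/4 is a spare wall port with no approved device.
APPROVED = {
    "Gi1/0/1": {"00:11:22:33:44:01"},
    "Gi1/0/2": {"00:11:22:33:44:02"},
    "Gi1/0/24": {"00:11:22:33:44:fe"},   # uplink carrying the gateway
}

# Constructed observations as a monitor would collect them: (time, port, mac, ip)
OBSERVATIONS = [
    ("09:00:01", "Gi1/0/1", "00:11:22:33:44:01", "10.10.1.11"),
    ("09:00:02", "Gi1/0/2", "00:11:22:33:44:02", "10.10.1.12"),
    ("09:00:03", "Gi1/0/24", "00:11:22:33:44:fe", "10.10.1.1"),
    # spare port: a device cloning both MAC and IP of the host on port 1
    ("09:05:00", "Gi1/0/4", "00:11:22:33:44:01", "10.10.1.11"),
    # spare port: an unknown MAC claiming the gateway's IP (ARP spoofing)
    ("09:06:00", "Gi1/0/4", "de:ad:be:ef:00:01", "10.10.1.1"),
    ("09:06:01", "Gi1/0/1", "00:11:22:33:44:01", "10.10.1.11"),
]

def analyse(observations, approved):
    """Return a list of findings; an empty list means every control held."""
    mac_ports = defaultdict(set)   # MAC -> ports it was seen on
    ip_macs = defaultdict(set)     # IP  -> MACs that claimed it
    findings, unapproved_seen = [], set()
    for _, port, mac, ip in observations:
        mac_ports[mac].add(port)
        ip_macs[ip].add(mac)
        # Port-security check: a MAC not on the port's allow-list (or any MAC
        # on a port with no allow-list) would trip a real port-security alarm.
        if mac not in approved.get(port, set()) and (port, mac) not in unapproved_seen:
            unapproved_seen.add((port, mac))
            findings.append(("UNAPPROVED_MAC", port, mac))
    # Cloning checks: the same MAC on several ports, or one IP behind several MACs.
    for mac, ports in mac_ports.items():
        if len(ports) > 1:
            findings.append(("MAC_ON_MULTIPLE_PORTS", mac, tuple(sorted(ports))))
    for ip, macs in ip_macs.items():
        if len(macs) > 1:
            findings.append(("IP_CLAIMED_BY_MULTIPLE_MACS", ip, tuple(sorted(macs))))
    return findings

if __name__ == "__main__":
    for finding in analyse(OBSERVATIONS, APPROVED):
        print(*finding)
```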