The healthcare organization is one of the largest private medical service providers. Patients from the United States, Africa, the Middle East, and Europe come to this hospital for low-cost healthcare. It has many hospitals all over India. It offers nuclear medicine, cardiology, neurosciences, electrophysiology, and cancer treatment to patients. This hospital, which is a publicly traded firm with over 37,000 shareholders, employs over 2000 doctors and sees about 100,000 patients per day.
Conduct the tests in a non-intrusive, non-harmful manner to avoid causing any damage to the equipment.
Create customized scripts for each device to guarantee that all test scenarios are covered.
Find an appropriate compromise between security best practices and the operating difficulties of the equipment.
Over 1,00,000 patients per day
Pan-India operations had to be taken into consideration
The organization approached Kratikal's security testing department to identify any technical or logical vulnerabilities in their network-connected medical equipment. They also needed tangible solutions to mitigate the risks that could emerge from exploiting those vulnerabilities.
The tests were carried out in a live environment, during times of no traffic on the machine.
We conducted the assessment of their medical devices, network, and support systems from a hacker’s perspective.
The test was conducted as a Grey Box exercise.
Various attacks were attempted against the medical devices, the consoles, and the network connection.
Solutions and patches were deployed in close coordination with the OEMs and the in-house teams.
The tests were conducted in accordance with the best practices available in the industry, using the experience of Kratikal in Medical Device Security Testing.
Most of the equipment, such as MRI scanners, CT scanners, radiology, and nuclear medicine equipment, was found to be extremely vulnerable to both local and remote attacks.
Remote takeover, remote code execution, and denial-of-service attacks were all possible on several of these devices.
Many machines used default credentials and had obsolete programs, operating systems, firewalls, and antivirus engines. Some used passwords that were easy to guess.
An attacker could exploit the vulnerabilities to steal confidential patient records from the systems.
An attacker could also use the vulnerability to install ransomware, viruses, or trojans into the system, which could harm the entire network.
An attacker could remotely shut down the machine while procedures were being performed on the equipment.
An attacker located close to or inside a hospital could seize control of medical devices and command all hospital activities, from MRI scans to robotic surgery.
An attacker could take advantage of these flaws, putting patients in a life-threatening situation.
Attacks against vital instruments, especially those dealing with nuclear medicine and radiology, could result in equipment failure in the best-case scenario and uncontrolled radiation leakage in the hospital in the worst-case scenario.
The hospital might face significant litigation, sanctions, and a drop in share price, as well as a public relations disaster.
We advised them to upgrade their operating system (from Windows XP to Windows 10) as well as their applications and firewall services.
A full report was provided on the vulnerabilities, including their impact and recommended solutions.
Policies were framed for device access, network security, physical security, and password management.
To handle cyber incidents, we developed a rapid-response strategy for the hospital by establishing coordination between the hospital, the IT team, and the OEM.
We collaborated with OEMs to patch key vulnerabilities as rapidly as possible.
For the devices, we devised a patch management system.
We advised on hardening their devices and restricting remote access for OEMs.