
Medical Device
Case Study

Industry

Medical Device

Client Background

The client is a healthcare organization and one of the largest private medical service providers. Patients from the United States, Africa, the Middle East, and Europe come to this hospital for low-cost healthcare. It has many hospitals all over India. It offers nuclear medicine, cardiology, neurosciences, electrophysiology, and cancer treatment to patients. This hospital, which is a publicly traded firm with over 37,000 shareholders, employs over 2000 doctors and sees about 100,000 patients per day.

Business Challenges

  • Conduct the tests in a non-intrusive, non-harmful manner to avoid causing any damage to the equipment.

  • Create customized scripts for each device to guarantee that all test scenarios are covered.

  • Develop an appropriate compromise between security best practices and equipment operating difficulties.

Environment

  • Over 1,00,000 patients per day

  • Pan-India operations had to be taken into consideration

Solution

The organization approached Kratikal's security testing department to identify any technical or logical vulnerabilities in their network-connected medical equipment. They also needed tangible solutions to mitigate the risks that could emerge from exploiting those vulnerabilities.

Approach

  • The tests were carried out in a live environment, at times when there was no traffic on the machines.

  • We conducted the assessment of their medical devices, network, and support systems from a hacker’s perspective.

  • The test was conducted as a Grey Box exercise.

  • Various hacks were attempted to test the medical devices, the consoles, and the network connection.

  • Solutions and patches were deployed in close coordination with the OEMs and the in-house teams.

  • The tests were conducted in accordance with the best practices available in the industry, using the experience of Kratikal in Medical Device Security Testing.

Major Findings

  • Most of the machinery, such as MRI scanners, CT scanners, radiology, and nuclear medicine equipment, was found to be extremely vulnerable to both local and remote attacks.

  • Remote takeover, remote code execution, and denial-of-service attacks were all possible on several of these devices.

  • Many machines used default credentials and had obsolete programs, operating systems, firewalls, and antivirus engines. Some were using passwords that were easy to guess.

Risks

  • An attacker could exploit the vulnerabilities to steal confidential patient records from the systems.

  • An attacker could also use the vulnerability to install ransomware, viruses, or trojans into the system, which could harm the entire network.

  • An attacker could remotely shut down the machine while procedures were being performed on the equipment.

Impact

  • An attacker sitting close to or inside a hospital may seize control of medical devices and command all hospital activities, from MRI scans to robotic surgery.

  • An attacker could take advantage of these flaws, putting patients in a life-threatening situation.

  • Attacks against vital instruments, especially those dealing with nuclear medicine and radiology, could result in equipment failure in the best-case scenario and unrestrained radiation leakage in the hospital in the worst-case scenario.

  • The hospital might face significant litigation, sanctions, and a drop in share price, as well as a public relations disaster.

Recommendations

  • We advised them to upgrade their operating system (from Windows XP to Windows 10) as well as their applications and firewall services.

  • A full report was provided on the vulnerabilities, including their impact and recommended solutions.

  • Policies were being framed for device access, network security, physical security, and password management.

  • To cope with cases of cyber incidents, we developed a quick reaction strategy for the hospital by developing a synergy between the hospital, the IT team, and the OEM.

  • We collaborated with OEMs to patch key vulnerabilities as rapidly as possible.

  • For the devices, we devised a patch management system.

  • We advised on hardening their devices and restricting remote access for OEMs.

“Team Kratikal is one of the finest and most diligent professionals I have had the opportunity of working with. The team displays a high level of technical competency and professional conduct. They pointed out some critical vulnerabilities in our equipment and suggested practical remediations of the same. They patiently discussed every aspect of security with our biomedical and network teams. It was a remarkable experience.” – Group CISO Health care Network

Kratikal Privacy Commitment

Kratikal is dedicated to safeguarding your company from advanced threats, such as data leakage. For this reason, we do not reveal the names of our case study participants.
