How to Secure Hospital Technology - HCCI-215 Session 6

We've previously discussed how some healthcare organizations unknowingly expose private files to search engines, how others leave private information in public press releases and photos, how attackers can steal or reconstruct a corporate email directory, and more.  This work has not been a 10,000-foot view but an in-depth review, written for the average computer user, of the many ways healthcare organizations unintentionally arm the criminals and competitors who are looking for security holes to exploit.  Now we'll pull that knowledge together into a timeline for a hypothetical attack.  Though the following scenario may strongly resemble actual hospital data breach cases, the details are speculation, intended to demonstrate how these techniques are used to bypass hospital technology security measures.

January 23rd - 1 Week Before the Attack

30-year-old Martin Ruch, a stucco mason from Mishicot, WI, boots a used PC from a privacy-centric Live DVD*, such as TAILS, and creates a new LinkedIn account.  He is about to begin a long con to relieve a major healthcare organization of its Electronic Health Records.  Those records will then be sold to an underworld data fence on the darkweb, who may resell the data to criminals in its entirety or break it up into several different products.

The skills that Ruch will use to commit this crime are not those of a computer technician or a programming genius, but the tricks of the trade of a professional confidence man, translated into the digital medium.  Some of the tools Ruch uses are advanced and others are basic, but Ruch himself is only a user of tools.  He is not an engineer or an architect but a hobbyist whose success lies in how skillfully he uses the ingenuity and intellect of others.  Ruch may be a hacker or a cracker by the definitions of the law, but it is essential to understand that what separates him from a former employee, a school teacher, a 16-year-old, a stay-at-home mom, or anyone else is not technical skill, but the willingness to make a living from the mistakes of others, without conscience or ethics.

You've met Ruch before, or at least someone like him: the salesman who turned your weeknight trip for printer ink into a new PC purchase, the real estate agent who got you looking at listings completely outside your price range (until your spouse talked you out of it), even the people who design store layouts so that you buy candy, chips, and a 12-pack of Coke when all you came in for was milk.  All of these are the same as Ruch, with different ambitions and slightly different designs on the money in your bank account.

  • *Live DVDs allow a user to run an operating system from a CD-ROM or DVD, which prevents sensitive information from being written to the computer's hard drive.  Ruch will use a special, free Live DVD called TAILS, designed to keep the user anonymous and to leave no trace on the machine it was booted from, even a machine in his own home.  TAILS routes all of its network traffic through the TOR anonymity network to achieve this.

[Image: an email phishing attempt.]
Ruch uses a website called FakeNameGenerator to create plausible aliases for this attack.  Since the aliases FakeNameGenerator creates for free are random, Ruch reduces the risk of accidentally using the name of a real person he may have read about in the news or in a press release.  Ruch needs aliases that provide no clues to investigators, and a completely random alias works better than one that impersonates a real person.  Additionally, Ruch has no interest in committing further crimes through identity theft; the hacking he plans is risky enough.

January 26th - 6 Days Before the Attack

At this point, Ruch has already run into a few problems:

  • LinkedIn has banned the majority of IP addresses associated with the TOR network, on the assumption that they are linked to criminal and spammer activity.  
  • LinkedIn also requires an email account for registration, and many email providers likewise block TOR IPs.  

Through trial and error, Ruch can manually request new TOR "identities" (new circuits, and therefore different exit-node IP addresses) until he finds one that LinkedIn will accept.  He may need to repeat this every time he works on the attack, though.  Ruch might prefer to use cash to purchase a prepaid credit card, which he can then use to anonymously buy access to a private anonymizing proxy network and to set up fake websites, companies, and email addresses.  That entire venture would set him back less than $50, though the details of the setup are outside the scope of this article.

January 27th - 5 Days Before the Attack

There may have been a few setbacks, but at this point Ruch is well equipped for his attack.

Ruch has created:

  1. 5 email addresses with realistic names.
  2. 4 LinkedIn accounts for fake identities.
    • 2 (of the 4) LinkedIn accounts have work histories claiming they are currently employed at the target company.
  3. Facebook and Twitter Accounts for each LinkedIn identity.
    • Ruch has stocked his fake identities with thousands of legitimate-looking updates in short order, using free services that automatically post interesting articles to his accounts.
  4. Stock photo profile photos for each social media account.
  5. Disposable phone and fax numbers.
  6. A website for a fake technology consulting company.

With this in hand, Ruch begins by downloading and installing a free browser extension that scrapes (automatically records) email addresses from web pages.  With it, he crafts a series of counterfeit email address books which he can upload to LinkedIn in order to add connections.  The email addresses are real; they have been scraped from public "LinkedIn Open Networking" or "LION" groups, where individuals who will connect with anyone (corporate in-house recruiters, for example) go to make new connections.

Ruch visits several LION groups and amasses lists of email addresses in the thousands.  He uses Microsoft Excel to format these lists so that they look to LinkedIn like exported email address books.  When Ruch logs in to his fake LinkedIn accounts and uploads these address books, LinkedIn does not question their legitimacy and lets him send invitations to every address included, as though he were some sort of super-networking CEO who has just created a LinkedIn account for the first time.  The majority of the LION addresses will be valid, and within a day or two Ruch will have perhaps thousands of connections on each of his LinkedIn accounts.  Those accounts gain the coveted "500+ connections" status, and Ruch is ready for the next step in his plan.

January 28th - 4 Days Before the Attack

Armed with some very convincing fake LinkedIn accounts, Ruch now attempts to infiltrate the company.  First, he anonymously views the LinkedIn profiles of important individuals, such as the President, CEO, VPs, and Directors of the target company, and joins many of the groups they belong to.  Ruch also alters the work history of his personas to imply a connection to the company, either by claiming outright to be an employee or by claiming to be a consultant under contract to it.  The stage is set for Ruch's accounts to gain some very powerful friends in short order.

Ruch now uploads yet another address book to his LinkedIn accounts.  This one contains the email addresses of many individuals who work at the target company.  Those addresses come from one of the many sources discussed previously: a leak, a corporate web page that makes too much information public, an attack on the email server, or simply Ruch reconstructing likely addresses from the names in news articles and press releases once a single public address has shown him the organization's naming convention.  Accuracy is not critical; Ruch can count on LinkedIn not penalizing any bad addresses that end up in his address book.  He can also assume that 10% or fewer of employees will accept his connection requests, but the odds are excellent that someone will.  Of course, it only takes one.
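The address-reconstruction step described above, as an added example that is not part of the original course material: given names harvested from press releases and one address whose format is already public (the media contact at the bottom of a release is usually enough), a short script infers the organization's naming convention and produces candidate addresses for everyone else.  The names, the contact, and the domain hospital.example are constructed for the example.  This is the same script an authorized assessor runs during reconnaissance, and it shows why one published contact address effectively publishes the address of every employee whose name appears in print.

```python
import re

# Constructed sample input (hypothetical people and domain), in the form
# names typically appear in a press release or news article.
SAMPLE_NAMES = [
    "Dr. Jane Q. Public, MD",
    "Robert O'Neil-Smith",
    "Maria de la Cruz",
]
DOMAIN = "hospital.example"
# One (name, address) pair already public, e.g. a press-release media contact.
# Constructed for this example.
KNOWN_CONTACT = ("Alice Example", "aexample@hospital.example")

HONORIFICS = {"dr", "mr", "mrs", "ms", "prof"}
SUFFIXES = {"md", "do", "rn", "phd", "jr", "sr", "ii", "iii"}

# Naming conventions organizations commonly use for the local part.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "last.first": lambda f, l: f"{l}.{f}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
}


def normalize_name(raw):
    """Reduce a printed name to (first, last) in lowercase ASCII letters.
    Titles, credentials and middle initials are dropped; multi-word
    surnames and particles ('de la Cruz') are joined ('delacruz').
    Returns None if fewer than two name tokens survive."""
    tokens = [t.strip(".,").lower() for t in raw.split()]
    tokens = [t for t in tokens if t not in HONORIFICS and t not in SUFFIXES]
    tokens = [re.sub(r"[^a-z]", "", t) for t in tokens]
    tokens = [t for t in tokens if t]
    if len(tokens) < 2:
        return None
    first, *middle, last = tokens
    surname_parts = [t for t in middle if len(t) > 1] + [last]
    return first, "".join(surname_parts)


def infer_format(known_name, known_address):
    """Work out which convention the organization uses from one pair that is
    already public. Returns the pattern name, or None if nothing matches."""
    parsed = normalize_name(known_name)
    if parsed is None:
        return None
    local_part = known_address.split("@", 1)[0].lower()
    for name, render in PATTERNS.items():
        if render(*parsed) == local_part:
            return name
    return None


def candidate_addresses(raw_name, domain, fmt=None):
    """Candidate addresses for one person. With a known format exactly one
    candidate is produced; without it, one per convention."""
    parsed = normalize_name(raw_name)
    if parsed is None:
        return []
    renders = [PATTERNS[fmt]] if fmt in PATTERNS else list(PATTERNS.values())
    return [f"{render(*parsed)}@{domain}" for render in renders]


def build_address_list(names, domain, known_contact=None):
    """Map every harvested name to its candidate addresses, narrowing to the
    inferred convention when a public example is available."""
    fmt = infer_format(*known_contact) if known_contact else None
    return {name: candidate_addresses(name, domain, fmt) for name in names}


if __name__ == "__main__":
    for name, addrs in build_address_list(SAMPLE_NAMES, DOMAIN, KNOWN_CONTACT).items():
        print(f"{name:28s} -> {', '.join(addrs)}")
```

Run stand-alone, the script prints one address per person because the known contact pins the convention to "flast"; remove the known contact and it falls back to eight candidates each, which is still a short list for an attacker to verify against the mail server.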

January 30th - 2 Days Before the Attack

Just a couple of days later, Ruch is the newest unpaid and completely unofficial employee of the target hospital.  His LinkedIn accounts reflect this fact and have the connections to prove it.  If Ruch attempted to connect with a scant 300 employees and succeeded with a mere 15 (just 5%!), he still has everything he needs to complete his attack.  Most employees viewing his profile will presume him to be a legitimate co-worker, and from here Ruch could take more time to use his new connections to network his way toward connections with even more access.  Every connection Ruch's accounts have made at the company has now become a mark.

[Image: some of the most common passwords in use.]
Ruch's next step is the approach.  Earlier, Ruch used well-known "Google dorks*," browsed the website's exposed configuration files, or in some other way located the login page for the company's Electronic Health Records system.  This system has to be accessible remotely: it must serve physicians on iPads, medical technicians on site, and yes, even billing, located in the annex two miles down the road.  If the login page for this data is not on the website, then instructions for locating it are likely stored there.  If Ruch can't find those instructions, he'll look for press releases and whitepapers from the technology company that was contracted to do the work.  Even a client certificate requirement won't stop Ruch: once he has a copy of an employee's exported certificate file, he can run distributed password-cracking software against its passphrase offline, completely undetected, or more likely ship the file off to an underworld contact who can have the passphrase for him in two days for $10.  The point is, Ruch will find, and has found, the gate that secures the data he is about to steal, and now all he needs are the keys.

  • *Google dorks are Google search queries that researchers and hackers have found frequently reveal security flaws in websites.  They represent some of the easiest and least skilled hacking possible, yet they remain highly effective.

Luckily for Ruch, there's a good chance that any of the 15 employees he is now personally acquainted with on LinkedIn can provide the login he needs to access the Electronic Health Records directly.  The possibilities for the approach are nearly endless at this point, but here are just a few methods Ruch might employ:

  • Employee Survey - Ruch creates a fake employee survey, hosted online, that requires an employee login.  Any login is accepted, so unless an employee deliberately types in an incorrect username and password, Ruch will harvest at least a few good credentials this way.  Ruch can even program the survey to reject usernames and passwords that do not meet the hospital's format rules (something he can easily learn from the login page he found earlier), so that typos get resubmitted correctly.  The company can tell its employees not to give out passwords all day long, but in this case it looks like they are simply logging in, and a few are sure to make the mistake.
  • Fake Password Reset - Employees receive an email advising them that a security breach has already been detected and that they must immediately reset their password via the link provided.  A large share of employees will fall for this, including senior administrators, before the attack is detected.  The "password reset" page is of course a fake website that sends the legitimate credentials to Ruch.  Ruch could compound matters by actually setting each victim's chosen new password on the real system, so that the victim's next login works as expected and nothing looks amiss, which could extend the time until he is detected.
  • Traditional Phishing - Employees are directed by email to view an important 401k benefits update, but lo and behold, they'll need to log in first.  The fake website Ruch creates is a pixel-perfect replica of the actual corporate login page.
  • Test Server - Another approach is for Ruch to install some applications on a web server, then solicit employees via LinkedIn to log in to that server with their corporate credentials to test the new software.  Here Ruch poses as an IT consultant or as an employee at some distant remote office.
  • Rogue Access Point - Ruch could compound any of these methods by physically visiting the healthcare facility and setting up a rogue wireless access point (an "evil twin"), though admittedly this approach requires some additional technical skill or the help of someone more trained.  The rogue access point could sit in a vehicle in the parking lot or inside the building; Ruch could bring his own hardware or load his software onto a real access point at the site, and compromising a corporate access point would not necessarily require physical access.  The counterfeit access point would broadcast the same network name as a legitimate corporate one, and many users would connect to it to conduct business.  Ruch would then be positioned to capture their login credentials and any data transmitted or received by their computer, tablet, or phone that is not separately encrypted end to end.  To be clear, this could be done from across the street from a major hospital, inside a private residence or a vehicle.

February 1st - 0 Day (The Day of the Attack), 1:00am

[Image: common default router passwords, readily available on the Internet.]
Whatever the approach, Ruch has successfully obtained several corporate logins and his activities have yet to be detected.  It is in fact possible that they will never be detected; this unfortunately still happens.  With the credentials of, say, a physician, Ruch might remotely access the hospital's Electronic Health Records system and run a backup or export function, downloading the entire database for resale.  Ruch could also install software that copies the database out record by record.  Even if stymied in other ways, Ruch could print massive quantities of health records to PDF and use other software to extract the data from the files after he has made his getaway.  The point is that physicians, billing employees, and others are given read access to Electronic Health Records, and any attacker who gets as far as logging in to the system is going to find a way to walk off with the facility's data.

After the Attack

Now that Ruch has the data, he will sell it, again via anonymous methods, on the so-called darkweb: sites reachable only through anonymity networks like TOR, many of them used for crime.  Ruch may take his payment, which can easily exceed $10,000, in Bitcoin, a pseudonymous currency (every transaction is public, but none is tied to a name unless the coins are later cashed out through an exchange that knows who he is).  Worth noting, selling this much medical data isn't easy, which means at this point Ruch is probably dealing with someone like the Russian mob or another criminal organization.  It takes infrastructure to make full use of something this valuable and, for that matter, this large.  Ruch could sell verified email addresses at USD $0.10 apiece.  Credit card numbers can go for as little as a dollar.  Medical records, however, go for $10 or more apiece.  That adds up to big money and big-time underworld players.

The buyer of the data will in turn commit identity theft on a massive scale, likely targeting reimbursements from medical insurers for procedures that were never performed.  Remarkably, nothing will tip off the authorities or the target company that the data has been stolen until Ruch's handiwork is actually uncovered or, more likely, a separate seizure of rogue servers by INTERPOL or another policing organization turns up the stolen files.

How to Prevent an Attack (...from being successful)

To defeat attacks like this, there is no substitute for a dedicated IT security team with excellent management that keeps security current at all times.  Healthcare organizations need to embrace the 10th man doctrine and conduct Red Team operations at least once a year.  A few steps can help organizations get started:

  • Along with 401k meetings and employee fitness clubs, don't neglect to train each and every employee in data security.  It may seem frightening to reveal the weaknesses of your organization to employees, but remember: these are the weaknesses of every healthcare organization.  By explaining methods of attack to your employees, you help them recognize when something isn't right and hit the panic button early.
  • Contrary to popular belief, not every computer and server needs cutting-edge modern software and hardware.  However, all software needs to be kept current with security patches, and software security policies need to be reviewed annually and audited each quarter.
  • Embrace two-factor authentication.  An attacker as dedicated as Ruch can and will find a way around a second factor that the employee types in (a code sent by SMS or generated by a phone app can be relayed in real time through a phishing page), but a USB security key that is cryptographically bound to the real login domain gives a fake login page nothing useful, and not all attackers are as dedicated as Ruch.  It never hurts to make yourself a less attractive and more challenging target for criminals.
  • Don't leave password choice entirely to employees.  This is not going to be a popular policy, but you cannot trust the average individual not to use a spouse's birthday or their last name with a couple of letters attached.  Adopt a policy built on long passphrases rather than passwords: instead of something like Merlin78, something like midnightgreenocelot.  What's not memorable about a midnight green ocelot?  Be careful with "billions of years to crack" figures, though.  They assume the attacker must brute-force every lowercase string of that length, whereas a phrase built from common words is attacked as a combination of dictionary words and falls far sooner.  The words should therefore be drawn at random from a large list (a diceware-style generator, not the employee's favorite phrase), and at least four of them, more for administrative accounts.
  • In addition to better passwords, require a password change at least every 6 months, and immediately whenever credentials may have been exposed, for instance after a reported phishing email.
  • Configure every computing device used on site not to cache corporate logins on the local hard drive.  Windows PCs are notoriously easy to recover passwords from, and many password recovery tools exist for Mac as well.  If the password you use to access your Electronic Health Records is also used to log in to the PC, all it takes is a high-schooler working at Best Buy with the Geek Squad to retrieve the full password.  Think about that.
  • Segment your data and give each role the least access it needs.  Physicians do not need access to insurance information, so don't give it to them.  The billing department does not need medical records beyond the procedures performed, the dates, and the associated codes.  A per diem or part-time employee entering readings from medical monitors into patient records needs only the patient's name and room number, so give them just that.  This limits the damage should an attacker get hold of an employee's credentials.
  • Configure email servers not to confirm or deny the existence of accounts when queried: disable the SMTP VRFY and EXPN commands (in Postfix, disable_vrfy_command = yes), and remember that a server whose reply to RCPT TO differs between real and non-existent addresses leaks the same information, which is exactly how an attacker validates a reconstructed address list.
  • Though an unpopular policy, monitor employee email, which is after all company property, and quarantine suspicious messages, such as fake password resets, before they reach the user.  Transparency about the monitoring makes the measure slightly more palatable for employees.
  • Ensure every single device on the corporate network has had its default manufacturer login credentials changed.
  • Configure systems to lock out accounts that request inappropriate or extreme quantities of data.  An attacker accessing 100 medical records in a single hour through a stolen account should find that account disabled and unusable, and a bulk export or backup run from an ordinary clinical or billing account should be blocked outright and alerted on.
  • Hire an outside professional consultant to help formulate a robust plan for responding to attacks if and when they occur.
  • Finally, consider simply not storing sensitive data that the business does not need.  For example, patients may need to present a driver's license to prove their identity when submitting insurance information, but a photograph of that license does not need to be kept with their medical records.
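The passphrase advice above, worked through as an added example (not part of the original course): a generator that draws words with the operating system's cryptographic random source, and the arithmetic behind "years to crack" under two attacker models, brute force over lowercase letters versus a combination of dictionary words.  The 16-word list, the assumed guess rate of 10^10 per second, and the modelling of midnightgreenocelot as three words from a 10,000-word English dictionary are assumptions for illustration; a real deployment uses a published list of several thousand words.

```python
import math
import secrets

# Constructed, deliberately tiny word list for the example. A real deployment
# uses a published list of several thousand words (the EFF long list has 7776).
WORDS = ["midnight", "green", "ocelot", "copper", "lantern", "river", "quartz",
         "willow", "saddle", "thunder", "velvet", "harbor", "cactus", "marble",
         "falcon", "orchid"]
LOWERCASE_ALPHABET = 26
SECONDS_PER_YEAR = 365 * 24 * 3600


def generate_passphrase(word_count, words=WORDS, sep=""):
    """Pick words with the OS CSPRNG (secrets), never random.choice, so the
    phrase is as unpredictable as the arithmetic below assumes."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def entropy_bits_bruteforce(passphrase):
    """Guess space if the attacker knows only 'lowercase letters, this length'.
    This is the model behind 'billions of years' estimates."""
    return len(passphrase) * math.log2(LOWERCASE_ALPHABET)


def entropy_bits_wordlist(word_count, list_size):
    """Guess space if the attacker knows the phrase is word_count words from a
    list of list_size, the right model for any phrase of common words."""
    return word_count * math.log2(list_size)


def seconds_to_crack(bits, guesses_per_second):
    """Average-case time: half the keyspace at a constant guess rate."""
    return (2.0 ** bits) / 2 / guesses_per_second


def crack_time_report(passphrase, word_count, list_size, guesses_per_second=1e10):
    """Side-by-side estimate under both models, in years. The default guess
    rate is an assumed figure for a cracking rig against a fast hash."""
    bf_bits = entropy_bits_bruteforce(passphrase)
    wl_bits = entropy_bits_wordlist(word_count, list_size)
    return {
        "bruteforce_bits": round(bf_bits, 1),
        "bruteforce_years": seconds_to_crack(bf_bits, guesses_per_second) / SECONDS_PER_YEAR,
        "wordlist_bits": round(wl_bits, 1),
        "wordlist_years": seconds_to_crack(wl_bits, guesses_per_second) / SECONDS_PER_YEAR,
    }


def recommended_word_count(list_size, target_bits):
    """Smallest number of words from a list of list_size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    # The article's example phrase, modelled as three words from a 10,000-word
    # English dictionary (an assumption for illustration).
    report = crack_time_report("midnightgreenocelot", word_count=3, list_size=10_000)
    print(report)
    print("words needed from a 7776-word list for 80 bits:",
          recommended_word_count(7776, 80))
    print("generated:", generate_passphrase(5, sep="-"))
```

The two figures for the same phrase differ by many orders of magnitude: roughly 89 bits (over a billion years at the assumed rate) when the attacker is forced to brute-force 19 lowercase letters, but under 40 bits (well under a minute) when the attacker tries combinations of three common words.  The second number is the one that matters for a phrase a person chose, which is why the words must come from a random generator and why the count, not the spelling, sets the strength.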
While healthcare organizations are reticent about data breaches, they occur, and frequently.  The US government reports that between 2009 and 2013, the rate of healthcare organizations reporting data thefts rose from around 20% to 40%.  A single organization reported in late 2014 that Chinese hackers had made off with some 4.5 million medical records.  The situation is not likely to get any better on the attack side, but the tips provided can help companies begin implementing policies that better secure their data.
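The lock-out rule from the list above ("100 medical records in a single hour through a stolen account should find that account disabled"), as an added example that is not part of the original course: detection logic run over a constructed EHR audit log.  The log format (a timestamp followed by user=, action= and patient= fields), the one-hour window, the threshold of 100 distinct charts, and the treatment of export_bulk and backup as always-lock actions are assumptions for the example; the point is the sliding-window count per account, which is what stops the physician-credential scenario in the attack timeline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy knobs: THRESHOLD or more distinct patient charts from one account
# inside WINDOW is treated as bulk harvesting; HIGH_RISK_ACTIONS are never
# legitimate from an ordinary clinical or billing account.
WINDOW = timedelta(hours=1)
THRESHOLD = 100
HIGH_RISK_ACTIONS = {"export_bulk", "backup"}


def build_sample_log():
    """Constructed audit log (not real data): a nurse with normal activity, a
    billing account that starts a bulk export, and a physician account whose
    credentials were phished and are now pulling one chart every 15 seconds."""
    base = datetime(2015, 2, 1, 1, 0, 0)
    lines = []
    for i in range(5):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()} user=nurse_a action=view_record patient=P{i:04d}")
    ts = base + timedelta(minutes=7)
    lines.append(f"{ts.isoformat()} user=billing_1 action=export_bulk patient=ALL")
    for i in range(120):
        ts = base + timedelta(seconds=15 * i)
        lines.append(f"{ts.isoformat()} user=drsmith action=view_record patient=P{1000 + i:04d}")
    return sorted(lines)  # ISO timestamps sort chronologically as strings


def parse_line(line):
    """'2015-02-01T01:00:00 user=x action=y patient=z' -> (datetime, fields)."""
    ts, rest = line.split(" ", 1)
    fields = dict(part.split("=", 1) for part in rest.split())
    return datetime.fromisoformat(ts), fields


def detect_lockouts(lines, threshold=THRESHOLD, window=WINDOW):
    """Stream the log once, keeping a sliding window of (time, patient) per
    user. Returns {user: (lock_time, reason)} for accounts that should be
    disabled; repeated views of the same chart do not count twice."""
    recent = defaultdict(deque)
    locked = {}
    for line in lines:
        if not line.strip():
            continue
        ts, f = parse_line(line)
        user = f["user"]
        if user in locked:
            continue  # already disabled; later events come from a dead account
        if f["action"] in HIGH_RISK_ACTIONS:
            locked[user] = (ts, f"high-risk action {f['action']}")
            continue
        q = recent[user]
        q.append((ts, f["patient"]))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold:
            locked[user] = (ts, f"{distinct} distinct patient records within {window}")
    return locked


if __name__ == "__main__":
    for user, (when, why) in detect_lockouts(build_sample_log()).items():
        print(f"{when.isoformat()} LOCK {user}: {why}")
```

Against the constructed log the billing account is locked the moment it issues the export, the phished physician account is locked at its 100th distinct chart (24 minutes and 45 seconds into the burst, long before the full database is out), and the nurse is never touched.  Counting distinct patients rather than raw events matters: a clinician reopening the same chart all morning must not trip the rule, or staff will demand the control be switched off.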

This concludes the Health Care Competitive Intelligence Course - 215 offered by Christopher Lotito.  Please feel free to contact the author with any questions.


The entirety of Christopher Lotito's Health Care CFO Competitive Intelligence Master Class can be found online here:

Contact the author on LinkedIn or via the comment form.