Healthcare Security Assessment

Is your institution adequately equipped for potential incidents, ensuring the safety of patients and the operability of critical systems and processes in emergencies?

We are here to support you with our expertise.

Protecting Healthcare Facilities and Patient Data

The advancement of digitization and connectivity in the healthcare sector introduces new security challenges, not only for institutions such as hospitals and medical practices, but also for their patients. The increasing use of digitally connected devices in laboratories, treatment rooms, and in handling patient data creates numerous entry points for attackers. These risks are further exacerbated by the use of online services, patient portals, mobile devices, and internet-enabled medical equipment.

Challenges

Healthcare organizations must find ways to protect themselves against cyber threats without negatively impacting the efficiency and accessibility of healthcare services.

Internal and External Networking

Modern clinics have complex internal networks. Besides standard services, such as server and storage infrastructure, they require the integration of heterogeneous systems like medical devices (imaging devices, patient monitoring systems, telemedical devices etc.) and various communication systems (e.g., telephony systems).

Seamless data exchange with external partners and service providers is also essential for ensuring smooth operation, including:

  • Patient care services (e.g., food supply)
  • Telematics infrastructure services (e.g., access to electronic health records)
  • Pharmacy services
  • Laboratory information systems
  • Connection to the organ donor register


Legal Requirements (NIS2)

As healthcare facilities are considered critical infrastructure, specific protection requirements apply. In the event of a successful attack, personal data that requires special protection (as defined in GDPR Article 9) is at risk. Furthermore, as part of the critical infrastructure, hospitals are subject to additional legal requirements introduced by the EU NIS2 Directive.

Increasing Number of Cyber Incidents

In recent years, there has been a marked increase in the number of cyber attacks against hospitals and healthcare facilities. These attacks have the potential to compromise sensitive health data and disrupt vital medical equipment and systems, posing a direct threat to patients. Consequently, medical institutions are increasingly targeted by extortion and ransomware attacks.

IT Budget and Skills Shortage

The challenges for IT in the healthcare sector are exacerbated by a shortage of specialists and insufficient IT budgeting. Due to limited resources, hospitals are often unable to make the necessary investments in cyber security measures, leaving them at an increased risk of cyber attacks. The shortage of qualified IT professionals also complicates the implementation and monitoring of effective security measures, further increasing vulnerability to potential threats.

Our Offer for You

Drawing on our expertise, we provide comprehensive support in addressing the aforementioned challenges. We are able to comprehensively assess your complex system landscape, identify potential entry points for attackers, and assist you in designing your systems in accordance with regulatory requirements. Our range of services includes:

Patient Portals and Online Services

In the healthcare sector, patient portals and online services fulfil a variety of functions, including online appointment scheduling, digital assistance, and access to medical records. They almost always process sensitive data that requires special protection. It is therefore crucial to ensure that these systems are secure and cannot be misused by third parties.

As part of our security assessments, we offer a comprehensive examination of these systems, including:

  • Testing of web applications
  • Verification of secure API implementations
  • Vulnerability assessment of related mobile applications


Externally Accessible Systems, e.g., External Servers and Maintenance Access

Hospitals have a large number of IT systems that are accessible on the internet, ranging from websites and mailing solutions to VPN gateways. If an attacker gains access to such a system, confidential data like mail communication is at risk of being compromised. Attackers can also exploit compromised systems as a pivot for further attacks within the network, enabling deeper infiltration.

To determine the security level of these and other systems, we offer a comprehensive portfolio of security testing services. Among others, we assess:

  • Perimeter systems (e.g., firewalls, VPN gateways)
  • Externally accessible services (e.g., mail servers, web servers, interfaces to suppliers such as pharmacies and food providers)
  • Cloud environments


Local IT Systems, e.g., Wi-Fi Network, Local Network, Terminals, Printers, Network Segmentation

Hospitals and medical practices often have complex local networks comprising a large number of devices. These networks include workstations, data storage solutions, mobile devices, and specialized medical equipment that requires network access.

Unfortunately, the security measures in place to protect these networks are not always adequate. For instance, if no proper network segmentation is in place, unauthorized actors may gain access to the internal network via the guest Wi-Fi. Another threat scenario is the insufficient protection of network sockets in hospital rooms against (potentially malicious) external devices such as notebooks.

As part of our security analyses, we conduct comprehensive assessments of your local IT infrastructure and, among others, offer the following services:

  • Penetration testing of the local network, including in-depth analysis of devices such as printers, telephones etc.
  • Examining the secure implementation of network segmentation
  • Testing the configuration of Wi-Fi access points for potential vulnerabilities that could enable attacks

In addition to these analyses, we offer relevant consulting services, addressing questions such as:

  • What needs to be considered when designing a secure network architecture? (e.g., network segmentation, securing remote access, and the topic of cloud migration)
  • How can I securely operate my applications and infrastructure components? (e.g., secure configuration of applications, servers and services as well as suitable version and patch management)
  • How can I adequately protect sensitive data? (e.g., protection against brute-force attacks, password management, and multi-factor authentication)


Inspection and Evaluation of On-Site IT Security Measures

It is important to note that minimizing network attack vectors is only one part of a comprehensive security strategy. For instance, if an attacker were to gain access to a nurse's room and plug a malicious USB stick into a hospital computer, they might gain access to the internal network.

Comprehensive analyses therefore include an evaluation of on-site security measures, considering aspects like:

  • Physical security (e.g., surveillance systems, physical entry protection)
  • Access controls (e.g., guidelines for visitors, suppliers, and IT providers)
  • Network security (e.g., network segmentation, network access protection)
  • Raising employee awareness of IT security
  • Software and system management (e.g., patch management, access to administrative accounts)
  • Compliance with legal and industry-specific requirements


Mobile Devices, e.g., Staff Tablets

Smartphones and tablets have become an integral part of our daily lives and are also used in medical practices and hospitals. These devices typically have access to the internal network and are thus considered part of the critical infrastructure. Our security assessments cover both the devices themselves and the individual applications running on them.

As part of our security testing procedures, we verify the:

  • Secure configuration of mobile devices
  • Secure implementation of mobile applications


Medical Equipment, Both Stationary and Mobile

Whether a mobile patient monitor with Wi-Fi connectivity or a stationary respiratory apparatus with a network connection, modern medical equipment is interconnected via IT networks and therefore potentially susceptible to cyber attacks. Besides these network interfaces, physical interfaces also allow for the manipulation and potential theft of personal data. In a worst-case scenario, sensitive data could be extracted or the device's firmware could be compromised via interfaces like USB.

We have many years of experience in testing this type of equipment and examine your systems – from the circuit board to the firmware. Our comprehensive testing process covers the following elements:

  • Possible access to sensitive data and manipulation of the device via
    • User interfaces and controls
    • External interfaces (e.g., USB, Ethernet) and wireless interfaces (e.g., Wi-Fi, Bluetooth)
    • Bus systems (e.g., SPI, I²C)
    • Debugging interfaces (e.g., UART, JTAG)
  • Vulnerability analysis of the firmware and the firmware update process

Contact us!

Dr. Antje Winkler

Partner | Offensive Security