Healthcare providers rely on Hospital Information Systems (HIS) and other similar platforms to manage operations and finances. Such systems are often developed by 3rd party organisations that provide the HIS solution to multiple healthcare providers, making the HIS developers attractive targets for threat actors who see an opportunity to attack multiple hospitals by compromising one organisation. Threat actors who wish to target an individual healthcare facility also attempt to find vulnerabilities in the HIS solution, making HIS a critical target for both the developer and their customers.
Cyber Attacks On Hospital Information Systems
Cyber attacks on HIS and similar healthcare platforms, that can disrupt operations across multiple healthcare facilities, are not just hypothetical scenarios. Real-world attacks include
- Elekta – Threat actors attacked Elekta’s cloud-based platform that is used to store and transmit healthcare data. The ransomware attack and data breach affected 170 of its healthcare clients, and resulted in a class action lawsuit
- United Health Group – A cyber attack on Change Healthcare, the USA’s largest healthcare billing and payment clearinghouse (part of the United Health Group), resulted in healthcare providers being forced to borrow to meet expenses, an investigation by the US government, and a 7% drop in stock price
How VAPT Can Help Secure Hospital Information Systems
Vulnerability Assessment and Penetration Testing (VAPT) is a systematic assessment of an organisation’s cyber defences which includes both scanning for vulnerabilities and attempting exploitation of identified vulnerabilities. K7’s blogs have discussed how VAPT can be used to strengthen enterprise cyber security, how businesses should choose a VAPT provider, and how VAPT can help the C-suite achieve strategic objectives.
VAPT can be used by HIS developers to test their organisation’s cyber defences (to prevent digital supply chain attacks that compromise their product) and to identify as yet undiscovered vulnerabilities in their HIS solution. Healthcare providers can use VAPT to identify vulnerabilities in the HIS solution they use and work with the vendor to avoid cyber attacks that can disrupt their operations, cause brand deterioration, and invite regulatory action and litigation.
Vulnerabilities Identified In Hospital Information Systems By K7 VAPT
K7’s VAPT team have identified multiple vulnerabilities, including several critical vulnerabilities, when analysing HIS solutions. Some of these vulnerabilities are listed below as examples of how healthcare operations may be compromised through Hospital Information Systems.
1. Stored Cross-Site Scripting
K7 VAPT identified a vulnerability in the Appointment Scheduling web forms of a HIS that allowed insertion of malicious scripts in place of genuine scripts meant to provide contextual error messages. The malicious script would execute for every user (front office staff, lab technicians, doctors) in their browser, allowing the attacker to control the user’s browser (browser hooking).
2. SQL Injection
K7 VAPT discovered an SQL Injection vulnerability in a HIS that allowed malicious users to view the database schema and access all tables in the hospital’s Oracle database, exposing the Personally Identifiable Information (PII) and files of all patients treated in the facility.
3. Stored HTML Injection
K7 VAPT discovered a Stored HTML Injection vulnerability in a HIS that allowed threat actors to inject HTML code into web forms, enabling website defacement, loading content from remote websites, and linking images to 3rd party websites which could host cross-site scripting attacks or drive-by downloads.
4. File Download without Access Control
K7 VAPT identified a vulnerability in download links sent to patients that allowed access to files without access control. A threat actor could stage a man-in-the-middle attack, intercept the message with the link, and then access the patient’s file without authorisation. All scans, reports, prescriptions, and other documents related to the patient could be downloaded. Modified files could also be uploaded to the HIS, compromising the integrity of the healthcare information the hospital relies on to treat the patient and exposing the hospital to liability claims.
5. Improper Logout Procedure
K7 VAPT discovered that a HIS did not clear the user’s cache when logging out. On shared computers, which are common in healthcare facilities, the browser back button could be used by a subsequent user to access the previous user’s account and perform modifications to hospital records that would be attributed to the previous user.
6. Server Response Manipulation
K7 VAPT discovered that the Cross-Origin Resource Sharing (CORS) header Access-Control-Allow-Origin for a HIS, which controls access to internet resources outside a domain, was configured with a wildcard. This allowed any domain, including one controlled by an attacker, to receive a response from the HIS server instead of the website that sent the request.
7. Exposed Internal IP Address
K7 VAPT discovered that the internal IP address of a HIS was exposed in HTTP responses from the HIS server, allowing threat actors to access confidential hospital information through Server Side Request Forgery (SSRF) attacks.
8. Upload of Files with Two Extensions
A HIS allowed file uploads as medical practitioners needed to store patient-related (and other) files. K7 VAPT discovered that the HIS did not check if the headers of uploaded files matched the file extensions, allowing threat actors (including internal threat actors) to upload files with two extensions (e.g., .jpg.bat) which could mislead users into opening or sharing files that have malicious content. Additionally, server error messages related to the file included the full URL of the file which could be used for malicious activity such as viewing patient information or launching Remote Code Execution attacks.
9. Exposed Email Address
K7 VAPT discovered that the developer’s email address was revealed in server response messages. Knowing the developer’s email address would allow a threat actor to attempt brute force attacks or social engineering attacks that include emailing the developer requesting information on the HIS website.
The above list provides a snapshot of the vulnerabilities that could exist in a Hospital Information System and expose the hospital using the HIS, or the developer of the HIS, to cyber attacks that could result in brand deterioration, lawsuits, regulatory penalties, and stakeholder alarm. K7 VAPT helps prevent such cyber attacks by providing a comprehensive, forensic analysis of HIS which enables proactive vulnerability mitigation by hospitals and HIS developers. Contact Us for more information on how K7 can help secure your Hospital Information System.
