RESUMEN
BACKGROUND: Health information systems (HISs) are continuously targeted by hackers, who aim to bring down critical health infrastructure. This study was motivated by recent attacks on health care organizations that have resulted in the compromise of sensitive data held in HISs. Existing research on cybersecurity in the health care domain places an imbalanced focus on protecting medical devices and data. There is a lack of a systematic way to investigate how attackers may breach an HIS and access health care records. OBJECTIVE: This study aimed to provide new insights into HIS cybersecurity protection. We propose a systematic, novel, and optimized (artificial intelligence-based) ethical hacking method tailored specifically for HISs, and we compared it with the traditional unoptimized ethical hacking method. This allows researchers and practitioners to identify the points and attack pathways of possible penetration attacks on the HIS more efficiently. METHODS: In this study, we propose a novel methodological approach to ethical hacking in HISs. We implemented ethical hacking using both optimized and unoptimized methods in an experimental setting. Specifically, we set up an HIS simulation environment by implementing the open-source electronic medical record (OpenEMR) system and followed the National Institute of Standards and Technology's ethical hacking framework to launch the attacks. In the experiment, we launched 50 rounds of attacks using both unoptimized and optimized ethical hacking methods. RESULTS: Ethical hacking was successfully conducted using both optimized and unoptimized methods. The results show that the optimized ethical hacking method outperforms the unoptimized method in terms of average time used, the average success rate of exploit, the number of exploits launched, and the number of successful exploits. We were able to identify the successful attack paths and exploits that are related to remote code execution, cross-site request forgery, improper authentication, vulnerability in the Oracle Business Intelligence Publisher, an elevation of privilege vulnerability (in MediaTek), and remote access backdoor (in the web graphical user interface for the Linux Virtual Server). CONCLUSIONS: This research demonstrates systematic ethical hacking against an HIS using optimized and unoptimized methods, together with a set of penetration testing tools to identify exploits and combining them to perform ethical hacking. The findings contribute to the HIS literature, ethical hacking methodology, and mainstream artificial intelligence-based ethical hacking methods because they address some key weaknesses of these research fields. These findings also have great significance for the health care sector, as OpenEMR is widely adopted by health care organizations. Our findings offer novel insights for the protection of HISs and allow researchers to conduct further research in the HIS cybersecurity domain.
Asunto(s)
Inteligencia Artificial , Sistemas de Información en Salud , Humanos , Registros Electrónicos de Salud , Seguridad Computacional , Programas InformáticosRESUMEN
BACKGROUND: The Intelligent Medical Diagnosis System (IMDS) has been targeted by the cyber attackers, who aim to damage the Healthcare Critical National Infrastructure (CNI). This research is motivated by the recent cyber attacks happened worldwide that have resulted in the compromise of medical diagnosis records. This study was conducted to demonstrate how the IMDS could be attacked and diagnosis records compromised (i.e. heart disease) and suggest a list of security defence strategies to prevent against such attacks. METHODS: This research developed an IMDS simulation platform by implementing the OpenEMR system. A Cardiac Diagnosis Component is then added to the IMDS. The IMDS is fed with the ECG data (retrieved from the PhysioNet/Computing in Cardiology Challenge 2017). This research then launched systematic ethical hacking, which was tailored to target IMDS diagnosis records. The systematic hacking was based on the NIST ethical hacking method and followed an attack pathway, starting from identifying the entry points of the medical websites, then propagating to gain access to the server, with the ultimate aim of modifying the heart disease diagnosis records. RESULTS: The hacking was successful. Four major vulnerabilities (i.e. broken authentication, broken access control, security misconfiguration and using components with known vulnerabilities) were identified in the simulated IMDS and the cardiac diagnosis records were compromised. This research then proposed a list of security defence strategies to prevent such attacks at each possible attacking points along the attacking pathway. CONCLUSIONS: This research demonstrated a systematic ethical hacking to the IMDS, identified four major vulnerabilities and proposed the security defence pathways. It provided novel insights into the protection of IMDS and will benefit researchers in the community to conduct further research in security defence of IMDS.
Asunto(s)
Seguridad Computacional , HumanosRESUMEN
En Cuba la mayoría de los especialistas de seguridad informática tienen un escaso conocimiento sobre las herramientas indispensables del hacking ético. Para realizar la presente investigación se hicieron búsquedas bibliográficas nacionales e internacionales. De la gran cantidad de herramientas disponibles en distribuciones especializadas para la seguridad informática (Parrot Security, Black Arch y Kali Linux), se seleccionaron aquellas que se ajustaban más a las características de las redes cubanas. Este trabajo tuvo como objetivo describir algunas de las herramientas seleccionadas para el escaneo y explotación de vulnerabilidades, y conceptos fundamentales sobre el tema. Consideramos que este estudio puede ser provechoso para los especialistas cubanos en seguridad informática pues les servirá no solo para conocer sobre el hacking ético, sino también cuáles son las herramientas que se pueden emplear, teniendo en cuenta las características de nuestras redes nacionales(AU)
In Cuba, most computer security specialists have little knowledge about the essential tools of ethical hacking. To carry out the present investigation, national and international bibliographic searches were made. From the large number of tools available in specialized distributions for computer security (Parrot Security, Black Arch and Kali Linux), those that best fit the characteristics of Cuban networks were selected. Our research aimed to describe some of the selected tools for scanning and exploiting vulnerabilities, and fundamental concepts on the subject. We believe that this study will be very useful for Cuban specialists in computer security because it will serve them not only to learn about ethical hacking; but also, what are the tools that can be used taking into account the characteristics of our national networks(AU)