Ransomware attacks in healthcare are our biggest threat according to the annual report of Z-Cert.nl. In this report it’s mentioned that the vendors of the healthcare providers are targeted more often compared to the individual practices or professionals (page 16).
The reason could be that the impact could be bigger if you hack a vendor, as they likely supply multiple customers at the same time.
The biggest vendors in Dutch primary health care are the ones building our EHR systems. They store our most confidential information and are often complex applications that have to support integrations with tons of other systems.
Today we will see if we can find a bug in one of those systems to upload our executable file (a dummy virus). This vector could be of interest to ransomware groups, as they want to run their code inside the environment where sensitive data is stored. They use bugs like these to gain remote access to the systems and encrypt the files so they can extort the victim in a later phase.
The vendor of today (Bricks Huisarts Tetra) has a coordinated vulnerability disclosure, which is awesome! See https://brickshuisarts.nl/security.txt and https://brickshuisarts.nl/security-policy.html
It’s highly recommended to publish such a coordinated vulnerability disclosure; it gives clear instruction in how to proceed when finding bugs and makes it less risky for ethical hackers to help them out.
The quickest way to send a malicious executable to health care providers is just to use the email. Sadly this medium is still used in health care to receive information from patients.
“Got a red spot on your skin? Email us a picture please.” — current state of healthcare
But who is trained to see if the file bigredspot1.jpg.exe is malicious when double clicked? By the end of the day we are quite good in detecting red spots caused by viral infections, but not to detect malicious files containing viruses.
Luckily we have apps that allow us to safely interact with our primary health care provider. After login you could ask them a question and attach a file (picture) if necessary. But what if the attached file is a malicious executable? Would the system receiving our executable process it and show it inside the application used by the doctor?
Below the dashboard used by the doctor when receiving a question from one of its clients who uses the portal app.