Misconfigured API endpoint on portal.skge.nl leaks PII data of registered healthcare providers | by Jonathan Bouman | Mar, 2024


Ransomware attacks are the biggest threat to healthcare, according to the annual report of Z-Cert.nl. The report notes (page 16) that the vendors serving healthcare providers are targeted more often than individual practices or professionals.

The likely reason is that the impact of compromising a vendor is larger: a vendor usually serves many customers at the same time.

Most people think of healthcare vendors that are used directly by patients, for example the personal alarm systems our elderly rely on. Last year one of those vendors, Tunstall, fell victim to a ransomware attack.

But what about the vendors that host sensitive data about the healthcare providers themselves, for example the complaints officers and dispute resolution bodies? What if they have bugs that leak data?

If we could figure out who has signed up with them, we could spear phish those healthcare providers with a very plausible lure: “You received a complaint, enter your password now”.

Today we will hack the firm I use as complaints and disputes committee for my own healthcare work: SKGE.nl.

More than a year ago we discussed the data leak at HAwebsso.nl, which exposed the private details of more than 15k Dutch doctors, including their email addresses and hashed passwords. That was an interesting finding, as the bug had been present for at least three years (judging by Archive.org snapshots, maybe even five).

The LHV quickly mitigated the bug and coordinated the disclosure: a great example of how coordinated vulnerability disclosure (CVD) can be applied in healthcare.

Today's vendor, SKGE.nl, however, did not have such a coordinated vulnerability disclosure policy at the time of reporting.

The good news is that after the report SKGE published a CVD policy that matched the NCSC guidelines. The sad news is that the influx of bogus reports was too high for them to keep it online; at the time of writing (17-03-2024) they were looking for a solution to this (Z-Cert might be able to help out here).

An interesting lesson, and something we need to fix on a wider scale if we want every organisation to be able to offer CVD. Is this something our government should fix, for example by providing grants to nonprofits that need CVD triage services? Or by offering such triage as a service itself?

One might ask oneself: is it unethical to hack a system if you're not explicitly allowed to hack it?

This sort of security research serves the public interest and can be compared to a journalist investigating matters that seriously affect our society, especially when the system hosts your own data.

Also see the Code of Conduct of the DIVD:

We are aware that we operate at the edges of what is legally allowed, so we proceed by these three criteria commonly used in court cases on vulnerability disclosures:

Societal need: we do vulnerability disclosure to prevent online damage to as many internet users as possible and don’t serve any particular financial, political or individual interests.

Principle of Proportionality: we serve this need with appropriate means. Our research should increase and not decrease the integrity and availability of online systems.

Principle of Subsidiarity: if several means are available to meet the need, we opt for the one which has the least impact.

A real-world example is when the Dutch journalist Daniel Verlaan hacked the video conference of the EU defence ministers. As far as I know he did not have permission to research it, but he was not charged for this hack. Mr Borrell told him during the call:

“You know it’s a criminal offence, huh? You’d better sign off quickly before the police arrives.” — Mr. Borrell, 21 November 2020

A clear signal that we still have work to do to convince (political) leadership that ethical journalists and hackers like Daniel should be endorsed, not charged, intimidated, or subjected to laws that make their work risky.

Sharing insights and letting everyone learn from previous bugs is the only way forward; the threats we compete with are state actors (unlimited budgets) and ransomware groups with millions of dollars in their bank accounts (or bitcoin wallets).

A good development is the recent endorsement of the DIVD by our Minister of Justice (in Dutch). The DIVD scans the whole internet non-stop for vulnerabilities and responsibly discloses the bugs it finds to the owners of the systems, wherever in the world they are and regardless of whether they have a responsible disclosure policy. Nobody would prosecute a firefighter, right? By the way, they are always looking for talent, so join them if you can!

The platform has a portal that healthcare providers use to change their contact details.

The portal when logged in.

The actual complaints are not registered in the portal at all. If you don't store it, you can't lose it: a smart move, as it reduces the attack surface.

So let's see whether we can access other providers' data. A good place to start is always the spots where we can download invoices: those endpoints take an identifier for a record that belongs to one specific user, which makes them a classic place to check for insecure direct object references (IDOR).
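To make concrete what "checking the invoice download spots" means, here is an added example in Python. It is not code from portal.skge.nl or from the author; the in-memory invoice store, the provider and invoice ids, and the handler names are all constructed for illustration. It puts a handler that trusts the invoice id from the request next to one that scopes the lookup to the logged-in provider, and a small probe that walks an id range with one provider's session and reports which records came back belonging to someone else.

```python
"""Illustrative IDOR check on an invoice-download endpoint.

Constructed example, not code from portal.skge.nl or from the author.
The data store, provider ids, invoice ids and handler names are made up.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    provider_id: int  # the healthcare provider that owns this invoice
    pdf_name: str


# Constructed sample data: three providers (7, 8, 9) with sequential invoice ids,
# the kind of predictable identifier that makes enumeration trivial.
INVOICES = {
    1001: Invoice(1001, 7, "invoice-1001.pdf"),
    1002: Invoice(1002, 7, "invoice-1002.pdf"),
    1003: Invoice(1003, 8, "invoice-1003.pdf"),
    1004: Invoice(1004, 9, "invoice-1004.pdf"),
}


@dataclass
class Response:
    status: int
    body: Optional[Invoice] = None


def download_invoice_vulnerable(session_provider_id: int, invoice_id: int) -> Response:
    """Looks the invoice up purely by the id taken from the request.

    The session is authenticated, but never consulted: any logged-in provider
    can fetch any other provider's invoice by incrementing the id.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return Response(404)
    return Response(200, inv)


def download_invoice_hardened(session_provider_id: int, invoice_id: int) -> Response:
    """Scopes the lookup to the authenticated provider.

    'Does not exist' and 'not yours' both return 404 rather than 403, so the
    endpoint does not confirm to an enumerating client that a foreign id is valid.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.provider_id != session_provider_id:
        return Response(404)
    return Response(200, inv)


Handler = Callable[[int, int], Response]


def probe_idor(handler: Handler, session_provider_id: int, candidate_ids: range) -> list[int]:
    """Walks a range of invoice ids with a single provider's session.

    Returns the ids that came back 200 but belong to a different provider.
    A non-empty result is an IDOR finding; an empty result means this id
    range did not leak through this handler.
    """
    leaked = []
    for invoice_id in candidate_ids:
        resp = handler(session_provider_id, invoice_id)
        if resp.status == 200 and resp.body is not None and resp.body.provider_id != session_provider_id:
            leaked.append(invoice_id)
    return leaked


if __name__ == "__main__":
    # Provider 7 walks ids 1000..1009 against both handlers.
    print("vulnerable:", probe_idor(download_invoice_vulnerable, 7, range(1000, 1010)))
    print("hardened:  ", probe_idor(download_invoice_hardened, 7, range(1000, 1010)))
```

Against a real portal the probe would issue HTTP requests with one account's session cookie instead of calling a local function, and you would compare responses across two accounts you own rather than touching other people's records more than needed to confirm the bug. The design point in the hardened handler is that ownership is part of the lookup key, not a check bolted on afterwards, and that the not-found and not-yours cases are indistinguishable to the caller.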
