PC Magazine - USA (2020-09)


Seth Fogie, Information Security Director for Penn Medicine, performed what
he called an onscreen biopsy of healthcare security in the US for Black Hat
attendees. It wasn’t pretty.


KNOWN PROBLEMS
As Fogie introduced himself, he noted that he had presented at Black Hat
years ago on the topic of Pocket PC security abuse. That seems dated today, but
as he pointed out, Windows CE and other antiquated, insecure systems are still
used in the healthcare industry.


“Patient records are being exploited and sold,” explained Fogie. “There is
monetary value.”


In the security business, you often hear about zero-day vulnerabilities—security
holes that are so new, nobody has seen them before. Fogie characterized the
health industry’s problems as one-day vulnerabilities. They’re known, but
they’re not fixed.


“H-ISAC (Health Information Sharing and Analysis Center) is aware, the
vendors are aware, but there’s no guarantee of remediation,” said Fogie. He
noted that no vendor names will appear in his talk. “My aim is to bring
awareness to the public, guidance to the vendors, and insight for security folks.”


THE BLACK HAT CLINIC
Fogie cast his engaging presentation as a story about a visit by Alice and Bob to
the Black Hat Clinic. Security wonks will remember Alice and Bob from the
original cryptographic paper in which Rivest, Shamir, and Adleman laid the
groundwork for public-key encryption. Now they’re much older, and Bob needs
attention at the clinic.


Drawing on his actual experience testing security, Fogie examined seven
distinct types of medical systems that could be compromised, some with
disastrous results. The story begins with an unfamiliar face appearing on the TV
in Bob’s room and making a vague threat. How could that happen? Turns out
it’s not a TV; it’s a Patient Entertainment System. As such, it can handle meal
orders, accept screencasts from doctors, and more. And it’s not secure.
