A nationally recognized teaching hospital in the United States began a multi-week security assessment. As a result, several vulnerabilities were found in the organization's security controls. v26 Labs had the opportunity to test the security controls at that point. After gathering intelligence during the reconnaissance phase, our team was able to bypass security and was given full access to over 120 patient records over a period of six hours. The v26 team was retained to work with the organization to mitigate those security issues.
Confronted with a need to gather information from a threat assessment standpoint, the v26 team worked with this organization to locate security vulnerabilities that had been missed by previous, meaningless automated penetration tests that another security firm had performed months earlier. It became clear that hospital staff members were unfamiliar with the methods by which attackers can bypass physical and technical security, such as firewalls and other security hardware and software, and launch a direct memory access (DMA) attack, which is made possible by gaining physical access to computer terminals located in central stations as well as at the bedside.
By simulating spear phishing as well as other attacks, we were able to demonstrate how their infrastructure continued to be vulnerable to attacks that were not detectable using automated scanning tools. We completed a fresh analysis of the organization's then-current security protocols and discovered new attacks to which they were vulnerable. Based on a customized security assessment, we were able to use security awareness training to help address their security weaknesses.
Because security threats are persistent and always changing, conversations and assessments continue on an ongoing basis. We were able to help this organization save over $500,000 in costs, protect their patients' PHI, and avoid a public relations nightmare by revealing what was missed in a standard panel of penetration tests. By simulating real-world attacks, we were able to illustrate to the organization how much their vulnerabilities could cost them. While threat actors, both external and internal, rely on new exploits and a lack of security awareness on the part of their large and small healthcare targets, we were able to catch these vulnerabilities in time. We continue to monitor this organization's risk.