Penetration Testing: Medical
A medical facility used the technical resources of their nationally recognized Electronic Medical Records (EMR) provider to set up and maintain their network, servers, and workstations. Although the medical facility firmly believed everything was secure, they wanted to be sure. To ensure the security of the sensitive data patients entrusted to the medical facility, they hired High Bit Security to perform testing to identify security vulnerabilities in their systems via an engagement called a penetration test. During a penetration testing engagement, High Bit Security performs IT security testing and, once testing is finished, provides a report detailing the security holes, where they were found, what they mean, and specifically how to correct the vulnerabilities identified.
For this engagement, High Bit Security performed an external penetration test, which is IT security testing performed from outside the network, as a hacker would. High Bit Security also performed an internal penetration test, which is an IT security test performed against the inside of the network to emulate what a hacker could do once they compromise the environment.
To the surprise of the medical facility, High Bit Security produced a nearly 150-page security report.
During external testing, High Bit Security discovered configuration problems exposing useful information to hackers and found a security flaw that would have allowed a hacker to compromise the network from outside the building.
During internal testing, High Bit Security identified the following security vulnerabilities:
- A vulnerability that would allow a hacker to connect to any machine in the environment and gather all user accounts.
- Misconfiguration of workstations and servers that would allow a hacker full control over every workstation and server in the environment.
- Outdated software that allowed High Bit Security to pull and decrypt the passwords for every account in the system, a vulnerability that would have allowed hackers to create administrator accounts on the target systems.
- Misconfiguration of the all-in-one printer allowing High Bit Security to gain access to the sensitive information being printed and copied.
- Misconfiguration that allowed High Bit Security to remotely connect to internal machines and transfer any data from the internal network to the outside.
- Vulnerabilities allowing a hacker to covertly install malicious software on the network.
The medical facility was extremely pleased they engaged High Bit Security. The new IT support company, which replaced the nationally recognized EMR company, reviewed the report results with High Bit Security, and made the changes to the medical facility systems in order to close out all security flaws identified. The new IT support company easily saved over a hundred hours of research and investigation as a result of the details and guidance contained in the High Bit Security reports, allowing them to implement the corrections quickly and efficiently.
The engagement was summed up best by one of the medical facility's founders: "Certainly the money I spent on testing by High Bit Security was well worth it."