Penetration Testing of a Hospital IT Infrastructure for a US Health System

Customer

The Customer is a large US public health system with over 20 outpatient clinics and a teaching hospital.

Challenge

The Customer was concerned about potential vulnerabilities in the internal IT infrastructure of their teaching hospital that could endanger personal health information of their patients and critical IT services, causing HIPAA compliance breaches and workflow disruption. The size and complexity of the hospital’s IT environment required a comprehensive and scrupulous approach, so they were looking for an experienced provider with a vast portfolio of pentesting projects for the healthcare industry.

Solution

Having analyzed the Customer’s testing scope and needs, ScienceSoft suggested gray box penetration testing to deliver quick and comprehensive results. A team of 3 penetration testers started with automated vulnerability scanning to detect security gaps in the internal infrastructure, then analyzed the findings to exclude false positives and proceeded with vulnerability exploitation.

Due to the Customer’s proactive approach to cyberdefense – regular security testing and continuous vulnerability management of their IT assets as required by the HIPAA Security Rule – their internal infrastructure didn’t have severe vulnerabilities. However, ScienceSoft’s penetration testers revealed a number of less critical security gaps that could be exploited to break through the hospital’s security perimeter: e.g., an obsolete operating system, outdated software, expired SSL certificates, deprecated SSH cryptographic settings, weak security configurations of a remote desktop protocol (RDP).

ScienceSoft’s team recommended corrective actions to improve the protection against potential attacks, e.g., updating OS and vulnerable software to the latest available versions, enabling Network Level Authentication (NLA) on the remote RDP server and upgrading RDP encryption level, installing SSL certificates with valid start and end dates.

The entire project (from planning to reporting the results) took 18 days.

Results

The Customer got a comprehensive report describing detected vulnerabilities classified according to their severity, the likelihood of their exploitation, and actionable guidance on vulnerability remediation. Relying on the guidance, the Customer’s IT team fixed potentially dangerous security issues and ensured high security level of their internal IT infrastructure.

Technologies and Tools

Nessus, OWASP Zed Attack Proxy (ZAP), SSLScan, Metasploit, Burp Suite, Nmap, dirb, DBeaver.