Login Papers Register

Need an account to vote? Register to attend at gsec.hitb.org/sg2018/
Deadline is 30th June 2018!

<< previous next >>

Exposed Devices and Supply Chain Attacks: Overlooked Risks in Healthcare Networks

Mayra Fuentes

0 vote(s)

At any one time the world’s connected hospitals could be running as many 100,000 devices, putting hospital operations, data privacy and patient health at risk. We analyzed internet-connected medical-related devices and systems for the US and multiple countries around the world. We successfully discovered exposed Digital Imaging and Communications in Medicine (DICOM) servers, hospital admin consoles, electronic medical records, pharmacy management software and industrial controllers that should not be viewable publicly and can be easily leveraged by hackers for remote attacks.

We will also shed light on the yet-unexamined attack vector in supply chains which threat actors can take advantage of weaknesses to infiltrate healthcare networks. A hacker can exfiltrate confidential/sensitive information, introduce an unwanted function or design, disrupt daily operations, manipulate data, install malicious software, introduce counterfeit devices, and affect business continuity. The healthcare industry is more dependent than ever on cloud-based systems, third-party service providers, and vendors in the supply chain.

With that in mind, we examined the different entry points that can render a network susceptible to a supply chain attack, and the different kinds of attacks that can be deployed by cybercriminals. Finally, we will discuss the underground market for medical information once it has been compromised. We seek to arm IT security teams with a broader perspective about the kinds of threats that they should defend their networks against.


Ms. Fuentes is a Senior Threat Researcher for Trend Micro’s Micro's Forward-Looking Threat Research (FTR) Team. She has worked in the cyber threat field with 10 years’ experience as senior cyber threat analyst for the Department of Defense, US intelligence agencies and private sector.