A 'Radiography' of the [In]Security of PACS & DICOM Systems

BSides SATX 2019

Presented by: Carlos Avila
Date: Saturday June 08, 2019
Time: 11:00 - 11:50
Location: Moody 101
Track: In the Clouds

At this point, no one is surprised when you visit a doctor and complete your medical history on a computer or on a mobile device, but perhaps not so many of us wonder where and how this information is stored, as well as what impact it would have if other people obtained that information. In this talk I try to analyze and answer these questions from the vulnerabilities found in different medical applications evaluated in web and mobile applications, such as PACS systems, DICOM viewers, and ERM / HRM / RIS systems, which commonly connect over the DICOM / HL7 protocols. During the time that I have been investigating these types of systems I have found failures at the code level, mainly of the injection type, server implementation errors, credentials "hardcoded" in applications, and information disclosure; each of these would put at risk the sensitive data of patients and doctors, as well as put at risk a complete health infrastructure. The talk will show the level of exposure of these systems based on the analysis I have made and the failures found and reported, and I also include a demonstration against one of these systems. Hospitals, clinics, patients, doctors and monitoring systems / devices could be affected by these vulnerabilities.

Carlos Avila

Carlos Avila is Chief Security Ambassador at ElevenPaths and also works as an independent consultant in the Information Security industry, fulfilling several mainly technical roles. Carlos is a founding member of ISSA Capitulo Ecuador and is a guest speaker at conferences and events on computer security. He's an instructor of security-related topics such as Pentesting, Code Review, Defense Techniques and Hardening of Platforms.

KhanFu - Mobile schedules for INFOSEC conferences.