A large hospital system needed to test the security of its IT infrastructure, including the internal network, internet-facing devices, web applications, and wireless network. Given the protected health information (“PHI”) under its control, it was important for the hospital to take proactive steps to secure its data. The hospital engaged Virtus to conduct a simulated cyber-attack, also known as a penetration test, to see how easy it would be for a hacker to compromise its systems.
Impact
As you can imagine, in an ever-changing world with new threats like the recent COVID-19 pandemic, the security of hospital networks is paramount. Exploited vulnerabilities in the hospital's infrastructure could lead to major denial of service, potential interruption of lifesaving operations, and the disclosure of protected health information.
Resolution
Virtus' ethical hacking team simulated a cyber-attack, testing over 1,000 devices, and uncovered over 30 critical vulnerabilities, including EternalBlue, NPT enumeration, outdated versions of Apache, PHP, and more. It was also determined that a hacker could achieve privilege escalation on the internal network, allowing unauthorized access to sensitive systems hosting patient data. Additionally, the team uncovered a vulnerability that could expose hospital staff usernames and passwords.
Results
The hospital system was immediately notified of the critical findings, and Virtus' cybersecurity engineers worked with the hospital to develop a remediation plan. The hospital was able to secure its IT infrastructure and proactively protect its data.

