Background: Health Information systems (HIS) are continuously targeted by hackers, who aim to bring down the Health Critical Infrastructure. This study is motivated by recent attacks to healthcare organisations that have resulted in the compromise of the sensitive data held in HIS. Existing cyber security research in the healthcare domain places an imbalanced focus on protecting medical devices and data. There is a lack of a systematic way to investigate how attackers may breach a HIS and access healthcare records, with the view to improving cybersecurity in the future.
Objective: This research aims to provide new insights regarding HIS cybersecurity protection. We propose a systematic and novel optimized (AI-based) ethical hacking method tailored specifically for HIS, and we compare it with traditional unoptimized ethical hacking method. It allows researchers and practitioners to identify the points and attack pathways of possible penetration attacks to HIS more efficiently.
Methods: In this study, we propose a novel methodological approach to ethical hacking for HIS. We launched ethical hacking using both optimized and unoptimized methods in an experimental setting. Specifically, we set up an HIS simulation environment by implementing the OpenEMR (Open Electronic Medical Record) system and followed the National Institute of Standards and Technology's (NIST) ethical hacking framework to launch the attacks. In the experiment, we launched 50 rounds of attacks using both unoptimized and optimized ethical hacking methods.
Results: Ethical hacking was successful using both optimized and unoptimized methods. The results show that the optimized ethical hacking method outperforms the unoptimized one in terms of average time used, average success rate of exploit, number of exploits launched, and number of successful exploits. We are able to identify the successful attack paths, and the exploits that are related to remote code execution, cross-site request forgery, improper authentication, vulnerability in the Oracle Business Intelligence Publisher, an elevation of privilege vulnerability (in MediaTek), and remote access backdoor (in the Web GUI for the Linux Virtual Server).
Conclusions: This research demonstrates systematic ethical hacking against HIS using optimized and unoptimized methods together with a set of penetration testing tools to identify exploits and combining them to perform ethical hacking. The findings contribute to Health Information Systems (HIS) literature, ethical hacking methodology and mainstream AI-based ethical hacking method as it addresses some key weaknesses of these research fields. The findings also have great significance for the healthcare sector, as OpenEMR is widely adopted by healthcare organisations. Our findings offer novel insights for the protection of HIS and equips researchers toward conducting further research in the HIS cybersecurity domain.
He, Y., Zamani, E., Ni, K., Yevseyeva, I., & Luo, C. (in press). AI-based Ethical Hacking for Health Information Systems (HIS): a simulation study. Journal of Medical Internet Research,