Challenges Faced + Ethics for IBCS M26
Focus of White Box Testing
Internal workings, code logic, structure.
White Box Tester Knowledge
Requires deep understanding of the codebase.
Approach of White Box Testing
Code paths, branches, logic.
Tools/methods of White Box
Code review, unit testing, path testing.
Advantages of White Box Testing
Helps identify logical errors and code vulnerabilities. Better code optimisation and thoroughness achieving a high code coverage. Can be easily automated for uninterrupted service delivery.
Disadvantages of White Box Testing
Requires extensive coding expertise and time. Can be expensive to conduct. Does not reflect experiences on the user-level. High maintenance and inability to detect requirements that aren’t implemented already.
Use Case of White Box Testing
Debugging and verifying the logic of critical code. Used to verify interaction between code units and how data is handled in an application.
Suitability of White Box Testing
Offers more depth and precision than other test methods. Governance needs to be strict as this method can be invasive and PHI is at risk.
Focus of Black Box Testing
Functionality and end-user experience.
Black Box Tester Knowledge
No knowledge of internal code structure or implementation.
Approach of Black Box Testing
Testers validate the system against requirements.
Tools/methods of Black Box Testing
Functional testing, regression testing (re-running functional/non-functional tests to ensure modifications to code haven’t affected software performance), UI testing.
Advantages of Black Box Testing
Simulates real user and malicious hacker behaviour, unbiased testing. Finds weakest part of system from a hacker POV.
Disadvantages of Black Box Testing
With limited knowledge, there is a risk of harming the system and jeopardising continued service. Especially in the IoMT with a possible compromise to the interconnectedness of the system.
Use Case of Black Box Testing
Testing UI and overall system behaviour. Holistic approach.
Suitability of Black Box testing
Less suitable for hospital settings due to higher disruption risk.
Focus of Grey Box Testing
Combination of functionality and some internal code logic. Authentication, input validation, weak or missing Role Based Access Control (RBAC - end-user access authorisation) checks.
Tester knowledge of Grey Box Testing
Partial understanding. Insider threat or external hacker with some insider information.
Approach of Grey Box Testing
Testers leverage limited system knowledge to design tests for a healthcare system. Conducted in controlled environment.
Tools/methods of Grey Box
Burp Suite, OWASP ZAP, manual inspection
Advantages of Grey Box Testing
Balanced approach. Wider coverage than other testing methods. More efficient use of resources as plans are better tailored with partial knowledge while not being incredibly comprehensive.
Disadvantages of Grey Box Testing
Dependent on partial knowledge. Can be difficult to test complex cases. Hard to trace root of bugs without knowledge of source code.
Suitability of Grey Box testing
More suitable for live hospital networks requiring uninterrupted service delivery
Evaluation of testing methods.
Best is grey box. While not as thorough, allows for inspection of front-end vulnerabilities and more in-depth analysis for later exploits in response plan. Also simulates most realistic hacker perspective. However, on outdated IoTs, white box may be best as they can crash under heavy attacks.
Why is penetration testing important in healthcare?
Healthcare keeps a lot of medical data online now.
A data breach is costly, averaging over $10 million per incident (2024 IBM report).
Operational Continuity
Patient data needs to be completely secure and stay that way since it is a constant target.
Encryption
Add additional layers of encryption such as biometric authentication or MFA to protect patient data.
Staff Training during Vulnerability Testing
Helps staff know what is out of order during the PTES to stop any issues and continue to work as smoothly as possible.
Emergency Procedures
Developing clear and actionable guidelines for potential disruptions i.e. isolating systems and maintaining communication.
Back-up infrastructure
Implements redundancy for critical systems (off-site back-ups, cloud storage, secondary servers) to maintain OC while testing and in case of breach. Minimises potential downtime.
Why uninterrupted service delivery is important
Patient safety/life-critical services
Continuous access to EHRs and clinical systems
Avoiding disruption to hospital operations
Maintaining trust of healthcare services
Ethics: Proper Authorisation
Unapproved testing could breach hospital policy, violate regulations, impact systems. Phase 1 creates an audit trail establishing written authorisation.
Ethics: Data confidentiality and integrity
Exposure, modification, and the leaking of hospital data is at risk when scanning or exploitation takes place. Phase 2 and 4-6 handle this, helping to define rules around data and enforce safe, controlled exploitation and post-exploitation.
Ethics: Non-disruption of services
Testing may interrupt IoMT, internal communications, and patient monitoring, putting patients at risk. Phase 1 puts systems in place to identify “no-touch” systems, testing windows, and critical assets. This plans for business continuity and disaster recovery plans.
Ethics: Reporting and Responsiveness
Poor reporting in Phase 7 could lead to miscommunication, vulnerabilities being exposed to the wrong people, and delays in remediation. Responsible disclosure and patch management are assured through the PTES reporting framework.
Ethics: Ethical use of social engineering
Vishing or pretexting may distress staff, extract sensitive information, and reduce trust. Human-factor risk assessment must be considered when gathering information through these means. Phase 2 helps ethical hackers to set ethical boundaries and consent-based reconnaissance.
Ethics: Controlled exploitation without causing harm
Exploitation attacks could crash systems and/or corrupt data.
How to maintain operational continuity?
Stratified testing environment
Sandbox environment
Strict RoE
Stratified Testing Environment
Organised testing in which parts of the system are segmented and tested on when they are not live.
Sandbox Environment
An isolated testing space used to safely run code. For aggressive testing, this environment may mirror the hospital’s network to ensure patient safety.
Strict Rules of Engagement
Example: testers only capturing metadata to prove access instead of getting actual patient records or use synthetic/fake data to nullify privacy risk.
Investigate how network scanning/mapping and OSINT can be used
OSINT for public facing tech → passive and undetectable. For initial targeting.
Network scanning + mapping → more active. May risk crashing legacy IoT devices.
White box for fragile/legacy IoMT devices on the network.
Passive Intelligence Gathering
Overall, avoids detection and engaging directly with the target system.
Search engine dorking
Shodan + Maltego
WHOIS queries - identifies domain, registration dates, and DNS servers.
Social media analysis (LinkedIn, Instagram, TikTok)
Active Intelligence Gathering
Directly interacting with target system; higher risks on system but detailed/less general insight.
Network scanning → Nmap + Zenmap
Hping (sending packets) → Useful for testing network connections and examining firewall configurations.
Burp Suite
OWASP ZAP
Exploitation → Metasploit Framework; a popular tool for developing and executing PTES exploits.
Developing Response Plan
Incident detection is crucial for data privacy → stops an attack early and prevents data exfiltration → protects patient/EHR confidentiality.
But, recovery is paramount for patient safety. That is priority.
Example: in ransomware scenarios, recovery is the only safe option.
Response plans should prioritise backups and segmentation over perfect detection of threats.
Extension: WannaCry NHS Ransomware Attack (2017)
Hit companies worldwide in spring 2017, cost the NHS £92M, and disrupted operations for several days.
Delivered via phishing, locking files via encryption until a bitcoin sum was paid.
Exposed a specific Windows vulnerability, not an attack on unsupported software
NHS criticised for using outdated IT systems, including Windows XP, a 17-year-old OS vulnerable to attack.
NHS also had not rehearsed for a crisis with a recovery plan that had not accounted for large scale attacks.
Extension: Conti HSE Ransomware Attack (2021)
Cyberattack on Health Service Executive (HSE) in Ireland that shut IT systems down nationwide, reverting hospitals to analog media.
Phishing (malicious Excel doc) for initial access.
Cobalt Strike used to establish persistence and move laterally (jumping from low-value resources to access high-value resources) before deploying ransomware.
Severely interrupted service, even disrupting radiation/cancer treatment for patients.
Only 2/10 cancer trial units had a response plan in place.
Extension: PwnedPiper Pneumatic Tube System Vulnerability (2021)
Researchers found nine key vulnerabilities in Swisslog Healthcare TransLogic pneumatic tube systems, used by >80% of North American hospitals to transport blood, medication, and lab samples.
The PTS supports variable-speed transactions, allowing urgent deliveries, but this can be exploited to disrupt service.
RFID authentication was employed in the PTS, but this exposes staff records and RFID credentials.
The system had an alert messaging system integrated into hospital comms that may be abused to interfere with workflow.
IoMT Infrastructure Vulnerabilities
Connectivity and data richness are both strengths and vulnerabilities for IoMT devices!
Wearable devices often rely on wireless communication protocols such as Bluetooth which may be intercepted during attacks, allowing for the manipulation of data.
Inadequate data encryption and poor security practices can result in unintentional data leakage.
Attackers can gain unauthorized access to implantable devices, such as pacemakers or insulin pumps, potentially altering their settings to harm the patient.
Implantable devices can be targeted with DoS attacks, which can turn off the device, potentially leading to life-threatening situations for patients.