Saving a Hospital $200k in HIPAA Fines - My true story

I Hacked a Hospital and Here’s What I Found.

Devices without passwords, flat networks, and patient data.

There was so much data in cleartext it was like paradise.

I exploited an Active Directory flaw that displayed domain accounts.

But the $200K hack was the ePHI I found in printers.

So how did I do this?

I walked around scanning the hospital for anything interesting.

The IPs printed on the label printers made me curious.

I went back to my computer to see if it had a login panel.

Googled default passwords for these devices.

Voilà, I was in!

Performed network scanning and found printers.

Back to the same tactics above.

Check for a login panel.

No authentication required.

The printer was storing gigs of patient records from the scanner.

The hospital Security Director contacted the printer rep.

A few days later the rep paid a visit and said:

"Larry you saved this hospital about $200K in fines"

I have to admit it felt good!

The alarming part was I infiltrated systems undetected.

The hospital lacked:

  • SIEM

  • IDS/IPS

  • Network Segmentation

  • And More

Oh and staff training was non-existent.

The USB drives we staged to make callbacks to the servers gave it away.

Hospital networks are riddled with holes.

Making IoT and network devices juicy entry points for hackers.

Cybersecurity was an afterthought until I showed up.

I demonstrated risks they were exposed to.

And threats they never imagined.

I am no longer a Pentester, but I manage teams that do.

So if our mission resonates with your goals:

✅Innovative Excellence

✅Empathy at Every Step

✅An Exceptional Customer Experience

Let's connect!

Follow me & hit the 🔔 icon

Repost ♻️ to help the community!

Join 200+ on my newsletter -> https://lnkd.in/e8ueyG9T

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company, ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy to a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operations for clients.

Larry has provided services for 12 years across the private industry, developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is an influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com