Background: Health information systems (HISs) are continuously targeted by attackers who aim to bring down critical health infrastructure. This study was motivated by recent attacks on health care organizations that resulted in the compromise of sensitive data held in HISs. Existing research on cybersecurity in the health care domain focuses disproportionately on protecting medical devices and data; there is no systematic way to investigate how an attacker may breach an HIS and reach health care records.
Objective: This study aimed to provide new insights into HIS cybersecurity protection. We propose a systematic, novel, optimized (artificial intelligence-based) ethical hacking method tailored specifically to HISs, and we compare it with the traditional, unoptimized ethical hacking method. This allows researchers and practitioners to identify the entry points and attack pathways of possible penetration attacks on an HIS more efficiently.
Methods: In this study, we propose a novel methodological approach to ethical hacking in HISs. We carried out ethical hacking with both the optimized and the unoptimized method in an experimental setting. Specifically, we built an HIS simulation environment by deploying the open-source electronic medical record (OpenEMR) system and followed the National Institute of Standards and Technology's ethical hacking framework to launch the attacks. In the experiment, we launched 50 rounds of attacks with each of the two methods, unoptimized and optimized.
Results: Ethical hacking was conducted successfully with both the optimized and the unoptimized method. The results show that the optimized method outperforms the unoptimized method on average time used, average exploit success rate, number of exploits launched, and number of successful exploits. We were able to identify successful attack paths and exploits related to remote code execution, cross-site request forgery, improper authentication, a vulnerability in Oracle Business Intelligence Publisher, an elevation-of-privilege vulnerability (in MediaTek), and a remote access backdoor (in the web graphical user interface for the Linux Virtual Server). Several of these exploit targets (Oracle Business Intelligence Publisher, MediaTek, and the Linux Virtual Server web GUI) are not components of OpenEMR itself, so each reported attack path should be mapped to the hosts and services actually present in a deployment before it is treated as an OpenEMR finding.
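The four comparison metrics named above (average time per round, average per-round exploit success rate, total exploits launched, total successful exploits) are easy to compute inconsistently, in particular by pooling successes over launches instead of averaging per-round rates. The following is an added example, not code from the paper, that computes them from per-round records; the `Round` fields, the method names "optimized" and "unoptimized", and the sample rounds are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Round:
    """One round of ethical hacking (assumed record layout, not the paper's)."""
    method: str      # "optimized" or "unoptimized"
    seconds: float   # wall-clock time spent in the round
    launched: int    # exploits launched during the round
    succeeded: int   # exploits that yielded a foothold


def summarize(rounds, method):
    """Return the four metrics the study compares, for one method.

    The success rate is averaged per round (each round weighted equally),
    not pooled as total successes / total launches; the two differ when
    rounds launch different numbers of exploits.
    """
    rs = [r for r in rounds if r.method == method]
    if not rs:
        raise ValueError(f"no rounds recorded for method {method!r}")
    for r in rs:
        if r.succeeded > r.launched or r.launched < 0 or r.seconds < 0:
            raise ValueError(f"inconsistent round record: {r}")
    return {
        "rounds": len(rs),
        "avg_time_s": mean(r.seconds for r in rs),
        "avg_success_rate": mean(
            (r.succeeded / r.launched) if r.launched else 0.0 for r in rs
        ),
        "exploits_launched": sum(r.launched for r in rs),
        "successful_exploits": sum(r.succeeded for r in rs),
    }


def pooled_success_rate(rounds, method):
    """Total successes / total launches, kept separate to show the difference."""
    s = summarize(rounds, method)
    return s["successful_exploits"] / s["exploits_launched"] if s["exploits_launched"] else 0.0


def compare(rounds):
    """True for each metric on which the optimized method wins."""
    opt = summarize(rounds, "optimized")
    un = summarize(rounds, "unoptimized")
    return {
        "faster": opt["avg_time_s"] < un["avg_time_s"],
        "higher_success_rate": opt["avg_success_rate"] > un["avg_success_rate"],
        "more_exploits_launched": opt["exploits_launched"] > un["exploits_launched"],
        "more_successful_exploits": opt["successful_exploits"] > un["successful_exploits"],
    }


# Constructed sample data (not measurements from the study).
SAMPLE_ROUNDS = [
    Round("optimized", 120.0, 10, 4),
    Round("optimized", 100.0, 12, 6),
    Round("unoptimized", 300.0, 6, 1),
    Round("unoptimized", 360.0, 8, 2),
]

if __name__ == "__main__":
    for m in ("optimized", "unoptimized"):
        print(m, summarize(SAMPLE_ROUNDS, m), "pooled:", pooled_success_rate(SAMPLE_ROUNDS, m))
    print(compare(SAMPLE_ROUNDS))
```

When replicating a comparison of this kind, report which of the two success-rate definitions is used; with 50 rounds of varying size, the per-round average and the pooled ratio can rank the methods differently.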
Conclusions: This research demonstrates systematic ethical hacking against an HIS using optimized and unoptimized methods, together with a set of penetration testing tools used to identify exploits and to chain them into attack paths. The findings contribute to the HIS literature, to ethical hacking methodology, and to mainstream artificial intelligence-based ethical hacking methods, because they address some key weaknesses in these research fields. The findings are also significant for the health care sector, as OpenEMR is widely adopted by health care organizations. They offer novel insights for the protection of HISs and provide a basis for further research in the HIS cybersecurity domain.