Medical Device Networking and Cybersecurity

This is the digital sample of the book Medical Device Networking and Cybersecurity

Uploaded by

htmworkshop


This is a sample of the book

MEDICAL DEVICE NETWORKING


AND CYBERSECURITY
A technician’s guide to networking and protecting
interconnected healthcare devices

To get the full book please visit
https://htm-workshop.com/shop/medical-device-networking-and-cybersecurity/

CHAPTER 1

NETWORKS

1.1. Why Use a Network?


Networks form the backbone of modern communication, collaboration, and data
exchange. But this begs an important question: Why use networks at all? Imagine
this scenario: You have just adopted a newborn puppy. Using your phone, you snap a
picture of this super adorable pup, and you want to share it with your friends.

Now, this image is stored on your phone’s memory. But how do you share it with your
friends? Well, here’s how networking can help. Your phone connects to the internet
through Wi-Fi or mobile data, making it part of a network. You open your favorite social
media app and upload the picture. When you hit ‘Share,’ your phone uses the network
(the internet) to send that image to social media servers.

Your puppy’s picture is now saved on the servers. These servers are like huge
digital warehouses that keep all the photos and videos people share. Fun fact: It was
estimated in 2015 that cat images and videos drive around 15% of internet traffic in
total1 (I am not sure I believe that, but it is funny to consider nonetheless).

1 Bloomberg. Laura Bennett. February 19, 2015. https://www.bloomberg.com/news/articles/2015-02-19/catster-magazine-tries-to-bring-lolcat-world-into-print

Networks | 3
Your friends also use the same network (the internet) and access the social media
platform. They can see your uploaded picture when they open the app because it’s
stored on the platform’s servers. It is like you’ve put the puppy picture in a virtual photo
album that your friends can easily look at whenever they want.

Now, you might say, wait a second, I don’t need a network to do any of that. I will
print this picture out and send it in the mail. But you just inadvertently started using
a network! Yes, the mail system is a network. It has different rules and protocols, but
the theory is, in many ways, the same. Then you say to yourself, I’ll use a fax machine
and send it that way (you’re giving your age away if you think that); however, phone
numbers are once again part of a network with their own rules and protocols.

Let us unpack the first examples of how computer networks and the postal service
share similarities in how they function and deliver information or packages.

• Delivery: Computer networks help transfer data and information between
computers and devices, and the postal service helps deliver letters,
packages, and mail between people.
• Addresses and Routing: For computer networks, devices have an address
(like an IP address). Information is sent using these addresses and is routed
through various paths to reach its destination. Similarly, letters and packages
have addresses, zip codes, and specific routes to reach their destinations.
The postal service sorts and routes mail through different post offices to
ensure it gets to the right place.
• Interconnected: Computer networks often consist of interconnected
devices and servers working together to transmit and receive data efficiently.
The postal service operates a network of post offices, sorting centers, and
delivery routes, all connected to ensure mail moves smoothly from sender
to recipient.
• Reliability and Security: Computer networks use security measures (like
encryption and firewalls) to protect data from unauthorized access and
ensure reliability in data transmission. The postal service ensures the security
and integrity of mail through various measures, such as tracking packages,
to ensure they reach their intended destinations securely.
• Speed and Efficiency: Computer networks have varying speeds, such as
fast local networks and slower connections over Wi-Fi. Similarly, different
postal services offer various delivery speeds, ranging from standard mail to
express services.
• Wide Access: Computer networks, especially the internet, provide a platform
for universal access, connecting people globally by creating a network of
networks, often referred to as a wide area network (WAN). The United States
Postal Service (USPS) provides mail delivery services to all addresses in the
United States, ensuring everyone has access to postal services. It can
also send mail internationally through coordination with international postal
services.

In summary, while computer networks and the postal service have different purposes,
they provide communications services that have become foundational to businesses
and communities worldwide.

1.2. What is a Network?


To understand a network, we must understand all its parts. Because networks are so
large and complex, models (such as the OSI and TCP/IP models) are used to simplify
them and break them up into smaller pieces.

OSI Model
To understand how devices communicate, a starting point is to learn the OSI
(Open Systems Interconnection) model. This model, developed by the International
Organization for Standardization (ISO), defines seven layers that describe how data is
transferred and processed from one device to another over a network. These seven
layers – Physical, Data Link, Network, Transport, Session, Presentation, and Application
– each perform distinct functions and allow for modular design, troubleshooting, and
understanding of networks.

Of course, the OSI model is primarily a conceptual-level model. The TCP/IP model
is more accurate regarding what is practically used. Nonetheless, these two models
are very interrelated. The OSI model, however, allows for easier segmentation of
processes behind the scenes. A graphical representation of the model is shown in
Figure 1.

Figure 1. OSI Model licensed under CC 1.0 (note 2)

The awesome thing about networks is that everything is connected at each step of
the networking process. However, learning about networks is challenging. As soon as
you are introduced to one topic, you are thrown into another, connected to another
new topic, etc. The OSI model is a simplified way to divide the process into smaller
chunks that are easier to learn. Like other models, the model does not apply to every
situation or describe all nuances of the real thing. For example, my son has a model
X-wing Lego. Does the model do everything a real X-wing starfighter would do? Of
course not, but it has moving wings, and the model can fire plastic blasters. A model
is meant to approximate something, which may do well in some cases and poorly in
others. The same is true of the OSI model. As you develop your understanding of
networks, you will learn where the model works well and where it breaks down. It’s a
valuable tool, but eventually, you will find it less helpful.

2 https://commons.wikimedia.org/wiki/File:OSI_Model_v1.svg

The primary use of the OSI model is to understand how different parts of a network
communicate. It is divided into seven layers, each responsible for specific tasks in data
communication:

1. Physical Layer (Layer 1): Layer 1 deals with the physical connection between
devices, including cables, connectors, and transmission of raw binary data
(0s and 1s) over the network medium. These cables (like Cat5e, Cat6, etc.)
and connectors (RJ45 connectors) form the physical connections between
devices in a network.
2. Data Link Layer (Layer 2): Layer 2 manages the data flow between devices
on the same network. It establishes point-to-point or direct connections
between devices and handles error detection and correction within the data
frames. Switches operate at this layer to connect devices within a local area
network (LAN). They use MAC addresses to forward data only to the intended
recipient. Also, network interface cards (NICs) are installed in computers and
devices to enable them to connect to a network. They handle the physical
transmission of data onto the network medium.
3. Network Layer (Layer 3): Layer 3 addresses and routes data packets
across different networks. It determines the best path for data to travel from
the source to the destination, often using IP addresses, and handles logical
addressing. Routers operate at the network layer. The data unit is a packet
that contains information such as the IP header, UDP header, or ethernet
header.
4. Transport Layer (Layer 4): Layer 4 ensures end-to-end communication,
delivering reliable data between devices. The transport layer manages data
segmentation, flow control, error-checking, and recovery. TCP (Transmission
Control Protocol) and UDP (User Datagram Protocol) operate at this layer.
Firewalls can operate at the Transport Layer to filter and control incoming
and outgoing traffic based on predefined security rules, often examining TCP
and UDP ports. Load balancers can work at the Transport Layer, distributing
network traffic across multiple servers to improve performance and reliability.

5. Session Layer (Layer 5): Layer 5 manages establishing, maintaining, and
terminating sessions or connections between applications on different
devices. It handles dialog control and synchronization between devices.
Gateways operate at higher layers but can include functionalities related to
session management. They translate between different network protocols or
data formats.
6. Presentation Layer (Layer 6): Layer 6 translates, encrypts, or formats data
to be sent across the network. It ensures that data sent from one system can
be read by another system, regardless of differences in data representation.
Encryption devices used for encrypting and decrypting data often operate at
this layer, ensuring secure communication between devices over a network.
Also, media converters convert signals between different media types, such
as electrical and optical signals.
7. Application Layer (Layer 7): Layer 7 is the closest to the user and provides
network services directly to applications. The application layer includes
protocols for various high-level functions like email, file transfer, web
browsing, and other user-facing applications. Web servers are designed to
host and serve websites and web applications, providing services directly to
users at the application layer. This layer includes DNS Servers that resolve
domain names to IP addresses, enabling users to access websites using
readable names (instead of numbers).
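The layer breakdown above becomes concrete when you look at the bytes of one frame. The following Python program is an added example, not code from the book: it builds a single Ethernet II / IPv4 / UDP frame from constructed sample values (the MAC addresses, IP addresses, ports and payload are made up for the example), computes the IPv4 header checksum, and then decodes the frame layer by layer, attributing each field to the OSI layer the list assigns it to: MAC addresses at Layer 2, IP addresses and the header checksum at Layer 3, ports at Layer 4, and the remaining bytes as application data.

```python
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # version/IHL, DSCP, total len, id, flags/frag, TTL, proto, csum, src, dst


def ip_checksum(header: bytes) -> int:
    """IPv4 header checksum (RFC 791): ones' complement of the ones' complement
    sum of all 16-bit words. Re-checksumming a header that already carries a
    correct checksum yields 0, which is how a receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed sample: a UDP datagram from 192.168.1.10 to 192.168.1.1 port 53."""
    dst_mac = bytes.fromhex("aabbccddeeff")  # constructed addresses, not real devices
    src_mac = bytes.fromhex("001122334455")
    payload = b"HELLO"                       # stands in for application data (Layer 7)
    # Layer 4: UDP header = src port, dst port, length, checksum (0 = not computed)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    # Layer 3: IPv4 header; pack once with checksum 0, compute it, then pack again
    src_ip, dst_ip = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])
    fields = [0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0, src_ip, dst_ip]
    fields[7] = ip_checksum(struct.pack(IPV4_HDR, *fields))
    ip = struct.pack(IPV4_HDR, *fields)
    # Layer 2: Ethernet II header = dst MAC, src MAC, EtherType (0x0800 = IPv4)
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + udp


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Decode one frame and return its fields grouped by OSI layer."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    result = {"layer2_data_link": {"dst_mac": mac_str(dst_mac),
                                   "src_mac": mac_str(src_mac),
                                   "ethertype": hex(ethertype)}}
    if ethertype != 0x0800:
        return result                        # not IPv4; this example stops here
    packet = frame[14:]
    (ver_ihl, _dscp, total_len, _ident, _frag, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes
    result["layer3_network"] = {
        "version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
        "src_ip": ip_str(src_ip), "dst_ip": ip_str(dst_ip),
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
    }
    segment = packet[ihl:total_len]
    if proto == 17:                          # UDP
        src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
        result["layer4_transport"] = {"proto": "UDP", "src_port": src_port, "dst_port": dst_port}
        result["layer7_application"] = {"payload": segment[8:udp_len]}
    elif proto == 6:                         # TCP: ports sit in the same place; rest omitted
        src_port, dst_port = struct.unpack("!HH", segment[:4])
        result["layer4_transport"] = {"proto": "TCP", "src_port": src_port, "dst_port": dst_port}
    return result


if __name__ == "__main__":
    for layer, fields in parse_frame(build_sample_frame()).items():
        print(layer, fields)
```

Read the output top to bottom and you have the encapsulation order the chapter describes: the switch only ever needs the Layer 2 fields, the router reads the Layer 3 addresses and verifies the header checksum, and a port-based firewall makes its decision on the Layer 4 ports.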

Internet protocol suite or TCP/IP model


Ok, so you may ask yourself or have heard someone say, “Who cares about the OSI
model. It is not even the model used in practice.” This usually comes from someone who
has years of experience using TCP/IP and has outgrown the OSI model. The OSI model is
helpful for a season, and then you can move on to TCP/IP. TCP/IP is pragmatic, widely
implemented, streamlined, and more directly applicable in real-world networking. In
essence, TCP/IP is the practical choice for actual network implementation and forms
the foundation of the internet. The model has four layers, each listed below. Figure 2
shows the TCP/IP model and how it relates to the OSI model.

Figure 2. TCP/IP Model (note 3)

1. Network Access Layer (Layer 1): Layer 1, also known as the network access
layer or network interface layer, defines how data is physically transmitted
over the network. Layer 1 includes protocols that operate at the hardware
level, like Ethernet or Wi-Fi, and handle the transmission of data frames
between devices on the same network.
2. Internet Layer (Layer 2): Layer 2 deals with the movement of data packets
across different networks. The Internet Protocol (IP) is the primary protocol
in this layer and is responsible for addressing and routing packets between
devices. Layer 2 uses IP addresses to ensure that data packets are sent to
the right destination.
3. Transport Layer (Layer 3): Layer 3 is responsible for end-to-end
communication and data delivery between devices across the network.
Layer 3 includes protocols like TCP (Transmission Control Protocol), which
ensures reliable and ordered delivery of data packets, and UDP (User
Datagram Protocol), which is faster but less reliable. The TCP protocol
requires a source and destination IP address.
4. Application Layer (Layer 4): Layer 4 interacts with applications and
represents various protocols that allow software programs to communicate
over a network. Examples include HTTP (Hypertext Transfer Protocol) for
web browsing, SMTP (Simple Mail Transfer Protocol) for email, FTP (File
Transfer Protocol), etc.

3 Licensed under Creative Commons TCP/IP Model diagram by Ardika6879 used under CC BY 4.0.
https://commons.wikimedia.org/wiki/Category:TCP/IP_layer_model#/media/File:TCPIP_Model.jpg

The OSI and TCP/IP models help us create a foundation for understanding the
processes going on within a network. Next, we want to explore how devices are
connected within a network.

1.3. Network Topologies


Network topology refers to the arrangement of various network elements, such as routers,
switches, and devices; this arrangement can significantly impact the network’s performance,
scalability, and fault tolerance. In healthcare, network topology ensures the seamless
operation of medical devices and the secure transfer of patient data. Below are some
of the most common network topologies.

Figure 3. Generalized ring, bus, and star network topologies

• Star Topology: In a star topology, all network devices are connected to
a central hub, which is often a switch or router. This topology simplifies
network management and troubleshooting, making it suitable for healthcare
environments where reliability and ease of maintenance are critical.
• Bus Topology: A bus topology is characterized by a single communication
line connecting all devices. It is simple and cost-effective but may not be
ideal for healthcare networks due to its limited fault tolerance.
• Ring Topology: In a ring topology, devices are connected in a closed loop,
with data circulating in one direction. Ring topologies are not fault-tolerant
unless a dual ring topology is used. Ring topologies are used by high-bandwidth
service providers, such as telecommunications carriers.
• Mesh Topology: Mesh topologies involve interconnecting every device with
every other device. This redundancy ensures high fault tolerance, making it a
reliable choice for healthcare networks that cannot afford downtime.
• Tree Topology: Tree topologies combine aspects of star and bus topologies.
Multiple star-configured networks are interconnected through a bus. Tree
topologies are scalable and offer a balance between redundancy and
simplicity. Tree topologies are commonly used in hospitals.
• Hybrid Topology: Hybrid topologies combine two or more of the topologies.
This allows healthcare facilities to tailor their networks to their specific
needs, combining the strengths of various topologies to achieve optimal
performance and reliability.

1.4. Who Uses a Network?
A computer network is like a bustling city, teeming with diverse individuals, each
playing unique roles. From end users to network administrators, the efficient operation
of a network relies on the cooperative interaction of various user types, each with their
specific responsibilities and needs.

• End Users: End users are the primary consumers of network resources.
They interact with the network for their daily tasks, accessing applications,
services, and data. They might not have the technical expertise and are
more focused on the usability of the network rather than its maintenance.
Examples of end users would be employees using office networks, students
accessing school Wi-Fi, or individuals using home internet.
• Network Administrators: Network administrators are the caretakers of
the network. They are responsible for its setup, maintenance, and smooth
operation. This includes installing hardware, configuring network software,
ensuring security protocols are in place, and troubleshooting network issues.
They use various network monitoring and security management tools and
are skilled in network protocols, hardware configurations, and cybersecurity.
• IT Support Technicians: IT support technicians assist end users who face
technical difficulties. Their tasks range from solving minor connectivity issues
to helping users understand how to use specific networked applications.
• System Developers and Engineers: These are the builders of the network’s
backbone. They design and develop the network infrastructure and software.
Their expertise lies in software development, network architecture design,
and performance optimization.
• Database Administrators: They specialize in managing and maintaining the
network’s databases. Their activities include database design, ensuring data
integrity, performance tuning, and managing database access.

In essence, a network thrives on these varied user groups’ collective efforts and
interactions. Each group brings a different set of skills and requirements to the table,
and understanding these roles is crucial for the effective design, implementation, and
management of a robust and efficient network.

1.5. Network Class
Network classes are part of the Internet Protocol (IP) addressing system, which allows
devices to communicate over a network. The IP addressing system is divided into five
classes (A, B, C, D, and E), but for most practical applications in healthcare IT, Classes
A, B, and C are the most relevant.

Due to their large address space, Class A networks are used for large-scale
networks. They support approximately 16 million hosts on each of the 128 networks.
Class B networks balance address space and network segmentation, supporting
approximately 65,000 hosts on each of the 16,000 networks. Class C networks
are suitable for smaller networks, supporting 254 hosts on each of the two million
networks. The class of the network will depend on the organizational needs and
structure. A small clinic will need a very different network capacity than a large regional
healthcare organization.

Network classes are part of the IP addressing system, which helps to efficiently
categorize and allocate IP addresses. The traditional IP addressing system, known as
IPv4, uses 32-bit addresses, which are divided into five classes (A, B, C, D, and E) to
accommodate different sizes and types of networks.
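The class of an address is decided by the leading bits of its first octet, and the network and host counts quoted above fall straight out of the bit widths. The following Python function is an added example, not code from the book: it classifies a dotted-quad IPv4 address into Class A through E from those leading bits and, for A, B and C, derives the default mask, the network identifier, the number of networks in the class and the usable hosts per network (two addresses per network are reserved for the network and broadcast addresses, which is why Class C gives 254). The sample addresses in the test are constructed.

```python
def classify_ipv4(address: str) -> dict:
    """Classful breakdown of an IPv4 address (IPv4 classes as defined in RFC 791)."""
    octets = [int(o) for o in address.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % address)
    first = octets[0]
    # Leading bits of the first octet select the class:
    #   0xxxxxxx -> A, 10xxxxxx -> B, 110xxxxx -> C, 1110xxxx -> D, 1111xxxx -> E
    if first >> 7 == 0b0:
        cls, class_bits, net_bits = "A", 1, 8
    elif first >> 6 == 0b10:
        cls, class_bits, net_bits = "B", 2, 16
    elif first >> 5 == 0b110:
        cls, class_bits, net_bits = "C", 3, 24
    elif first >> 4 == 0b1110:
        return {"address": address, "class": "D", "use": "multicast"}
    else:
        return {"address": address, "class": "E", "use": "reserved/experimental"}

    # The fixed class prefix bits are not available for numbering networks,
    # and the all-zeros / all-ones host values are the network and broadcast addresses.
    networks = 2 ** (net_bits - class_bits)
    hosts_per_network = 2 ** (32 - net_bits) - 2
    net_octets = net_bits // 8
    default_mask = ".".join(["255"] * net_octets + ["0"] * (4 - net_octets))
    network_id = ".".join(str(o) for o in octets[:net_octets] + [0] * (4 - net_octets))
    return {
        "address": address,
        "class": cls,
        "default_mask": default_mask,
        "network_id": network_id,
        "networks": networks,
        "hosts_per_network": hosts_per_network,
    }


if __name__ == "__main__":
    # Constructed sample addresses, one per class
    for sample in ("10.1.2.3", "172.16.5.9", "192.168.1.10", "224.0.0.1", "240.0.0.1"):
        print(classify_ipv4(sample))
```

Running it reproduces the chapter's figures: 128 Class A networks of 16,777,214 hosts, 16,384 Class B networks of 65,534 hosts, and 2,097,152 Class C networks of 254 hosts.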

1.6. Networking Certifications and Continual Learning
As you begin your journey in medical device networking, it can be helpful to start
working toward foundational competencies defined by the industry. Certifications
serve as invaluable milestones that validate an individual’s expertise and proficiency.
Certifications demonstrate competency and reflect an ongoing commitment to
staying updated with the evolving technologies and practices within the field. Here
are some prominent networking certifications that pave the way for continual learning
and professional growth:

• CompTIA A+ Core 1 and Core 2: The CompTIA A+ certification serves
as an entry point for individuals venturing into IT and networking. Divided
into Core 1 and Core 2 modules, it covers a broad spectrum of foundational
knowledge, including hardware, software, troubleshooting, and operational
procedures. This certification is a springboard, providing fundamental skills
for various IT roles.
• CompTIA Security+: Security+ certification demonstrates knowledge
of cybersecurity principles and practices. The certifications cover various
topics, from risk management to cryptography, ensuring professionals
possess the foundational skills and working terminology necessary to
secure networks and mitigate potential threats effectively.
• CompTIA Network+: Network+ certification focuses on networking
concepts, protocols, and tools. It delves into network troubleshooting,
architecture, and security, equipping individuals with the expertise to
efficiently design, implement, and manage networks.
• CompTIA Linux+ Certification: Linux certifications validate expertise in
Linux operating systems and open-source technologies. The certification
covers various aspects, including system administration, shell scripting,
network configuration, and security, catering to the growing demand for
Linux-based environments.
 CCNA (Cisco Certified Network Associate): Cisco offers a renowned
certification that emphasizes skills in networking fundamentals, routing,
switching, security, and automation. It’s an intermediate-level certification
highly valued in the industry, showcasing proficiency in Cisco technologies
and network administration.

Certifications are helpful to benchmark learning and create milestones for your
progress and learning as a technician. Ultimately, each networking problem is unique,
and the solutions will involve a combination of foundational knowledge, creative
thinking, and teamwork.

Questions and Activities

1. Research and identify one networking certification you might consider
pursuing as a technician. Next, create a plan to earn it. Ensure to include
timelines, funding sources if needed, and study plans.
2. Which model, known for its seven layers, was developed by the
International Organization for Standardization (ISO)?
3. Which OSI model layer is responsible for establishing, maintaining, and
terminating sessions between applications on different devices?
4. What is the primary responsibility of the transport layer in the OSI
model?
5. Which TCP/IP model layer handles the physical transmission of data
frames between devices on the same network?
6. In the OSI model, which layer deals with translating, encrypting, or
formatting data sent across the network?
7. Which layer in both the OSI and TCP/IP models interacts directly with
applications and represents various protocols for software programs?
8. What function is performed by the Network Layer in the OSI and TCP/IP models?
9. Which layer in the OSI model is responsible for managing the flow
of data between devices on the same network and handling error
detection and correction?
10. Which layer in the OSI model deals with the physical connection
between devices, including cables and transmission of raw binary data?
11. Where (OSI model layer) would you find the source and destination IP
addresses in packet tracer software? Port destination? MAC Address?
12. Which network topology is characterized by a single communication line
connecting all devices?
13. Describe how a DNS server works.


14. Which topology combines aspects of both star and bus configurations,
often used in hospitals for its scalability and balance between
redundancy and simplicity?
15. What is UDP, and how does it work?
16. 192.168.1.X is most likely the IP address of what type of network?
17. What do we typically call information that travels on the network layer?
18. What kind of information would you find in a packet?
19. True or False. Error detection – such as lost information – is something
that TCP would detect.
20. For a multi-state healthcare system, what class network is most likely
used?

CHAPTER 12

SOCIAL ENGINEERING
Social engineering is the practice of tricking people into revealing information, thereby
granting access to those who are not authorized to have it. This can include forging
emails from other people, even impersonating employees, and conducting on-site
trespassing and intrusion. In healthcare, social engineering attacks can be particularly
damaging, both ethically and legally, because they can lead to unauthorized access
to sensitive patient data.

12.1. Phishing
This is perhaps the most common form of social engineering. It involves sending
fraudulent emails that appear to come from a legitimate source, such as a known
contact or a reputable organization. The goal is to trick the recipient into clicking on
a malicious link, scanning a QR code, or downloading an infected attachment. The
email might also ask for sensitive information like usernames, passwords, or credit
card details. In addition to general phishing, there are more nuanced techniques, such
as spear phishing, which is an email or electronic communications scam targeted
toward a specific individual, organization, or business. Furthermore, whaling is a
form of spear phishing that specifically targets high-profile individuals like C-level
executives, politicians, or celebrities. Phishing can also take place over texting and
communication apps. For example, the text message in Figure 16 shows a message
the author received. One of the key giveaways is that the sender’s username is from
an email account, not a mobile number. In addition, the link address is not from a
trusted website.

Figure 16. A text-based phishing attempt (often referred to as smishing)

Prevention
User education is the first line of defense against phishing attacks. Employees
should be trained to recognize phishing emails by checking for suspicious
elements like generic greetings, spelling errors, and, most of all, unofficial email
addresses. They should also be instructed never to click on unexpected links
or download attachments from unknown sources. Technological solutions
like spam filters and phishing detection software can also be helpful. When
employees are unsure if the communication is internal, it is recommended that
they call the sender’s phone using their organization phone directory (not a
phone number listed in the suspicious email) to verify the sender’s authenticity.

It is also helpful to explicitly state within official emails that the organization will never ask
for passwords or other sensitive information over text, email, or phone. This can set
the precedent in the user’s mind that the information will never be requested using
those methods, making the user less likely to fall for falsified requests.

An organization that has set up its password authentication systems properly will
never ask users for their passwords.
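The "phishing detection software" mentioned above applies the same checks the training teaches people to make: is the sender's address really the organization's, is the greeting generic, does the message ask for credentials, and does the visible link text match where the link actually goes. The following Python function is an added example, not code from the book or any product: it scores a message against those indicators, using a hypothetical organization domain (example-hospital.org) and two constructed sample messages, one phishing attempt and one legitimate internal notice, so the output can be checked.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organization's own mail/web domains (hypothetical name).
ORG_DOMAINS = ("example-hospital.org",)
GENERIC_GREETINGS = ("dear user", "dear customer", "dear employee", "dear account holder")
CREDENTIAL_WORDS = ("password", "passcode", "login credentials", "verify your account")
URGENCY_WORDS = ("immediately", "within 24 hours", "will be suspended", "final notice")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def in_org(host: str) -> bool:
    """True if host is one of the organization's domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def phishing_indicators(sender: str, subject: str, body: str) -> list:
    """Return a human-readable list of phishing indicators found in a message."""
    found = []
    _display_name, addr = parseaddr(sender)
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if not in_org(sender_domain):
        found.append("sender address is outside the organization: " + addr)
    text = (subject + "\n" + body).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        found.append("generic greeting instead of the recipient's name")
    if any(w in text for w in CREDENTIAL_WORDS):
        found.append("asks for a password or account verification")
    if any(w in text for w in URGENCY_WORDS):
        found.append("urgency or threat language")
    for href, label in LINK_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        if not in_org(host):
            found.append("link points outside the organization: " + host)
        shown = DOMAIN_RE.search(label.lower())   # domain the user *sees* in the link text
        if shown and shown.group(0) != host:
            found.append("link text shows %s but goes to %s" % (shown.group(0), host))
    return found


# Constructed samples (not real messages): one phishing attempt, one legitimate notice.
PHISHING_SAMPLE = (
    "Hospital IT Support <helpdesk@secure-login-example.net>",
    "Action required: password reset",
    'Dear user,\nYour account will be suspended within 24 hours unless you verify '
    'your password at <a href="http://secure-login-example.net/reset">'
    "https://portal.example-hospital.org/reset</a>.",
)
LEGIT_SAMPLE = (
    "IT Service Desk <helpdesk@example-hospital.org>",
    "Scheduled network maintenance",
    "Hi Alex,\nThe patient-monitoring VLAN will be offline Saturday 02:00-04:00. "
    'Details: <a href="https://intranet.example-hospital.org/maintenance">'
    "intranet.example-hospital.org/maintenance</a>",
)

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, LEGIT_SAMPLE):
        print(sample[1], "->", phishing_indicators(*sample) or ["no indicators"])
```

No single indicator is proof on its own (a legitimate vendor also mails from outside the organization), so a filter would typically act on a threshold of several indicators and route the rest to a human for the phone-directory verification described above.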

12.2. Pretexting
This type of social engineering attack involves the creation of a fabricated scenario
(the pretext) to persuade a targeted victim to divulge information. The attacker typically
impersonates someone in a position of authority or trust, such as a police officer, bank
official, or IT support person. In the most extreme case, a malicious actor may try
to physically infiltrate an organization by impersonating an employee. They may ask
legitimate employees to let them into certain areas, claiming that they “forgot” their
keycard.

Prevention
Again, education is key. Employees should be informed that legitimate
organizations will never ask for sensitive information through insecure
channels. They should also be encouraged to verify unexpected or suspicious
requests by contacting the person or organization directly through a verified
phone number or verified email address.

12.3. Tailgating or Piggybacking
This physical form of social engineering involves an unauthorized individual gaining
access to a restricted area by following closely behind an authorized individual. In a
healthcare setting, this might involve entering a secure hospital ward or data center.

Believe it or not, this can happen even in full view of other employees – sometimes
even with the employee’s assistance. Generally, people like to be helpful when they
can. For example, think about how often you or others you know hold doors open for
others. For many people, this polite action is done nearly automatically. A bad actor
impersonating an employee may use this social etiquette to gain access to a restricted
area. A legitimate employee may unlock a door, enter, and then hold it open for others
to enter as a courtesy. The attacker may be able to enter under this scenario, never
needing to interact with the door locks at all.

Prevention
Physical security measures such as security badges, locked doors, and
security personnel can help prevent tailgating. Employees should be trained
not to hold doors open for others unless they can verify their identity and
access permissions. Security cameras should also be in place to record
entries into the facility or secure areas.

12.4. Shoulder Surfing


Shoulder surfing is a deceptively simple yet effective form of information theft that
involves an individual stealthily observing over your shoulder to glean sensitive data.
This could happen anywhere – at an ATM while you’re entering your PIN, at your desk
as you log into your computer, or even on public transport as you type a password on
your phone. The data at risk includes not just PIN numbers and passwords but also
confidential emails, security badges, access cards, and any other secured information
that might be visually accessible.

Prevention
Always be conscious of people around you when handling sensitive
information. If someone is too close, it’s okay to ask for more space or to
shield your activity from view. Also, use your body as a shield when typing
passwords or PINs to obstruct the view of prying eyes. This is particularly
important in crowded public places. Additionally, you can install privacy filters
on your computer, laptop, and mobile device screens. These screens make it
difficult for onlookers to view your display unless they are directly in front of it.

Other methods to reduce this type of attack include biometric authentication, such as
fingerprint or facial recognition, which eliminates the need for visible password entry.
If possible, enter your password or PIN non-sequentially if a keypad allows it, or use a
dummy entry (random keypresses) before entering your actual PIN.

By incorporating these practices into your routine, you can significantly reduce the risk
of becoming a victim of shoulder surfing and protect your personal and professional
information from unauthorized access.

12.5. Quid Pro Quo


This involves an attacker requesting private information from a party in return for
something desirable or for fulfilling some form of responsibility. A classic example is
an attacker who impersonates an IT support person and offers to fix a non-existent
problem in exchange for the victim’s login credentials.

Prevention
Employees should be trained to verify the identity of anyone claiming to need
sensitive information to perform a service. They should also be encouraged
to report any such requests to their supervisor or the IT department. Again,
it should be made explicitly clear to the users that the organization will never,
under any circumstances, ask for their passwords or other login information.

12.6. Baiting
Baiting is like phishing but involves promising the victim a reward, such as free music
or movie downloads, for login credentials or other sensitive information.

Prevention
Organizations should maintain a policy against sharing sensitive information
in return for incentives from unknown sources. Awareness campaigns can
help employees recognize and report potential baiting attempts.

There are slight variations on each attack, and some additional terms you may see
in the appendix, but these are good starting points and represent most of the social
engineering attacks out there. These attacks are constantly evolving as systems
become hardened and attackers look for new vectors of attack. In summary, the key
to preventing social engineering attacks is a combination of user education, well-
enforced policies, and appropriate technical controls.

12.7. Vishing and Smishing

In the modern digital landscape, threats don’t just come through the internet; they also
infiltrate via phone calls and text messages. Vishing (voice phishing) and smishing
(SMS phishing) are techniques where scammers use phone-based communication
to trick individuals into divulging personal information. Vishing attacks might involve
a call from a number that appears to be legitimate, asking for sensitive data such as
bank account details. Smishing might come in the form of a text message urging the
recipient to click on a dubious link, which can lead to malware installation or data theft.

Prevention
Always be skeptical of unsolicited contact through phone or text. Verify the
identity of the caller or sender through independent means. Never click
on links or give out personal information during a call or via SMS without
verifying the source. If a call claims to be from a reputable organization, hang
up and call back using a number you trust. Also, if possible, use call-filtering
apps to block suspicious calls and install browser extensions that alert you
of malicious websites.

12.8. Clickjacking and Session Hijacking
Clickjacking is a practice where cybercriminals trick users into clicking on something
different from what they perceive, such as overlaying a seemingly harmless button over
a hidden malicious link. Session hijacking, on the other hand, occurs when an attacker
takes over a user’s active session, particularly on a web application, enabling them to
steal login credentials and personal data or even take control of the user’s account.
URL hijacking, or typosquatting, relies on the simple mistake of entering a web address
incorrectly. Attackers register domain names that are misspellings of legitimate sites,
waiting for unsuspecting users to make a typo. When users land on these deceptive
sites, they may unknowingly enter sensitive information or download malware.

Prevention
To guard against clickjacking, one can implement security software that
includes clickjacking detection and prevention. Many web browsers have
built-in clickjacking protection. Developers can implement frame-busting
scripts to prevent their websites from being framed by potential attackers. To
prevent session hijacking, use secure (HTTPS) connections when accessing
sensitive online services. In addition, one can use Virtual Private Network
(VPN) services, especially on public Wi-Fi, to encrypt data. Furthermore,
make it a habit to log out of web applications once you are done using them.
Finally, clear your browser cookies and cache regularly to remove session
data. To help prevent URL hijacking, always double-check the URL in your
browser’s address bar before entering any sensitive information. You can
also bookmark your most-used websites to avoid typing the address each
time. Another method is to use search engines to find the official site, as they
often correct typos automatically.

Social Engineering | 23
12.9. QRL Jacking
QRL jacking is a type of social engineering attack that targets QR code-based
login systems. This attack exploits the trust users place in QR codes, manipulating
them to redirect users to malicious websites or applications that capture their login
credentials. Here’s a detailed look at how QRL jacking works, its implications, and
preventive measures.

First, the attacker identifies a service or application that uses QR codes for login
purposes. This could be a web application, a mobile app, or any service that allows
users to authenticate by scanning a QR code. Next, the attacker generates a malicious
QR code that, when scanned, redirects the user to a fake login page or an attacker-
controlled server. This QR code can be distributed through various means, such as
phishing emails, malicious websites, or physical posters in public places. Next, the
unsuspecting user scans the malicious QR code, thinking it is legitimate. They are
redirected to a fake login page that mimics the genuine service or to an attacker’s
server that captures their login information. After that, the fake login page prompts
the user to enter their login credentials, which are then captured by the attacker. If the
attacker’s server is used, it may redirect the user back to the legitimate service to avoid
suspicion while silently capturing the credentials. Finally, with the captured credentials,
the attacker can log in to the user’s account, potentially gaining access to sensitive
information, performing unauthorized actions, or further spreading the attack.

12.10. Email Attack Indicators

Examples of indicators that an email might be part of an attack include:

• Misspelled domain names or email addresses.
• Requests for confidential information.
• Unsolicited attachments.
• Urgent or threatening language urging immediate action.
• Links that do not match the text when hovered over with a cursor.

Figure 17. Example of Phishing Email. Image adapted from
https://www.phishing.org/phishing-examples

When looking at the example email above, there are several indicators that this is
a phishing attempt:

1. The name suggests Wells Fargo, but the email address is not from the
organization.
2. The email is made to sound important and urgent.
3. The link listed does not match the domain name of the organization (it is
always a good idea to hover over the link to see the address).
4. It uses buttons or links that suggest a method of reply that is not normal for
the email provider.
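The checklist above can be turned into an automated screen. The Python below is an added example, not code from the book: using only the standard library, it parses a constructed message and reports which indicators fire (a display name that does not match the sender's domain, link text that names a different domain than its href, urgent wording, and unsolicited attachments). The brand-to-domain table is an assumption for the demonstration, and the sample addresses use reserved example domains.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this demo: the domain a named brand is expected to send from.
EXPECTED_DOMAINS = {"wells fargo": "wellsfargo.com"}
URGENT_PHRASES = ("immediately", "urgent", "suspended", "verify your account")

# Constructed samples; example.net/.org are reserved names, not real senders.
SAMPLE_PHISH = b"""From: "Wells Fargo Online" <alerts@example.net>
To: staff@example.org
Subject: Action required: verify your account immediately
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your account has been suspended. Please visit
<a href="http://example.net/verify">www.wellsfargo.com/verify</a> now.</p></body></html>
"""
SAMPLE_LEGIT = b"""From: "Wells Fargo Online" <alerts@wellsfargo.com>
To: staff@example.org
Subject: Your monthly statement is available
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Sign in at <a href="https://www.wellsfargo.com/">www.wellsfargo.com</a>
to view it.</p></body></html>
"""


class _LinkAndText(HTMLParser):
    """Collects (href, visible text) for every <a>, plus all visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def registrable_domain(value):
    """Last two labels of the host in an address, URL or bare domain ('' if none)."""
    if "@" in value:
        value = value.rsplit("@", 1)[1]
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return ".".join(host.split(".")[-2:]) if "." in host else ""


def phishing_indicators(raw):
    """Return the checklist indicators that fire for one raw message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    sender_domain = registrable_domain(sender.addr_spec)
    for brand, expected in EXPECTED_DOMAINS.items():
        if brand in sender.display_name.lower() and sender_domain != expected:
            findings.append("display name claims %s but sender domain is %s" % (brand, sender_domain))
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        parser = _LinkAndText()
        parser.feed(content)
        content = " ".join(parser.text)
        for href, text in parser.links:   # visible text names one domain, href another
            if "." in text and " " not in text and \
                    registrable_domain(text) != registrable_domain(href):
                findings.append("link text %r points to %s" % (text, registrable_domain(href)))
    haystack = ((msg["Subject"] or "") + " " + content).lower()
    urgent = [p for p in URGENT_PHRASES if p in haystack]
    if urgent:
        findings.append("urgent or threatening language: " + ", ".join(urgent))
    for part in msg.iter_attachments():
        findings.append("unsolicited attachment: %s" % (part.get_filename() or part.get_content_type()))
    return findings


if __name__ == "__main__":
    print("phish:", phishing_indicators(SAMPLE_PHISH))
    print("legit:", phishing_indicators(SAMPLE_LEGIT) or "no indicators")
```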

12.11. Social Engineering in Healthcare

In healthcare, protecting patient privacy is not just ethical; it is the law. The Health
Insurance Portability and Accountability Act of 1996, or HIPAA, sets the standard
for safeguarding sensitive patient data. One key requirement of HIPAA is the use of
privacy screens. These screens play a crucial role in maintaining patient confidentiality
by ensuring that medical information displayed on digital screens is not accidentally
seen by those who are not authorized, like passersby or visitors.

Social engineering, a strategy where bad actors manipulate individuals into breaking
normal security procedures, is a real threat in healthcare. These individuals may use
deceptive tactics to view protected information, and that’s where privacy screens
can help mitigate the risk. However, technology alone isn’t enough. It is also vital to
educate healthcare workers about social engineering methods and the importance of
strict adherence to privacy protocols to defend against such threats.

Questions and Activities

1. What is the primary goal of a social engineering attack?
a. To exploit software vulnerabilities
b. To manipulate individuals into revealing confidential information
c. To improve network security
d. To steal computer hardware

2. Which of the following is a common form of a social engineering attack?
a. Brute-force attack
b. Phishing
c. Password cracking
d. Network sniffing

3. How can a healthcare organization mitigate the risks of social engineering attacks?
a. Installing firewalls
b. Regularly updating the software
c. Training staff on recognizing and reporting potential attacks
d. Restricting internet access

4. A spear-phishing attack is:
a. A generic phishing attack targeting multiple individuals
b. A phishing attack targeted at a specific individual or organization
c. A phishing attack carried out over the phone
d. A phishing attack aimed at stealing passwords

5. What is it called when impersonating a trustworthy entity to trick individuals into
revealing sensitive information?
6. What is the primary goal of phishing in social engineering attacks?
7. If you are at work and you receive a phishing email, which of the following would
you do? Identify at least two steps.
8. How can organizations discourage tailgating or piggybacking in physical social
engineering attacks?
9. Which social engineering attack involves offering a desirable service in exchange
for sensitive information?
10. What are things to ask before opening an email? Identify and describe at least
three things to ask before opening an email.
11. Find an example of a phishing email online. What clues could have alerted the
receiver that the email was not from a trusted source?
12. Describe how clickjacking works.

CHAPTER 25

MEDICAL DEVICE EXPLOIT: INFUSION PUMP

In this chapter, we walk through a documented infusion pump device hack. The
following material should be used for educational purposes only. Any compromised
devices must never be returned to service and should be tagged as not for patient
use. We recommend becoming a certified ethical hacker before attempting anything
similar to this attack. We will begin with the theory and mindset of the exploit and work
into the technical details. Having a foundation with Linux-based systems will help one
understand some of the more technical details of the exploitation. In addition, a video
walkthrough that includes many of these steps is available on our YouTube channel
(https://youtu.be/QabyPjF4ttk).

25.1. Theory of Exploitation

Some general concepts remain constant, regardless of the platform, when looking for
exploitable weaknesses in computers or computerized systems. One universal truth is
that humans make computers, and humans are not perfect; thus, computers are not
perfect. Second, computers tend to share a similar, generalized architecture.

Medical Device Exploit: Infusion Pump | 29

Understanding this general computer architecture can help us determine what areas
should be examined for weaknesses.

For example, every computer uses non-volatile memory, whether an EEPROM chip,
hard drive, or flash chip (often, they contain all of the above). The purpose of these
devices is to store instructions for the computer to perform to reach an operational
state. Changing these instructions can drastically affect how the system operates.
Some type of protection may be in place for this memory, such as having certain
sections of the code encrypted. However, computers can’t run encrypted code, so
encrypting the code is only a deterrent rather than providing actual protection when
the system is running.  

A similar analogy is a gate with a lock and key. The gate can't be opened without the
key, but the key has to exist somewhere, or the gate could never be opened at all. If
the key is stolen or duplicated, the lock can be bypassed. The same principle applies
to encrypted code: the key needed to run it has to be present on the device.

25.2. Understanding the Target
Knowing how a system works is important when attempting to exploit it. In this case,
when the infusion pump starts, it does not immediately become functional. Instead,
it shows a splash screen, does a lamp test, makes a few beeps, and performs other
functions before it’s ready to go. From this, and the fact that the infusion pump includes
a database of medications, we can gather that it’s doing some complex tasks, which
almost certainly means it’s running some operating system. Therefore, the device has
long-term storage containing instructions to support these functions. The best way to
understand the target is to figure out where these instructions are and what they say.   

We can open the hardware and look at the boards and chips used to understand what
type of long-term storage exists for the unit.  

Figure 20. Inside of an infusion pump.

After we take apart the device, we can see our primary target: the Compact Flash
(CF) card. This device was designed to use a standard CF card as the main
system’s long-term memory. Even though there may be, and likely are, other long-
term memory chips on the board, the CF card should be investigated first. CF cards
are not commonly used anymore in computer systems and are normally used for
compatibility reasons. Unfortunately, most computers don’t have a built-in CF reader
port, so an adapter is needed.  

Figure 21. Removal of the compact flash chip from the infusion pump.

25.3. Imaging the Card

A very important part of hacking or, more importantly, computer forensics is the
ability to read from a device while not writing to it. In a law enforcement setting, the
department would have a device called a “write blocker,” which is a physical device
that prevents write operations. We will, however, be using a Unix utility called 'dd' to
make a byte-for-byte image of the card, which will be stored as a file. This has two
advantages:

1. This gives us an exact copy of the CF card's state. Instead of copying the
individual files, the entire device is copied. Thus, if the CF card fails, we can
easily create an exact clone of the card.
2. We can perform analysis operations on the image of the card rather than
the card itself. This prevents accidental changes to the physical drive and
reduces the wear on the card (flash memory wears out with use: each flash
'cell' has a limited number of write cycles before it goes bad).

To image the card, you must have access to a Unix or Linux operating system (MacOS
is a version of Unix, so these operations can also be done on any Mac system,
excluding mobile devices). When you plug in the adapter with the card, the device will
appear in Unix systems in the /dev folder (also known as ‘device files’). The way Unix
structures the system is that everything is a file. So, in the /dev folder, our flash drive
will be listed as just another file.  

To find out which device file corresponds to the flash drive, you can use the commands:

• lsusb
Note: This command is not always available on Unix systems, but it will show
the USB devices attached to the system.

• df -h
This command lists all the available drives within the system, the size of the
drive, and its mount point (if it's mounted). Note that df only lists mounted
filesystems, so if the card was not mounted automatically, it will not appear here.

The CF card is relatively small compared to the other drives in the system, so it should
be easy to identify. For example, the system might give it the device file /dev/sdb. This
means the Unix system has given the flash card the unique device file of ‘sdb.’ And,
just like any file, we can read it or make changes to it. We want to make an exact copy
of the drive for analysis. So, we can run the command:

sudo dd bs=64M if=/dev/sdb of=~/alaris.img

The command is broken down as follows:

• sudo - short for Super-User Do, allows the command to run with higher
permissions. This will prompt for a password before it runs.
• bs=64M - the block size dd reads and writes at a time, in megabytes; dd keeps
copying blocks until the entire device is copied.
• if=/dev/sdb - "if" here stands for 'input file.' You'll need to change this
to match the device file the system gives this flash card (df -h).
• of=~/alaris.img - "of" here stands for 'output file.' The tilde and
forward slash (~/) represent your home directory, and 'alaris.img' is the
name of the file we want to write.

This command may take a while but should finish without errors or messages. Once
completed, you will have the image file 'alaris.img' in your home directory. You can now
disconnect the CF card.

Because the operation above is a hassle, we want to keep the file we made safe and
secure before we analyze it. An easy way to do that is to just make a copy of it, upload
it to a thumb drive, or upload it to a cloud storage service. If you’re on the command
line, you can just run:  

cp ~/alaris.img ~/alaris.img.bak

25.4. Investigating the Drive

Before we begin cracking into the contents of the drive, we can do a few
automated, high-level operations on the image. On the command line, we can run
the command:

file ~/alaris.img

This command instructs Unix to identify the file, as best as it can, to known file types.
If it fails to find any matching type, it will return ‘data’ (which usually means the file is
encrypted or a custom-formatted file). In this case, running file on ~/alaris.img returns:

alaris.img: DOS/MBR boot sector; partition 1: ID=0x6,
active, start-CHS (0x0,1,1), end-CHS (0x3e7,3,32),
startsector 32, 127968 sectors

That’s a lot of specific information, but what catches the eye immediately is the first
part of the report: DOS/MBR boot sector. This means our file is a filesystem likely
containing most, if not all, of the operating instructions for the Alaris pump. (Note:
DOS/MBR does not imply it’s a Microsoft-based system).  

The system uses the MBR (Master Boot Record) during bootup, but it is not the actual
filesystem we are looking for. Instead, the real filesystem starts 32 sectors into the
image; thus, it reports ‘startsector 32.’

We can now examine the structure of this image in more detail using the command
fdisk. Using the command line, run the command:   

$ fdisk ~/alaris.img

This will give you an interactive prompt to examine the image. For now, all we want
to do is press the letter 'p' and then Enter. This tells fdisk to list all the partitions
within the image. It should return the following:

Disk alaris.img: 62.58 MiB, 65601536 bytes, 128128 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device      Boot Start    End Sectors  Size Id Type
alaris.img1 *       32 127999  127968 62.5M  6 FAT16

From this, on the last line, we can see that the Alaris pump uses a FAT16 filesystem. We
want to open this filesystem without the boot record, so we need to do a little more
work. From the report above, we can get all the information needed to extract the
filesystem. Shown above, we can see that the partition starts on sector 32 and that
each sector (on line 2) is 512 bytes large. To extract this portion of the data from the
image file, we will use the 'dd' command again:

$ dd ibs=512 skip=32 if=~/alaris.img of=~/alaris_fs.img

This command is the same as before, with two changes:

• ibs=512 - tells dd to read in 512-byte input blocks, matching the sector size
• skip=32 - tells dd to skip 32 input blocks (sectors) before copying

Now, our new file, alaris_fs.img, will contain the FAT16 filesystem only. We can confirm
this with the 'file' command again:

$ file alaris_fs.img
alaris_fs.img: DOS/MBR boot sector, code offset 0x3c+2,
OEM-ID "MSDOS5.0", sectors/cluster 2, reserved sectors 6,
root entries 512, Media descriptor 0xf8, sectors/FAT 249,
sectors/track 63, heads 255, hidden sectors 32, sectors
127968 (volumes > 32 MB), reserved 0x1, serial number
0x187451a4, unlabeled, FAT (16 bit)

Now we’ve got a file we can explore!
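The fields that `file` and `fdisk` reported in this section can be decoded straight from the image bytes, which is how you confirm that the `dd ibs=512 skip=32` step carved the right thing. The Python below is an added example, not code from the book: it builds a constructed stand-in for the first 33 sectors of alaris.img carrying the values printed above (the number of FATs, 2, is an assumption the page does not state), parses the MBR partition table and the FAT BIOS Parameter Block, derives the byte offset the skip corresponds to, and cross-checks the two headers against each other before the filesystem is trusted.

```python
import struct

SECTOR = 512
MBR_TYPES = {0x06: "FAT16", 0x0B: "W95 FAT32", 0x83: "Linux"}


def parse_mbr(image):
    """Decode the four primary entries of the DOS/MBR partition table."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not a DOS/MBR boot sector")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i: 462 + 16 * i]
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue                              # unused slot
        parts.append({"index": i + 1, "bootable": status == 0x80,
                      "type": ptype, "type_name": MBR_TYPES.get(ptype, "unknown"),
                      "start_sector": start, "sectors": count,
                      "byte_offset": start * SECTOR})  # == dd skip=<start> with ibs=512
    return parts


def carve_partition(image, part):
    """What `dd ibs=512 skip=<start>` produces: the partition's bytes only."""
    off = part["byte_offset"]
    return image[off: off + part["sectors"] * SECTOR]


def parse_fat_boot_sector(fs):
    """Decode the BIOS Parameter Block; the keys mirror what `file` printed."""
    (oem, bps, spc, reserved, nfats, root_entries, total16, media,
     spf, spt, heads, hidden, total32) = struct.unpack_from("<8sHBHBHHBHHHII", fs, 3)
    _drive, _res, ext_sig, serial, label, _fstype = struct.unpack_from("<BBBI11s8s", fs, 36)
    total = total16 or total32                    # total16 is 0 for volumes > 32 MB
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    data_sectors = total - (reserved + nfats * spf + root_dir_sectors)
    clusters = data_sectors // spc
    # The FAT width is defined by the cluster count, not by the "FAT16" label string.
    fat_bits = 12 if clusters < 4085 else 16 if clusters < 65525 else 32
    return {"oem_id": oem.decode("ascii").rstrip(), "bytes_per_sector": bps,
            "sectors_per_cluster": spc, "reserved_sectors": reserved, "fats": nfats,
            "root_entries": root_entries, "media": media, "sectors_per_fat": spf,
            "sectors_per_track": spt, "heads": heads, "hidden_sectors": hidden,
            "total_sectors": total, "serial": serial if ext_sig == 0x29 else None,
            "label": "" if label.strip() in (b"", b"NO NAME") else label.decode("ascii").strip(),
            "clusters": clusters, "fat_bits": fat_bits}


def check_consistency(image):
    """Cross-check MBR entry 1 against the BPB inside it; [] means consistent."""
    part = parse_mbr(image)[0]
    bpb = parse_fat_boot_sector(carve_partition(image, part))
    problems = []
    if bpb["bytes_per_sector"] != SECTOR:
        problems.append("BPB sector size %d != %d" % (bpb["bytes_per_sector"], SECTOR))
    if bpb["hidden_sectors"] != part["start_sector"]:
        problems.append("BPB hidden sectors != partition start: filesystem may have been moved")
    if bpb["total_sectors"] != part["sectors"]:
        problems.append("BPB total sectors != partition size")
    if part["type_name"] == "FAT16" and bpb["fat_bits"] != 16:
        problems.append("partition type says FAT16 but cluster count implies FAT%d" % bpb["fat_bits"])
    return problems


def build_sample_image():
    """Constructed stand-in for the first 33 sectors of alaris.img (values from the book)."""
    mbr = bytearray(SECTOR)
    # active, CHS start (0,1,1), type 0x06, CHS end (0x3e7,3,32), LBA start 32, 127968 sectors
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\x03\xe0\xe7", 32, 127968)
    mbr[510:512] = b"\x55\xaa"
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x3c\x90"                     # jump; `file` shows it as "code offset 0x3c+2"
    struct.pack_into("<8sHBHBHHBHHHII", bs, 3, b"MSDOS5.0", 512, 2, 6, 2, 512, 0,
                     0xF8, 249, 63, 255, 32, 127968)   # "2" FATs is an assumption
    struct.pack_into("<BBBI11s8s", bs, 36, 0x80, 1, 0x29, 0x187451A4, b"NO NAME    ", b"FAT16   ")
    bs[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(31 * SECTOR) + bytes(bs)   # sectors 1..31 are the unused gap


if __name__ == "__main__":
    img = build_sample_image()
    part = parse_mbr(img)[0]
    print("partition %d: %s, start sector %d -> dd skip=%d (byte offset %d)"
          % (part["index"], part["type_name"], part["start_sector"],
             part["start_sector"], part["byte_offset"]))
    print(parse_fat_boot_sector(carve_partition(img, part)))
    print("consistency problems:", check_consistency(img) or "none")
```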

25.5. Mounting the Filesystem

Now that we have the extracted FAT16 filesystem, we can mount it on our system and
look around. To do this, we first need to make the file appear to be a drive in the system
(technically known as a loopback device). We will use the ‘losetup’ command for this:

sudo losetup -f ~/alaris_fs.img

This command tells Unix to attach the alaris_fs.img file to the system and register it
within the /dev/ folder, just like with the CF card. We can then run:

sudo losetup -l

which will return a list of all the available loopback devices on the system. One of
these should represent our alaris_fs.img file:

/dev/loop8    […] /home/Name/alaris_temp/alaris_fs.img

NOTE: Unix will assign the next-available device number to this file, so the number
may be different each time you run this command. It should always be in the format
/dev/loop# where # is the number your computer has chosen.

Now, we can mount this filesystem and look at the files running on the Alaris pump.
First, we need to create a target directory to tell Unix where to attach the file:

sudo mkdir /mnt/temp

This creates a folder called ‘temp’ in the /mnt directory, which is historically where
drives are attached in Unix. Next, we mount the device as read-only:

sudo mount -r ~/alaris_fs.img /mnt/temp

Now we can enter this directory and take a look around:

$ cd /mnt/temp
$ ls
ls: cannot access 'APP': Input/output error
ls: cannot access 'APPDATA': Input/output error
ls: cannot access 'BOOT': Input/output error
ls: cannot access 'CIB': Input/output error
total 2.0K
d????????? ? ?    ?      ?            ? APP
d????????? ? ?    ?      ?            ? APPDATA
-rwxr-xr-x 1 root root 67 Dec 31 2097 AUTORUN.CMD
d????????? ? ?    ?      ?            ? BOOT
d????????? ? ?    ?      ?            ? CIB
-rwxr-xr-x 1 root root 642 Dec 31 2097 CLEAR.CMD

As you can see above, the files within the filesystem are not being read properly, and
some of the files are apparently being created 76 years in the future. But we do have
two files that are readable:

AUTORUN.CMD and CLEAR.CMD.

Examining the Files

We can look at these two files to get some better clues about how the Alaris works.
Let’s first look at AUTORUN.CMD. We can use the ‘cat’ command to look at files:

$ cat AUTORUN.CMD
echo Starting Medley
boot -crc -cache /ata0/app/medley/0/ose.elf

Now, this is interesting! We have multiple clues as to how the system is structured here.
The first notable fact is that the Alaris is booting the file ‘ose.elf.’ After searching online
for Alaris OSE, we can see that the operating system being run is ENEA OSE, which
is a POSIX-compliant, real-time operating system.

The second and possibly most significant clue is the '-crc' boot flag. CRC, in this
context, generally means Cyclic Redundancy Check, which is a type of integrity
check used to verify that the file hasn't been modified by any means. Normally, if the
code of the system is changed, even by just one byte, the CRC will fail, and the system
may refuse to start.

From a security standpoint, the presence of the '-crc' flag is an immediate concern.
Unless other integrity checks are in place, this flag may be what invokes the only
integrity check in the system, and removing it may mean the CRC never executes. An
attacker who could change the code of the Alaris could also remove the -crc flag, and
the pump would then run the modified code without ever detecting the changes!
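To make the point concrete, here is an added Python example (not code from the book or the pump vendor) that does what a -crc style check implies: it computes a CRC-32 over a constructed stand-in for ose.elf, shows that flipping a single bit is detected, then parses the `boot` line of the AUTORUN.CMD shown above and reports when the flag is absent. The keyed HMAC at the end is the hardened alternative; the key and the stand-in firmware bytes are placeholders.

```python
import hashlib
import hmac
import zlib

# Constructed stand-in for /ata0/app/medley/0/ose.elf (not the real binary).
FIRMWARE = bytes(range(256)) * 64
# AUTORUN.CMD exactly as read from the pump's CF card.
AUTORUN_CMD = "echo Starting Medley\nboot -crc -cache /ata0/app/medley/0/ose.elf\n"


def crc32_of(data):
    """CRC-32 of the whole image (the zlib/IEEE polynomial)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def verify_crc(data, expected_crc):
    """True when the image still matches the CRC recorded when it was built."""
    return crc32_of(data) == expected_crc


def flip_byte(data, index):
    """Copy of data with one bit changed at index: the smallest possible edit."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def parse_boot_script(script):
    """Split the `boot` line of AUTORUN.CMD into its flags and the boot target."""
    for line in script.splitlines():
        words = line.split()
        if words and words[0] == "boot":
            flags = {w for w in words[1:] if w.startswith("-")}
            args = [w for w in words[1:] if not w.startswith("-")]
            return {"flags": flags, "target": args[-1] if args else None}
    raise ValueError("no boot line found in script")


def audit_boot_script(script):
    """Findings a reviewer would raise about how the integrity check is wired up."""
    cfg = parse_boot_script(script)
    if "-crc" not in cfg["flags"]:
        return ["CRITICAL: boot line lacks -crc; %s is loaded without any integrity check"
                % cfg["target"]]
    # The check exists, but it is opt-in from a plain-text script on the same card,
    # and a CRC only detects accidental corruption, not deliberate changes.
    return ["INFO: integrity check depends on a flag in an editable boot script"]


def hmac_tag(data, key):
    """Tag stored alongside the image at build time. The verification key belongs in
    protected storage on the device, never on the same removable card as the image."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_hmac(data, key, expected_tag):
    """Hardened form: a keyed HMAC-SHA256 cannot be recomputed without the key."""
    return hmac.compare_digest(hmac_tag(data, key), expected_tag)


if __name__ == "__main__":
    good_crc = crc32_of(FIRMWARE)
    print("intact image passes CRC:", verify_crc(FIRMWARE, good_crc))
    print("one-bit edit passes CRC:", verify_crc(flip_byte(FIRMWARE, 1000), good_crc))
    print(audit_boot_script(AUTORUN_CMD))
    print(audit_boot_script(AUTORUN_CMD.replace("-crc ", "")))
    key = b"placeholder-key-not-a-real-secret"
    print("intact image passes HMAC:", verify_hmac(FIRMWARE, key, hmac_tag(FIRMWARE, key)))
```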

The next file we can examine is the CLEAR.CMD file:

$ cat CLEAR.CMD

This is a lengthy file full of Unix-like commands that look like an automated method of
removing a program called "Medley." Two useful pieces of information come from this
file. First, "Medley" is likely the governing program for the infusion pump systems.
Second, the file gives some paths that we can see line up with the structure of the CF
card.

25.6. Extracting More Files

Because the filesystem is not being read properly, we can take another approach to
extracting the individual files from the system. We can go ahead and unmount the
loopback drives with the following commands:

$ sudo umount /mnt/temp
$ sudo losetup -d /dev/loop#   (where # is the loopback number from above)

What we want to do now is go back to the alaris_fs.img file and use a utility called
‘binwalk’ to extract files manually. Run the following command:

$ binwalk --dd='.*' alaris_fs.img

What this command will do is look through the image file and extract any files it can
recognize without relying on the filesystem as much. Most of the files extracted will be
classified as “data,” meaning they cannot be recognized. However, a few files were
identified and extracted successfully. Or, at least, that’s what the computer thinks.

The file 1AD000 is suspicious. It has been identified as a bitmap image, and when you
open the file, you can see the Alaris boot screen image. However, the extracted file is
almost 64 megabytes, an abnormally large size for a boot-screen bitmap of these
dimensions. We can examine the contents of the file with the command:

$ xxd 1AD000 | less

This will create a hexadecimal dump for the 1AD000 file. In the first line, we can see
the following:

00000000: 424d 2095 0000 0000 0000 3604 0000 2800 BM .......6...(.

The first two bytes, 42 and 4D, are the ASCII characters B and M, the 'BM' signature
of a bitmap file, which is why the operating system identified this file as a bitmap
image.

If you hold the page down key for a few seconds, as the code of the file is flying by, you
might catch a few glimpses of strings that should not be in a bitmap file. Press the ‘q’
key to return to the command line and run this next command:

$ strings 1AD000 | less

This command finds all runs of printable ASCII characters in the file (by default, four
or more in a row) that could be strings. The computer can't determine whether the
strings make sense or not, so many of the strings listed may be gibberish. But as you
scroll through the file, you can see human-readable strings and words appear. For
example, this excerpt:

[…]
/Startup.xml
/ata0/appData/Medley/Startup.xml
disablePcuApplication
<Startup>  
<Startup Options>  
Libs\Os\OsWrap\TimerServer.cpp
.cmd
Libs\Os\OsSystem\AppStartup.cpp
name
Executing application startup script
[…]

What this bitmap file is, most likely, is a collection of multiple files grouped into this
single file. This, combined with the filesystem errors from earlier, means that binwalk
was not able to properly extract the files from the image.  

In order to properly extract the image, we need to use a different, more specialized
utility. Because of how the FAT filesystem has evolved over the years, not every system
will be able to interpret legacy filesystems properly. As a side note, if you’re following
along on a Mac, you might have realized that MacOS was able to open this image with
no problem, but Linux couldn’t.  

What we will need for Linux is a separate utility called “fatcat,” which is a forensic utility
that specializes in working with FAT filesystems. This is not installed on Linux normally,
so you’ll need to run the following command:

$ sudo apt install fatcat

Once this is installed, you can now run the following commands:

$ mkdir extracted_files
$ fatcat -x extracted_files alaris_fs.img

This should successfully extract the files into the new directory 'extracted_files.'

25.7. Reexamining the Files

Now that fatcat has accurately extracted the files from the image, we can look
through the meat and potatoes of the Alaris pump. You'll see the AUTORUN.CMD
and CLEAR.CMD files from earlier, along with four folders. Inside the folders are
various files, such as the bootup splash screen, sound files, and configurations for the
'Medley' application.

Navigating to the APPDATA/MEDLEY/NETCFG/1/ folder, we can see a NET_CFG.XML
file. This file contains the network configuration for the Alaris pump, including sensitive
authentication information in plain text.

Inside the APP/MEDLEY/0/ folder, you can see files for the system firmware and an
OSE.ELF file – the same file from the AUTORUN.CMD. This OSE.ELF file is the actual
operating system of the Alaris. We can find out some information about this file by
running the command:

$ readelf -a OSE.ELF

This command gives us overall information about the file. Unfortunately, there are no
symbols or sections in this file, so reverse engineering the executable will be very
difficult. At this point, an attacker may begin disassembling the machine code of the file,
which is a very long and tedious process. However, we can extract more information
from the device without needing to disassemble it. We can use the ‘strings’ command
again and look for relevant information:

$ strings OSE.ELF | less

This command will give us about 15,000 strings in total, so narrowing these strings
down would be nice. Fortunately, we know that this operating system is, at least
somewhat, Unix-based. All forms of Unix, whether Linux, MacOS, BSD, or another
variant, share common components. One of them is the 'root' account.

25.8. Root Access

The root account in Unix systems is the highest-level user possible by design. The
root user has access to the entire system and can make (almost) any changes without
warning. Restricting access to this user account is a top priority in securing Unix
systems; if a hacker reaches the root account, it’s game over.  

So, since we have a listing of all the readable strings in the system, let’s look for things
with the word “root” in them. Press the forward slash key (/) and type root, then press
enter. Eventually, following these results, the root user file and the root password will
be returned in plain text. This means that if you were able to somehow get console
access to the device through JTAG or some remote service, you could potentially
authenticate into the pump as the root user, giving yourself full control over the
hardware. If you were able to find another software exploit in the system, you could
use these elevated permissions to use the pump as a jump-off point, using it to attack
other devices on the network.  
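Two of the checks this chapter performed by eye can be scripted: spotting that binwalk's "bitmap" 1AD000 was far larger than its own header claimed (section 25.6), and scanning the strings of OSE.ELF for the root account (section 25.8). The Python below is an added example, not code from the book: it re-implements the part of `strings` the chapter relies on, compares the size a BMP header declares with the size of the carved file, and flags credential-like strings so they can be reported. All bytes are constructed inline; the account line and password values are placeholders, not the pump's.

```python
import re
import struct

# Credential-like patterns a firmware reviewer wants reported, not acted on.
CREDENTIAL_PATTERNS = {
    "passwd-style entry": re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*:[^:\s]+:\d+:\d+:"),
    "root reference": re.compile(r"\broot\b", re.IGNORECASE),
    "password assignment": re.compile(r"\b(passw(or)?d|pwd)\s*[:=]\s*\S+", re.IGNORECASE),
}


def extract_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, like `strings -n <min_len>`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def bmp_declared_size(data):
    """bfSize from the BITMAPFILEHEADER (bytes 2..5), or None if this is not a BMP."""
    if len(data) < 14 or data[:2] != b"BM":
        return None
    return struct.unpack_from("<I", data, 2)[0]


def carve_sanity(data):
    """Compare the size a carved BMP claims with what the carver actually wrote."""
    declared = bmp_declared_size(data)
    if declared is None:
        return {"is_bmp": False, "declared": None, "actual": len(data), "trailing": 0}
    # Anything past bfSize is not this image: the carver ran on into the next file(s).
    return {"is_bmp": True, "declared": declared, "actual": len(data),
            "trailing": max(0, len(data) - declared)}


def find_credential_strings(data, min_len=4):
    """(pattern name, string) pairs worth reporting from a firmware blob."""
    hits = []
    for s in extract_strings(data, min_len):
        for name, rx in CREDENTIAL_PATTERNS.items():
            if rx.search(s):
                hits.append((name, s))
    return hits


def build_sample_carve():
    """Constructed 1AD000-like file: a real BMP header followed by bytes of other files."""
    bmp_size, pixel_offset = 38176, 1078      # the 2095 0000 and 3604 0000 of the xxd dump
    header = b"BM" + struct.pack("<IHHI", bmp_size, 0, 0, pixel_offset) + struct.pack("<I", 40)
    image = header + bytes(bmp_size - len(header))          # zeroed pixel data is fine here
    trailing = (bytes(64) + b"/ata0/appData/Medley/Startup.xml\x00"
                + b"Executing application startup script\x00" + b"\x01\x02\x03" * 10)
    return image + trailing


def build_sample_firmware():
    """Constructed OSE.ELF-like blob; the account line and passwords are placeholders."""
    return (b"\x7fELF" + bytes(32) + b"TimerServer.cpp\x00"
            + b"root:PLACEHOLDER_PW:0:0:root:/:/bin/sh\x00" + b"\x03\x11\x7f" * 20
            + b'<net password="PLACEHOLDER_NET_PW"/>\x00' + b"Medley startup complete\x00")


if __name__ == "__main__":
    carve = build_sample_carve()
    info = carve_sanity(carve)
    print("declared %d bytes, carved %d bytes, %d trailing"
          % (info["declared"], info["actual"], info["trailing"]))
    print("strings after the image:", extract_strings(carve[info["declared"]:]))
    for name, s in find_credential_strings(build_sample_firmware()):
        print("%-20s %s" % (name, s))
```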
