Artificial intelligence–based ethical hacking for health information systems: simulation study

This is the latest version of this eprint.

Abstract

Background:

Health information systems (HISs) are continuously targeted by hackers, who aim to bring down critical health infrastructure. This study was motivated by recent attacks on health care organizations that have resulted in the compromise of sensitive data held in HISs. Existing research on cybersecurity in the health care domain places an imbalanced focus on protecting medical devices and data. There is a lack of a systematic way to investigate how attackers may breach an HIS and access health care records.

Objective:

This study aimed to provide new insights into HIS cybersecurity protection. We propose a systematic, novel, and optimized (artificial intelligence–based) ethical hacking method tailored specifically for HISs, and we compared it with the traditional unoptimized ethical hacking method. This allows researchers and practitioners to identify the points and attack pathways of possible penetration attacks on the HIS more efficiently.

Methods:

In this study, we propose a novel methodological approach to ethical hacking in HISs. We implemented ethical hacking using both optimized and unoptimized methods in an experimental setting. Specifically, we set up an HIS simulation environment by implementing the open-source electronic medical record (OpenEMR) system and followed the National Institute of Standards and Technology’s ethical hacking framework to launch the attacks. In the experiment, we launched 50 rounds of attacks using both unoptimized and optimized ethical hacking methods.

Results:

Ethical hacking was successfully conducted using both optimized and unoptimized methods. The results show that the optimized ethical hacking method outperforms the unoptimized method in terms of average time used, the average success rate of exploit, the number of exploits launched, and the number of successful exploits. We were able to identify the successful attack paths and exploits that are related to remote code execution, cross-site request forgery, improper authentication, vulnerability in the Oracle Business Intelligence Publisher, an elevation of privilege vulnerability (in MediaTek), and remote access backdoor (in the web graphical user interface for the Linux Virtual Server).

Conclusions:

This research demonstrates systematic ethical hacking against an HIS using optimized and unoptimized methods, together with a set of penetration testing tools to identify exploits and combining them to perform ethical hacking. The findings contribute to the HIS literature, ethical hacking methodology, and mainstream artificial intelligence–based ethical hacking methods because they address some key weaknesses of these research fields. These findings also have great significance for the health care sector, as OpenEMR is widely adopted by health care organizations. Our findings offer novel insights for the protection of HISs and allow researchers to conduct further research in the HIS cybersecurity domain.

Metadata

Item Type:	Article
Authors/Creators:	He, Y. https://orcid.org/0000-0003-2023-5547 Zamani, E. https://orcid.org/0000-0003-3110-7495 Yevseyeva, I. https://orcid.org/0000-0002-1627-7624 Luo, C. https://orcid.org/0000-0003-3946-1093
Copyright, Publisher and Additional Information:	© 2023 Ying He, Efpraxia Zamani, Iryna Yevseyeva, Cunjin Luo. Originally published in the Journal of Medical Internet Research (https://www.jmir.org), 25.04.2023. This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in the Journal of Medical Internet Research, is properly cited. The complete bibliographic information, a link to the original publication on https://www.jmir.org/, as well as this copyright and license information must be included.
Keywords:	AI-based hacking; HIS; OpenEMR; artificial intelligence; cyber defense solutions; ethical hacking; health information system; open-source electronic medical record; Humans; Artificial Intelligence; Health Information Systems; Electronic Health Records; Computer Security; Software
Dates:	Published: 25 April 2023 Published (online): 25 April 2023 Accepted: 19 January 2023
Institution:	The University of Sheffield
Academic Units:	The University of Sheffield > Faculty of Social Sciences (Sheffield) > Information School (Sheffield)
Depositing User:	Symplectic Sheffield
Date Deposited:	16 May 2023 12:37
Last Modified:	16 May 2023 12:37
Status:	Published
Publisher:	JMIR Publications Inc.
Refereed:	Yes
Identification Number:	10.2196/41748
Related URLs:	PubMed URL
Open Archives Initiative ID (OAI ID):	oai:eprints.whiterose.ac.uk:199262

Available Versions of this Item

AI-based Ethical Hacking for Health Information Systems (HIS): a simulation study (Preprint). (deposited 27 Jan 2023 11:36)
- Artificial intelligence–based ethical hacking for health information systems: simulation study. (deposited 16 May 2023 12:37) [Currently Displayed]

Download

Published Version

Filename: PDF.pdf

Licence: CC-BY 4.0

CLICK TO DOWNLOAD

CORE (COnnecting REpositories)