AI-based Ethical Hacking for Health Information Systems (HIS): a simulation study
JMIR Publications, 2023
Online
academicJournal
Background: Health information systems (HIS) are continuously targeted by hackers, who aim to bring down the Health Critical Infrastructure. This study is motivated by recent attacks on healthcare organisations that have resulted in the compromise of the sensitive data held in HIS. Existing cyber security research in the healthcare domain places an imbalanced focus on protecting medical devices and data. There is a lack of a systematic way to investigate how attackers may breach a HIS and access healthcare records, with a view to improving cybersecurity in the future.

Objective: This research aims to provide new insights regarding HIS cybersecurity protection. We propose a systematic and novel optimized (AI-based) ethical hacking method tailored specifically for HIS, and we compare it with the traditional unoptimized ethical hacking method. It allows researchers and practitioners to identify the points and attack pathways of possible penetration attacks on HIS more efficiently.

Methods: In this study, we propose a novel methodological approach to ethical hacking for HIS. We launched ethical hacking using both optimized and unoptimized methods in an experimental setting. Specifically, we set up an HIS simulation environment by implementing the OpenEMR (Open Electronic Medical Record) system and followed the National Institute of Standards and Technology's (NIST) ethical hacking framework to launch the attacks. In the experiment, we launched 50 rounds of attacks using both unoptimized and optimized ethical hacking methods.

Results: Ethical hacking was successful using both optimized and unoptimized methods. The results show that the optimized ethical hacking method outperforms the unoptimized one in terms of average time used, average success rate of exploit, number of exploits launched, and number of successful exploits.
We are able to identify the successful attack paths, and the exploits that are related to remote code execution, cross-site request forgery, improper authentication, vulnerability in the Oracle .
Title: | AI-based Ethical Hacking for Health Information Systems (HIS): a simulation study |
---|---|
Author / Contributor: | He, Ying ; Efpraxia, Zamani ; Kun, Ni ; Iryna, Yevseyeva ; Cunjin, Luo |
Link: | |
Publication: | JMIR Publications, 2023 |
Media type: | academicJournal |
Subject: | |
Other: | |