Philippe Delteil is a Computer Science Engineer at the University of Chile. 3 years of experience in the Chilean public health system. Wifi Hacking Workshop instructor at Defcon China 1.0 and Defcon US 27. Speaker at Defcon 26 (Skytalks) and conference 8.8 (La Paz, Bolivia). Founder and CEO at Info-sec.cl
Title: Macabre stories of a hacker in the public health sector (Chile)
Want to know what happens when a nationwide network in the public health sector with over 14 million patients has no real experts in cybersecurity? I will explain how I managed to get over 3 million files, including patient records, people with HIV, abortions and much more. And how I managed to get it fixed (spoiler: the press was involved).
- The talk starts with some context information about Chile and its health system. I want the audience to understand that this is not the case of a poor country lacking funding for technology/security/infrastructure; it’s quite the opposite. I also explain how big the public health system is compared to the private one (80% vs 20%).
- I will mention some of the situations I experienced before and after the talk at Defcon. I received threats from the government that I would be sent to jail if the talk was given (they thought I was going to teach other hackers how to hack gov. systems). Also, during that talk I asked if there were government officials in the room, and they raised their hands, prompting the audience to laugh.
- Then I explain 4 short stories about the security problems faced on a day-to-day basis. The stories are presented as funny and macabre (yes, at the same time) anecdotes.
- Details about the problem
- Technical detail of the security issue. Some stats and some examples about what I had found.
- I will explain the process, from finding a very serious security issue through my attempts to get the attention of the authorities to get the problem fixed, over 10 months and 3 different attempts, to the publication of a press article by the most respected media organization in Chile (Ciperchile.cl, they worked on the Panama Papers investigation). This is still considered the worst security vuln in the health sector in Chile’s history. Link to the publication: https://bit.ly/2QsxmtA
- The work that I had to do during a one-month investigation with the journalists, and how we almost got caught before the publication. I will show the source code of the scripts (shell) I used to gather and filter the information we needed, and how I found over 670 spreadsheets containing personal information of patients with HIV.
- I’ll show some examples of the files I found: blood donation forms (around 23,000 on only one server), 10,000 X-rays with patients’ sensitive information, and around 1,500 mammograms (with name and ID number). All the sensitive data is blurred.
- The Minister of Health was subpoenaed by Congress to explain what happened. The CTO of the Dept. of Health was sanctioned and I got promoted. Months later my boss (director of the institution I worked for) got fired, one week after I was fired. I sued them and I won (over US$100,000 in damages).
- I obtained (through something like the OPEN Government Data Act, but it’s called the Transparency Law) the investigation made by the Dept. of Health to find those responsible for this huge problem. I received over 1,200 pages (after paying US$50) that I have to scan and read carefully. I quote parts of the statements of witnesses or people involved: some blame me for releasing the data, others blame the users for exposing patients’ sensitive information, others denied ever talking to me or receiving an email. I will finish with the sanction the CTO received (it’s ridiculous).