"Xray us!" - Europe's first pharmacy pentest

"Who would want to hack my little pharmacy?" Our co-founder Immanuel recently explained how deceptive this assessment by many pharmacists is when he spoke to Hanna Backes and Christina Thurow in the podcast "Apo chat". The pharmacy pen tests by ProSec had previously been a topic in the Pharmaceutical Newspaper and at expopharm.

In this article you will find out why the owners of a pharmacy association voluntarily allowed themselves to be hacked and how the entire industry is now benefiting from it.

Pharmacy pentest pilot project – how the ball got rolling

At the beginning of the podcast, Immanuel reports how ProSec originally became aware of the topic of IT security in pharmacies: Following an event on the subject of digitization, one of the owners of a regional pharmacy association approached Immanuel with a request: "We have to examine our pharmacies!"

Immanuel was initially skeptical as to whether this wish could be implemented with ProSec. Normally we look after clients ranging from larger companies to governments in matters of IT security. However, he was quickly convinced of the need to make pen tests possible for pharmacies as well. After all, pharmacies are a kind of "small critical infrastructure". A failure due to hacking attacks would be fatal for the population, as Immanuel emphasizes in the podcast.

So we're hacking a pharmacy now!

ProSec co-founder Immanuel Bär

When Immanuel returned to his team with the task "So, let's hack a pharmacy!", the initial skepticism was quickly overcome. Working closely with the customer, ProSec designed a tailor-made concept for the pharmacy pentest. The focus was on ultimately achieving the greatest possible added value for the IT security of the pharmacies.

How quickly hackers can get payrolls from the printer

The pilot project for the pharmacy pentest started with a 2-stage phishing campaign. In the first step, phishing mails were sent to the owners (who had commissioned the test themselves!). In the second step, the employees of all pharmacies in the regional network were involved. The result was alarming: Of the two clients who were in the know, one fell for the phishing, as did three-quarters of the other employees.

Why is that so problematic? Our pentesters were able to penetrate a pharmacy's network via the user data of a single employee. There they gained access to a printer. For example, they could view wages in its stored files. In addition, they were able to expand their access to the fax archive. There, sensitive patient data from the last 8 to 10 years was available in PDF format.

We were able to access all patient data with prescription requirements and medication suggestions for the entire region. And then it really was the end of the day.
ProSec co-founder Immanuel Bär
DEO & Co-Founder ProSec

Now owners of small pharmacies might think that no hacker goes to all that trouble for them. Immanuel explains why this view is wrong: Nowadays it is very easy to find easy targets for hacking attacks via freely accessible search engines. This includes, for example, unprotected peripheral devices such as webcams.

If your pharmacy happens to appear in such a search, you will probably be hacked sooner or later.

"Fuck up" error culture: An entire industry could benefit from this

With such a result, most entrepreneurs would probably not go public. In our case, fortunately, it was different: the owners of the pharmacy we hacked supported us in sharing the learnings from this project with the entire industry. Because one thing is clear: In times of eHealth law and telematics infrastructure, pharmacists can no longer ignore increasing digitization. Because digitalization always means an increase in interfaces, early integration of IT security is essential.

So many don't have that on their screens - take that, go out with it and tell others about it!

With the permission of our clients, ProSec then shared the results of the first pharmacy pentest in specialist magazines and at pharmacy industry events. Our goal was to create awareness of the threat situation. At the same time, we want to show what solutions there are and how pharmacies can protect themselves in a targeted manner.

Pharmacy pen tests by ProSec in the specialist media

Immanuel's message in all these media was always the same: No matter how big or small your company is, actively take care of the integration of IT security and look for real experts. Do not expect your IT service providers to be able to cover the topic of cyber security "just for once"; that is an unrealistic expectation. Don't be put off by the fact that you might not be particularly knowledgeable about IT yourself. If in doubt, simply take the service provider you trust on board and look for the right experts together with them.

How secure is patient data in your pharmacy?
Do not be afraid of incomprehensible technical language - we will tackle the topic of IT security together with you!