At a Glance
- Industry: Healthcare
- Engagement type: Internal + External Network VAPT
- Tech stack: Active Directory forest, Epic-based EHR, PACS imaging, vendor IoMT devices, on-premise data centers, VPN remote access, Cisco network infrastructure
- Outcome: All critical and high-severity findings remediated and re-tested with no critical issues remaining at close.
- Delivered by: ISO/IEC 27001:2022 certified consultants with OSCP, OSEP, CISA, CISM credentials.
Client Overview
Industry: Healthcare
Product: Multi-hospital network covering EHR, lab systems, imaging and IoMT devices
Tech stack: Active Directory forest, Epic-based EHR, PACS imaging, vendor IoMT devices, on-premise data centers, VPN remote access, Cisco network infrastructure
The client operates 3 multi-specialty hospitals across South India with ~1,400 beds combined, processing PHI for 80,000+ active patients. Recent ransomware attacks on peer Indian hospitals had elevated security priority at the board level.
Challenge
Three factors drove the urgency of this engagement:
- Ransomware peer impact. Two regional hospitals had been hit with ransomware in the prior 6 months, with ICU operations disrupted
- HIPAA + DPDP audit requirements. US insurance partnerships required HIPAA evidence; new DPDP Act 2023 added Indian patient data obligations
- Medical device proliferation. 600+ IoMT devices (infusion pumps, monitors, imaging) on hospital networks with unknown security posture
Our Approach
Codesecure delivered a structured engagement combining automated coverage with deep manual testing focused on the specific risk areas for this client.
Scope of Testing
The engagement covered the following primary areas:
- External perimeter testing of internet-facing services (VPN, mail gateway, patient portal)
- Internal network testing from assumed-breach perspective via deployed pentest VM
- Active Directory enumeration and attack-path analysis using BloodHound
- Medical device network segmentation testing aligned with IEC 62443
- EHR access control and audit log integrity review
- Wireless network testing including guest network isolation
- Vendor remote access and third-party VPN security review
Reporting & Walkthrough
Executive summary delivered alongside a technical report containing reproducible PoC steps, CVSS v3.1 severity scoring and developer-actionable remediation guidance. Live walkthrough with the client team covered every critical finding with reproduction and recommended fix path.
Need a Similar Engagement?
Our ISO/IEC 27001:2022 certified consultants deliver fixed-price, named-consultant engagements with executive-ready outcomes. Free 30-minute scoping call, instant response, no delay.
Results
Critical Findings
- Domain Admin compromise achievable in under 4 hours from any workstation via Kerberoasting + AS-REP roasting
- Medical device VLAN reachable from corporate workstations with no enforcement, enabling potential infusion pump access
- EHR backend database accessible via SQL injection in legacy reporting module, exposing complete patient PHI
High & Medium Severity
- Unconstrained Kerberos delegation on file servers
- NTLMv1 still enabled
- Weak password policy (8 chars min) allowing easy spraying
- Exposed RDP on 3 servers
- Vendor service accounts with permanent passwords
- Missing logging on critical OT/IoMT switches
- Guest WiFi reachable from clinical networks
Before vs. After
Before Engagement
- Domain Admin in <4 hours from any laptop
- Medical device network unsegmented
- EHR backend SQL injection exploitable
- NTLMv1 enabled on all DCs
- No formal network pentest in 24 months
- HIPAA Security Rule technical safeguards gaps
After Remediation
- Tiered admin model with PAW workstations
- Medical device VLAN segmented with strict ACLs
- EHR backend hardened, WAF deployed
- NTLM disabled, Kerberos-only auth
- Quarterly network pentest schedule established
- HIPAA Security Rule controls demonstrably operational
"The path from a phished employee laptop to Domain Admin in 4 hours was eye-opening for our board. Codesecure showed us exactly what a ransomware actor would do. The remediation roadmap was specific enough that we executed it in 90 days."
Anonymous, CIO, multi-hospital group, South India
Key Lessons
What Other Teams Can Take Away
- Flat networks are ransomware accelerators. Without segmentation, a phished workstation reaches the entire hospital network including medical devices and EHR.
- Active Directory is the central nervous system. Kerberoasting and AS-REP roasting work in most Indian healthcare AD environments. Tier-0 separation is mandatory.
- Medical devices need dedicated security. Generic network segmentation isn't enough; IEC 62443 alignment and OT-aware monitoring are required for IoMT.
- EHR backend deserves dedicated VAPT. Legacy reporting modules and integration endpoints harbor SQL injection that scanners miss.
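As an added defender-side illustration (not code from the Codesecure engagement), the following Python runs the two Active Directory checks the findings above call for, Kerberoasting and AS-REP roasting, over constructed Windows Security events 4769 and 4768. Field names mirror the Microsoft event schema; the account names, IPs and the request threshold are assumptions.

```python
# Added example: detection logic for the two AD techniques named in the findings,
# run over constructed Windows Security events (not real hospital logs).
from collections import defaultdict

RC4_HMAC = "0x17"          # TicketEncryptionType for RC4-HMAC; AES is 0x11 / 0x12
KERBEROAST_THRESHOLD = 5   # distinct RC4 service tickets per user before alerting (assumed tuning)

# Constructed sample events. A single workstation (10.1.5.23, assumed) pulls RC4 tickets
# for six service accounts in a burst, then requests a TGT for an account without pre-auth.
SERVICE_ACCOUNTS = ["svc_sql", "svc_epic_int", "svc_pacs", "svc_reports", "svc_backup", "svc_lab"]
EVENTS = [{"EventID": 4769, "TargetUserName": "jdoe@HOSP.LOCAL", "ServiceName": s,
           "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.1.5.23"} for s in SERVICE_ACCOUNTS]
EVENTS += [
    # Normal AES service-ticket request from a clinical user: not flagged.
    {"EventID": 4769, "TargetUserName": "nurse1@HOSP.LOCAL", "ServiceName": "svc_epic_int",
     "TicketEncryptionType": "0x12", "IpAddress": "10.1.7.40"},
    # Computer-to-computer RC4 ticket (account names end in $): noise, excluded.
    {"EventID": 4769, "TargetUserName": "WS07$@HOSP.LOCAL", "ServiceName": "WS08$",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.1.7.8"},
    # TGT request with PreAuthType 0 (no pre-authentication) and RC4: AS-REP roastable.
    {"EventID": 4768, "TargetUserName": "svc_legacy_lab", "PreAuthType": "0",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.1.5.23"},
    # Ordinary TGT request with PA-ENC-TIMESTAMP pre-auth (type 2) and AES: not flagged.
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.1.5.23"},
]


def detect_kerberoasting(events, threshold=KERBEROAST_THRESHOLD):
    """Return {user: [service accounts]} for users requesting RC4 tickets to many distinct
    user-type service accounts. krbtgt and computer accounts ($) are skipped as routine noise."""
    per_user = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc == "krbtgt" or svc.endswith("$"):
            continue
        per_user[e["TargetUserName"]].add(svc)
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= threshold}


def detect_asrep_roasting(events):
    """Return sorted (account, source IP) pairs for 4768 TGT requests made without
    pre-authentication (PreAuthType 0) that negotiated RC4, the AS-REP roasting signature."""
    hits = {(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4768 and e.get("PreAuthType") == "0"
            and e["TicketEncryptionType"] == RC4_HMAC}
    return sorted(hits)


if __name__ == "__main__":
    print("Kerberoasting:", detect_kerberoasting(EVENTS))
    print("AS-REP roasting:", detect_asrep_roasting(EVENTS))
```

Remediation that closes both alerts at the source is the same as the page's roadmap: AES-only service accounts, no accounts with pre-authentication disabled, and the tiered admin model so a workstation-tier credential cannot reach Tier-0.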
Conclusion
Healthcare networks have become high-priority ransomware targets in 2026. The combination of flat networks, weak Active Directory configurations and unsegmented medical devices creates attack paths that real-world ransomware actors exploit within hours. Comprehensive network VAPT surfaced and prioritized exactly the right remediation work.
For Indian hospitals, diagnostic chains and healthcare IT providers, network VAPT is now a board-level expectation. Codesecure delivers HIPAA + DPDP aligned network testing with executive-ready reporting and clear ransomware-readiness roadmaps, typically completing in 1-2 weeks.
Want Outcomes Like These?
Codesecure is an ISO/IEC 27001:2022 certified cybersecurity firm. We deliver fixed-price engagements with named consultants and executive-ready outcomes across India, UAE, Saudi Arabia, Australia, Singapore and Maldives.