This guide explores the 2026 IB Computer Science Case Study, focusing on CyberHealth Security's ethical hacking engagement with MedTechPro Hospital (MTPH). We'll break down the core concepts, methodologies, and challenges involved in conducting a responsible penetration test in a critical healthcare environment.
Penetration Testing Approaches
A key decision for any penetration test is choosing the right approach. The amount of information given to the testing team determines the type of test. Each approach simulates a different level of attacker knowledge and affects realism, efficiency, and cost.
The Penetration Testing Execution Standard (PTES)
Phase 1: Pre-engagement Interactions
This initial phase is crucial for setting the stage. It involves discussions between CyberHealth Security and MTPH to define the scope, objectives, and rules of engagement. Clear expectations help prevent disruption to hospital operations.
Phase 2: Intelligence Gathering (OSINT)
Here, the ethical hackers gather as much publicly available information as possible about MTPH. This is known as Open-Source Intelligence (OSINT). The goal is to build a profile of systems, technologies, and potential weak points.
Phase 3: Threat Modeling
In this phase, the team analyzes the information gathered to identify potential threats and vulnerabilities. They create a model of the hospital's systems and prioritize targets based on risk and impact.
Phase 4: Vulnerability Analysis
This involves actively scanning the hospital's network and applications to find security weaknesses. Testers use automated tools to quickly identify common issues and then manually validate and probe deeper.
Phase 5: Exploitation
This is the "hacking" phase. The team attempts to gain access to systems by exploiting the vulnerabilities found in the previous phase. This could involve privilege escalation, lateral movement, or data access.
Phase 6: Post-Exploitation
Once a system is compromised, the work isn't over. In this phase, testers determine the value of the compromised machine and what further access it provides, while ensuring no harm to patient care systems.
Phase 7: Reporting
This is the most critical phase for the client. The security team compiles a detailed report that includes all findings, from high-level summaries for executives to technical remediation recommendations.
Key Challenges for CyberHealth Security
The MTPH engagement presents several unique challenges that the security team must navigate carefully. These challenges highlight the complexities of ethical penetration testing in healthcare.
- Choosing the Right Approach: Balancing the realism of a black-box test with the thoroughness of a white-box test, all while considering the potential impact on critical systems.
- Ensuring Business Continuity: The highest priority is avoiding any disruption to patient care. All testing activities must be carefully planned and monitored.
- Effective Information Gathering: Legally and ethically using tools like network scanners and OSINT to map the hospital's digital infrastructure without crossing privacy boundaries.
- Developing a Robust Response Plan: Creating a practical and effective incident response plan that MTPH staff can follow in the event of a real security incident.
- Navigating Ethical Dilemmas: Constantly weighing the need to find vulnerabilities against the ethical responsibility to protect patient data and ensure safety.