Examination and analysis of hospital network security from the attacker's perspective  (Cited by: 2)


Authors: HAN Xuefeng[1]; WANG Jingyan[1]; SHEN Hongchao[1] (Computer Department, the 2nd Affiliated Hospital of Harbin Medical University, Harbin 150086, Heilongjiang Province, China)

Affiliation: [1] Computer Department, the 2nd Affiliated Hospital of Harbin Medical University, Harbin 150086

Source: China Digital Medicine, 2024, Issue 6, pp. 109-115 (7 pages)

Abstract: Objective: To discover vulnerabilities and hidden dangers in hospital network security through simulated attack testing. Methods: Based on the data from the test results, the main risk points in hospital networks were identified and countermeasures were analyzed. Results: In this simulated test, 55 medical institutions were successfully attacked through 78 vulnerability risk points. The vulnerability types were, in order: weak password vulnerabilities, unauthorized (privilege-bypass) access vulnerabilities, Spring (development framework) remote code execution vulnerabilities, file upload vulnerabilities, SQL injection vulnerabilities, directory traversal vulnerabilities, Fastjson (Java parsing library) command execution vulnerabilities, and Nacos (service middleware) unauthorized access vulnerabilities. Conclusion: Hospital networks face risks such as unequal security technical strength, a lack of supply chain management, an emphasis on application development over security, and too much exposed attack surface. Hospital network security should be strengthened by improving hospital network security management, strengthening the training of hospital network security personnel, enriching technical defense measures for hospital network security, and paying continuous attention to hospital network security.

Keywords: attacker; network security; security vulnerability

Classification: R197.3 [Medicine and Health - Health Services Management]; R319 [Medicine and Health - Public Health and Preventive Medicine]

 
