Home Health Care is an AI-driven platform that automates medical records for home health care providers, enhancing efficiency and patient care. To ensure the security of sensitive patient data and compliance with healthcare regulations, a comprehensive Gray box penetration test was conducted.
Our primary challenge was assessing the platform's security without prior knowledge of its internal structures. This required simulating real-world attack scenarios to identify potential vulnerabilities, particularly those related to AI functionalities, data handling processes, and the risk of prompt injection attacks. These attacks could manipulate AI-generated responses by crafting malicious inputs, potentially leading to unintended actions or information disclosure. Prompt injections can occur not only through text inputs but also through audio or other input methods, making them a versatile and critical threat vector.
The penetration test identified several high and medium-severity vulnerabilities, including issues related to session handling, file restrictions, rate limiting, data encryption, and access controls. These findings were reported to Health Care's development team, who promptly addressed them, thereby strengthening the platform's security and ensuring compliance with industry standards.