Understanding HL7 2.x Standards, Pen Testing, and Defending HL7 2.x Messages

Presented at Black Hat USA 2016, Aug. 4, 2016, 9:45 a.m. (50 minutes)

Health Level-7, or HL7, refers to a set of international standards for the transfer of clinical and administrative data between software applications used by various healthcare providers. Healthcare provider organizations typically have many different computer systems used for everything from billing records to patient tracking. All of these systems should communicate with each other (or "interface") when they receive new information, or when they wish to retrieve information, but not all do so. The HL7 2.x protocol was designed with certain factors in mind, among them a closed network, no malicious intent by the devices, and devices running in a completely reliable environment. The number of devices using HL7 2.x is huge (currently, the HL7 v2.x messaging standard is supported by every major medical information systems vendor in the world). However, a secure implementation standard / guide still needs to be worked on. Over some time I have observed that hospitals and vendors do not fully understand the risks to their infrastructure. Vendors also need to implement some changes to their software and hardware to make their devices more resilient to attacks.

The talk will cover HL7 2.x messages, their significance and the information in these messages, and the impact of gaining access to these messages. We will look at the scenarios of gaining patient information, fingerprinting architecture, examining and changing diagnosis, gaining access to non-prescribed drugs / changing medication, and possible financial scams. This talk will also cover how to pen test medical systems running HL7 interfaces (EMR software, patient monitors, X-ray machines, etc.), discovering common flaws and attack surfaces on devices that use HL7 2.x messages to test machine interfaces and the connected environment.


Presenters:

  • Anirudh Duggal - Royal Philips - Healthcare
    Anirudh Duggal is a cyber security enthusiast and works with Philips Healthcare on securing medical devices. He is a sustainability enthusiast and plays guitar in his free time. Besides this, he runs the Hospital Security Project (http://hospitalsecurityproject.com/, @secure_hospital), a project that aims to bring together researchers and help spread awareness of healthcare security. He has previously spoken at Cocon (India), Ground Zero (India), HITCON (Taiwan), Nullcon (India) and PhD (Positive Hack Days, Russia).
