Hackers of India

Attacking & Securing HealthCare Standards & hospital secured systems

By Ajay Pratap Singh on 28 Feb 2019 @ Nullcon


Abstract

The Health Care Industry has evolved exponentially over the last decade. It's no secret that advancement in technology & its adoption was the driving force behind this positive growth. Initially, interfaces between medical devices were custom designed & posed a huge challenge as far as interoperability was concerned. HealthCare standards like HL7 & DICOM have come to the rescue by providing interoperability to store, manage & exchange information among one or more devices, products, systems etc. HL7 is a set of international standards for the exchange, integration, sharing, and retrieval of electronic health information. DICOM (Digital Imaging & Communications in Medicine) is the international standard for the communication and storage of medical images and related data. Both standards are supported by the majority of vendors & hospitals; however, secure implementation of these standards is still a concern, as security risks were given less importance while designing products (software & hardware) for healthcare services. This presentation will focus primarily on HL7 2.x, FHIR & DICOM messages, their implementation, the sensitivity of the information and how to attack these messages. The talk will cover workflow testing and its business implications, penetration testing of the hardened/secured medical system in the hospital network and the approach that needs to be taken to pentest the hardened medical system. The talk will conclude by sharing insights on the proper implementation of these standards to better defend healthcare devices & systems against cyber-attacks.