Understanding HL7 2.x Standards Pen Testing and Defending HL7 2.x Messages

By Anirudh Duggal on 04 Aug 2016 @ Blackhat
#ics-security #risk-management #application-pentesting #data-protection #endpoint-hardening #security-testing
Focus Areas: 🔒 Data Privacy & Protection , ⚖️ Governance, Risk & Compliance , 🔐 Application Security , ⚙️ DevSecOps , 💻 Endpoint Security , 🏭 Industrial Control Systems Security

Abstract

Health Level-7 or HL7 refers to a set of international standards for the transfer of clinical and administrative data between software applications used by various healthcare providers. Healthcare provider organizations typically have many different computer systems used for everything from billing records to patient tracking. All of these systems should communicate with each other (or “interface”) when they receive new information, or when they wish to retrieve information, but not all do so. The HL7 2.x protocol was designed with certain assumptions in mind, among them a closed network, no malicious intent by the devices, and operation of the devices in a completely reliable environment. The number of devices using HL7 2.x is huge (currently, the HL7 v2.x messaging standard is supported by every major medical information systems vendor in the world). However, a secure implementation standard or guide still needs to be developed. Over some time I have observed that hospitals and vendors do not fully understand the risks on their infrastructure. Also, vendors need to implement some changes to their software and hardware to make their devices more resilient to attacks.

The talk will cover HL7 2.x messages, their significance and the information they carry, as well as the impact of gaining access to these messages. We will look at the scenarios of gaining patient information, fingerprinting architecture, examining and changing diagnoses, gaining access to non-prescribed drugs or changing medication, and possible financial scams. This talk will also cover how to pen test medical systems running HL7 interfaces (EMR software, patient monitors, X-ray machines, etc.), discovering common flaws and attack surfaces on devices that use HL7 2.x messages, and testing machine interfaces and the connected environment.

AI Generated Summary

This talk addresses security vulnerabilities in the HL7 2.x messaging standard, widely used for data exchange in medical devices and hospital infrastructure. HL7 messages are plaintext, pipe-delimited segments transmitted over TCP/IP, often without encryption, carrying highly sensitive patient data including identifiers, diagnoses, lab results, and medication orders.

Key findings demonstrate multiple attack vectors. Man-in-the-middle attacks are feasible because HL7 interfaces are commonly deployed without TLS, allowing interception and modification of messages, such as altering allergy information or diagnostic values, which could lead to incorrect treatment. Unvalidated message sizes enable denial-of-service attacks by flooding interfaces with oversized payloads, exhausting resources. File path fields in messages (e.g., pointing to PDF reports) can be manipulated in transit to reference attacker-controlled locations, facilitating server-side request forgery (SSRF) or remote code execution if the receiving system fetches external resources. Replay attacks are possible by resending valid messages with altered timestamps to override current data. The talk also critiques ineffective fuzzing approaches, emphasizing the need for context-aware testing that targets the specific segments relevant to a device’s function rather than generic payloads.

Practical implications stress immediate defensive measures: enforce TLS for all HL7 traffic, implement strict input validation and message size limits, configure automatic purging of stale messages to prevent data corruption, and minimize the transmission of full PII in every message by using anonymized identifiers like Medical Record Numbers (MRN). Network segmentation and monitoring for unexpected HL7 traffic on non-standard ports are also critical, as the protocol often runs on arbitrary ports discovered via simple scans. The research underscores that legacy medical systems’ reliance on an unsecured, ubiquitous standard creates a broad attack surface within healthcare networks.
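As an added example (not from the talk or its materials), the following Python check applies three of the mitigations above to an inbound HL7 v2 message: a size limit, rejection of stale or future timestamps and duplicate control IDs, and an allowlist for file references in OBX result fields. The sample ORU message, the host name, the limits and the field positions relied on (MSH-7, MSH-10, OBX-2 and OBX-5) are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample message (not from the talk); HL7 v2 segments end with \r.
GOOD_MSG = ("MSH|^~\\&|LAB|HOSP|EMR|HOSP|20160804101500||ORU^R01|MSG0001|P|2.3\r"
            "PID|1||MRN12345||DOE^JOHN\r"
            "OBX|1|RP|REPORT||\\\\reports.hosp.local\\cbc\\MRN12345.pdf||||||F\r")

def parse_segments(message):
    """Split an HL7 v2 message into segments, each a list of pipe-delimited fields."""
    return [seg.split("|") for seg in message.split("\r") if seg]

def validate_hl7(message, now, seen_control_ids, max_bytes=65536,
                 max_age=timedelta(hours=24),
                 allowed_path_prefixes=("\\\\reports.hosp.local\\",)):
    """Return a list of findings for an inbound message; empty means it passed."""
    findings = []
    if len(message.encode()) > max_bytes:
        return ["oversized message"]          # reject before parsing anything
    segments = parse_segments(message)
    if not segments or segments[0][0] != "MSH" or len(segments[0]) < 10:
        return ["malformed MSH segment"]
    msh = segments[0]
    # MSH-7 is index 6 here because MSH-1 (the '|' itself) is consumed by split().
    try:
        sent = datetime.strptime(msh[6][:14], "%Y%m%d%H%M%S")
    except ValueError:
        findings.append("unparseable MSH-7 timestamp")
    else:
        # Stale data should be purged, not applied; future timestamps are suspect.
        if sent > now + timedelta(minutes=5) or now - sent > max_age:
            findings.append("stale or future MSH-7 timestamp")
    control_id = msh[9]                       # MSH-10, unique per message
    if control_id in seen_control_ids:
        findings.append("duplicate MSH-10 control id (possible replay)")
    seen_control_ids.add(control_id)
    for seg in segments[1:]:
        # OBX-2 == "RP" marks a reference pointer; OBX-5 carries the path.
        if seg[0] == "OBX" and len(seg) > 5 and seg[2] == "RP":
            ref = seg[5]
            if ".." in ref or not ref.startswith(allowed_path_prefixes):
                findings.append(f"untrusted file reference: {ref}")
    return findings

if __name__ == "__main__":
    print(validate_hl7(GOOD_MSG, datetime(2016, 8, 4, 10, 20), set()))
```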

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.