Presentation Material
Abstract
Healthcare organizations typically have many different computer systems used for everything from billing records to patient tracking. All of these systems should communicate with each other (or “interface”) when they receive new information, or when they wish to retrieve information. In order to facilitate this, Health Level-7 or HL7 was developed – a set of international standards for transfer of clinical and administrative data between software applications used by various healthcare providers.
The Hl7 2.x protocol was however designed with certain assumptions in place – A closed network, no malicious intent by the devices, and running devices running in a completely reliable environment. The number of devices using the HL7 v2.x messaging standard is huge as it’s supported by every major medical information systems vendor in the world.
The talk will cover HL7 2.x messages, their significance and the information in these messages along with the impact of gaining access to these messages. We will look the scenario of gaining patient information, fingerprinting architecture, examining and changing diagnosis, gaining access to non-prescribed drugs / changing medications and more. This talk will also cover how to pentest medical systems running HL7 interfaces (EMR Software, Patient monitors, X-ray machines.. etc.), discovering common flaws and attack surfaces and on devices that use HL 7 2.x messages to test machine interfaces and connected environment.
There are currently no security test cases for finding vulnerabilities in the HL7 2.X protocol. Most of the test cases / understanding is based on developers’ assumption of the infrastructure and the protocols. However, with recent attacks on US hospitals, we have seen that the security community needs to understand a lot about these standards and to begin testing them effectively. The talk will provide security professionals with a methodology to test and attack hospital infrastructure but also the precautions that need to be taken while assessing healthcare infrastructure.