Talk To Your Doctor About If Protocols Are Right For You: Vulnerabilities in HL7 Protocols

In the modern healthcare environment, health care is provided by different departments all using various software solutions. Various protocols are used to send information between the departments. These protocols are used for everything from tracking patient admittance, dispensing medication, and transmitting health records between hospitals. They are essential for the delivery of care in the modern healthcare sector, but are largely unknown outside of healthcare IT. The goal of this talk is to cover research into HL7 protocols, protocols that are not widely known but are becoming the most broadly deployed interoperability protocols in the United States, components of healthcare worldwide, and whose implementations are legally mandated is some circumstances. These protocols shows up everywhere from your phone to your local hospital to Google Cloud to the DEF CON Bio-hacking Village CTF, and is supported by an overwhelming majority of EMRs.

This talk will review both the historical and technical aspects of two HL7 protocols, HL7v2 and FHIR, in depth. First, we'll quickly discuss the reason why these protocols were created, and explain the structure of modern healthcare environments like hospitals and doctor's offices. Next, we'll cover HL7v2, the mostly widely deployed of these protocols, covering its construction, structure, and use. We'll talk about implementations of the protocol, the attack surface of these implementations, and issues to look out for while interacting with them. Next, we'll talk about FHIR and implementations of FHIR, including the most widely used implementation. Then we'll talk about design issues which significantly weaken both protocols such as lack of authentication, and discuss and demonstrate methods to MITM the traffic. We'll also discuss several methods of fingerprinting environments and discovering resources in FHIR environments. We'll demonstrate two CVEs discovered as part of this research, CVE-2021-32053 and CVE-2021-32054, which allow attackers to deny service to an entire medical records system and to upload and serve arbitrary resources and webpages or upload malware on critical infrastructure running affected versions. We'll close with a short discussion of FHIR's future, the security of EMRs in general, and best practices that can be used by organizations to securely deploy these protocols.

 
 

Zachary Minneker

Zachary Minneker is a senior security engineer and security researcher at Security Innovation. His first computer was a PowerPC Macintosh, an ISA which he continues to defend to this day. At Security Innovation, he has performed security assessments on a variety of systems, including robots for kids, audio transcription codecs, and electronic medical systems. He has previous experience administrating electronic medical systems, and deep experience in fuzzing, reverse engineering, and protocol analysis. His research has focused on techniques for in-memory fuzzing, IPC methods, and vulnerability discovery in electronic medical record systems and health care protocols.

Previous
Previous

When eBPF meets TLS!

Next
Next

FirmWire: Taking Baseband Security Analysis to the Next Level