Pestilential Protocol: How Unsecure HL7 Messages Threaten Patient Lives

Conference: BlackHat USA 2018



The presentation discusses the vulnerability of healthcare cybersecurity and the potential for integrity attacks to harm patients. The speaker emphasizes the need for secure network deployment and collaboration between hospitals, device manufacturers, and policy makers to address the issue.
  • Healthcare cybersecurity is vulnerable, with hospitals experiencing breaches and patient records being leaked despite efforts to secure them
  • Ransomware attacks on hospitals can act as availability attacks, impacting the care of patients with serious medical conditions
  • Integrity attacks, which involve maliciously changing data, can alter clinical decision making and harm patients
  • Secure network deployment and collaboration between hospitals, device manufacturers, and policy makers are necessary to address the issue
The speaker shares a story of how an integrity attack involving the injection of false laboratory results led to a misdiagnosis of diabetic ketoacidosis and the administration of insulin to a patient who did not need it, resulting in a cardiac arrest.


Healthcare infosec is in critical condition - too few bodies, underfunded to a fault, and limping along on legacy systems stuffed with vulnerabilities. From exploited insulin/medication pumps to broken pacemakers, no implantable or medical device is safe. But there’s an even bigger risk on the horizon.

WannaCry was a wake-up - when you knock out systems that enable a hospital to care for patients, you start knocking out patients. Hospitals are no longer secure by virtue of being obscure - connected infrastructure means vulnerable infrastructure.

The HL7 standards comprise the backbone of clinical data transfer used in every hospital around the globe. Frequently implemented as plain text messages sent across flat networks with no authentication or verification, HL7 is both critically ubiquitous and massively unsecured - and thus every lab sample, every medical image, every doctor’s order becomes a potential time bomb.

Join Quaddi and r3plicant, hackers who moonlight as physicians, and Maxwell Bland as they explore the myriad of ways in which HL7 attacks can be used to subvert the implicit trust doctors place in this infrastructure - and just how catastrophic that broken trust can be. Come for the sobering premise, stay for the live HL7 attack demo - but be warned: there will be blood.


