Attacking & Securing HealthCare Standards & Pentest Medical Devices
Ajay Pratap Singh
This presentation does not reflect opinions of my employer and all the data or views are my OWN.
• Security professional with 6+ years of industry experience.
• Associate Architect – Product security, Dover Corporation
• Speaker at HiTB, COSAC, ISC2, Nullcon, c0c0n etc.
• Not a hacker, just a bug hunter
• Like to play cricket
• HealthCare security
• Healthcare standards
• HL7 2.X
• Healthcare standards workflow
• Healthcare standards attacks
• Methodology to pentest medical devices / systems
• Securing standards & medical devices / systems
What do you
Why is Security
• Healthcare Industry : ~$11 Trillion by 2022
• Healthcare technology sector : ~$280 billion by 2021
• USA GDP percentage on healthcare : 17.9% in 2019
Access to unauthorized medicines
Healthcare Standards (HL7)
• HL7 and its members provide a framework (and related standards) for the exchange, integration,
sharing, and retrieval of electronic health information.
• HL7’s Version 2.x (V2) messaging standard is the workhorse of electronic data exchange in the clinical
domain and arguably the most widely implemented standard for healthcare in the world. This
messaging standard allows the exchange of clinical data between systems.
• 95% of US healthcare organizations use
• More than 35 countries have HL7 V2.x
• Uses MLLP (Minimum Lower Layer
• Fast Healthcare Interoperability Resources
• It’s a draft standard for the exchange of
• Other standards are version 3.x, CDA, CCD, SPL etc.
DICOM Healthcare Standard
• DICOM (Digital Imaging and communication in Medicine) is
the international standard to transmit, store, retrieve, print,
process, and display medical imaging information.
• DICOM makes medical imaging information interoperable
• The DICOM networking protocol is used for communication between medical devices.
[Figure: Modality communicating with a PACS server over the DICOM networking protocol]
EMR – Electronic Medical Records | RIS – Radiology Information System | PACS – Picture Archiving and communication system
HL7 – health level seven | FHIR - Fast Healthcare Interoperability Resources | DICOM – Digital Imaging & communications in Medicine
HealthCare standards (workflow)
Next of kin Info
HL7 2.x message
• | - Field delimiter (pipe)
• ^ - Sub-field delimiter (caret)
• ~ - Repeating field delimiter (tilde)
• \ - Escape character (backslash)
• & - Sub-sub-field delimiter (ampersand)
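The delimiter rules above, together with the injection and input-validation points made later in the deck, as an added example that is not part of the presentation: a small Python HL7 v2.x parser that reads the delimiters from MSH-1/MSH-2 rather than assuming them, plus the standard HL7 escape sequences (\F\ \S\ \R\ \E\ \T\) applied before untrusted values are placed in a segment. SAMPLE_ADT, build_pid and the field values are constructed for illustration.

```python
# Added example, not from the slides: a minimal HL7 v2.x parser plus the
# standard HL7 escaping that stops untrusted text from changing message
# structure. SAMPLE_ADT is a constructed message; '\r' separates segments.

SAMPLE_ADT = (
    "MSH|^~\\&|REG|HOSP|LAB|HOSP|202301011200||ADT^A01|MSG0001|P|2.5\r"
    "PID|1||12345^^^HOSP^MR||DOE^JOHN^A||19700101|M\r"
    "NK1|1|DOE^JANE|SPO\r"
)

DEFAULT = ("|", "^", "~", "\\", "&")  # field, component, repeat, escape, sub


def delimiters(msg):
    """Read the five delimiters from MSH-1 and MSH-2 instead of assuming them."""
    if not msg.startswith("MSH") or len(msg) < 8:
        raise ValueError("not an HL7 v2.x message")
    return (msg[3],) + tuple(msg[4:8])


def parse(msg):
    """Return {segment: [fields, ...]} where fields[n] is SEG-n split into components."""
    field, comp, rep, esc, sub = delimiters(msg)
    out = {}
    for seg in filter(None, msg.split("\r")):
        name, _, rest = seg.partition(field)
        raw = rest.split(field)
        if name == "MSH":  # MSH-1 is the separator itself, MSH-2 the other four
            raw = [field] + raw
        fields = [[name]] + [[f] if name == "MSH" and i < 2 else f.split(comp)
                             for i, f in enumerate(raw)]
        out.setdefault(name, []).append(fields)  # repeated segments are kept in order
    return out


def escape(text, d=DEFAULT):
    """Apply HL7 escape sequences \\F\\ \\S\\ \\R\\ \\E\\ \\T\\ to one value."""
    field, comp, rep, esc, sub = d
    out = text.replace(esc, esc + "E" + esc)  # escape char first, or it gets doubled
    for ch, code in ((field, "F"), (comp, "S"), (rep, "R"), (sub, "T")):
        out = out.replace(ch, esc + code + esc)
    return out


def build_pid(patient_id, last, first, d=DEFAULT, safe=True):
    """Build a PID segment from untrusted values; safe=False shows the field shift."""
    enc = (lambda v: escape(v, d)) if safe else (lambda v: v)
    name = d[1].join(enc(v) for v in (last, first))
    return d[0].join(["PID", "1", "", enc(patient_id), "", name])
```

With safe=False a name containing a pipe splits PID-5 into two fields, which is the data-modification path a receiving system should reject during input validation.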
HL7 2.x message - Types
• ADT – Admission, discharge, transfer
• ORM – Order Message
• ORU – Observation Results
• DFT – Detailed Financial Transactions etc.
HL7 2.x message - Attacks
• Plain text – MiTM
• Injection attacks
• Data modification
• Denial of Service attacks
• Client side attacks
FHIR (Fast HealthCare Interoperability Resources)
FHIR aims to simplify implementation without sacrificing information integrity. It leverages existing logical and theoretical models to provide a consistent, easy to implement, and rigorous mechanism for exchanging data between healthcare applications.
• Makes use of the web and exchanges data in XML & JSON format.
• Latest HL7 standard.
• All web based attacks are applicable.
• JSON injection
• XML injection
• SQL injection etc…
• Violating access control
• Privilege Escalation
DICOM Usage & File View
• DICOM is used in imaging devices such as CT and X-ray, and in workstations.
• Files have the .dcm extension.
• Modalities (based on the type of query) need to be pre-configured with the server & client IP addresses, port number and AE title.
DICOM Network / communication Model
[Figure: DICOM association request / response, followed by the actual data transfer; each peer is identified by AE title, IP address and port]
Methodology to Pentest Secured Medical Devices / Systems
• Gather publicly available information
• Full understanding of workflow / deployment of the system
• Threat modeling
• Specific test cases for devices
• Risk based pentesting
• Risk analysis document
Pentest Medical Devices / Systems
• User roles
• Access to file system
• Sticky keys
• Monkey testing etc.
• Look for writable directories
• Full understanding of the workflow of the application
• Command injection
• USB – configuration update
• Custom services
Securing HealthCare Standards & Devices / Systems
• Encryption (data at rest & in transit)
• DICOM: Remove the header before processing the image
• Software patching
• No hardcoded secrets
• Input validation
• SSH tunneling