Talk was presented by Ajay Pratap Singh at NanoSec Conference 2019, InterContinental Hotel Kuala Lumpur on the 9th of October 2019.

1. Attacking & Securing HealthCare Standards &
Pentest Medical Devices
Ajay Pratap Singh
This presentation does not reflect opinions of my employer and all the data or views are my OWN.

2. • Security professional with 6+ years of industry experience.
• Associate Architect – Product security, Dover Corporation
• Speaker at HiTB, COSAC, ISC2, Nullcon, c0c0n etc.
• Not a hacker, just a bug hunter
• Like to play cricket
• @ajayps29
#WHOAMI

3. • HealthCare security
• Healthcare standards
• HL7 2.X
• FHIR
• DICOM
• Healthcare standards workflow
• Healthcare standards attacks
• Methodology to pentest medical devices / systems
• Securing standards & medical devices / systems
Agenda

4. What do you
think of
Healthcare
Security?
Why is Security
important in
Healthcare?
Source: https://www2.deloitte.com/us/en/pages/life-sciences-and-health-care/articles/us-and-global-health-care-industry-trends-outlook.html
https://en.wikipedia.org/wiki/Health_care_in_the_United_States
Healthcare Security
• Healthcare Industry : ~$11 Trillion by 2022
• Healthcare technology sector : ~$280 billon by 2021
• USA GDP percentage on healthcare : 17.9% in 2019
Identity Theft
Patient life
Financial fraud
Access to unauthorized medicines

5. Healthcare Standards (HL7)
• HL7 and its members provide a framework (and related standards) for the exchange, integration,
sharing, and retrieval of electronic health information.
• HL7’s Version 2.x (V2) messaging standard is the workhorse of electronic data exchange in the clinical
domain and arguably the most widely implemented standard for healthcare in the world. This
messaging standard allows the exchange of clinical data between systems.
HL7 2.x
• 95% of US healthcare organizations use
HL7 V2.x
• More than 35 countries have HL7 V2.x
implementations
• Uses MLLP (Minimum Lower Layer
Protocol)
FHIR
• Fast Healthcare Interoperability Resources
• It’s a draft standard for the exchange of
resources
• Other standards are version 3.x, CDA, CCD, SPL etc.
Source: http://www.hl7.org

6. DICOM Healthcare Standard
• DICOM (Digital Imaging and communication in Medicine) is
the international standard to transmit, store, retrieve, print,
process, and display medical imaging information.
• DICOM makes medical imaging information interoperable
• DICOM networking Protocol is used in communication
between medical devices.
Modality PACS Server
DICOM networking protocol
Source: www.dicomstandard.org
https://github.com/d00rt/pedicom/blob/master/doc/Attacking_Digital_Imaging_and_Communication_in_Medicine_(DICOM)_file_format_standard_-
_Markel_Picado_Ortiz_(d00rt).pdf

7. HL7-ORM
Order
Scheduling
(Doctor)
RIS
(Modality
Scheduling)
Modality
(CT,X-ray etc.)
(Technician)
EMR (Doctor)
PATIENT QUERY
EMR – Electronic Medical Records | RIS – Radiology Information System | PACS – Picture Archiving and communication system
HL7 – health level seven | FHIR - Fast Healthcare Interoperability Resources | DICOM – Digital Imaging & communications in Medicine
HealthCare standards (workflow )
PACS
Server
HL7-ADT HL7-ORM

8. Message Header
Information
Patient
Information
Next of kin Info
Patient visit
Information
| - Field delimiter (pipe) ^ - Sub-field delimiter (caret) ~ - Repeating Filed delimiter (tilde)
- Escape Character (backslash) & - sub-sub-file delimiter (ampersand)
HL7 2.x message

9. • ADT – Admission, discharge, transfer
• ORM – Order Message
• ORU – Observation Results
• DFT – Detailed Financial transactions etc..
HL7 2.x message - Types

10. ADT-A01 – patient admit
ADT-A02 – patient transfer
ADT-A03 – patient discharge
ADT-A04 – patient registration
ADT-A05 – patient pre-admission etc..
HL7 2.x message - ADT

11. • Plain Text – MiTM
• Injection Attacks
• Data Modification
• Denial of Service attacks
• Client side attacks
HL7 2.x message - Attacks

12. FHIR aims to simplify implementation without sacrificing information
integrity. It leverages existing logical and theoretical models to provide
a consistent, easy to implement, and rigorous mechanism for
exchanging data between healthcare applications.
• Makes use of web and exchange data in XML & JSON format.
• Latest HL7 standard.
FHIR (Fast HealthCare Interoperability Resources)

13. http://www.hl7.org/implement/standards/fhir/message-request-link.xml.html
http://www.hl7.org/implement/standards/fhir/message-response-link.xml.html
FHIR message

14. • All web based attacks are applicable.
• JSON injection
• XML injection
• XSS
• SQL injection etc…
• Violating access control
• Privilege Escalation
FHIR- Attacks

15. DICOM Usage & File View
• DICOM is used in Imaging device like CT, X-ray etc. and workstations.
• Files with .dcm extensions.
• Modalities (based on the type of query) needs to be pre-configured with servers & clients IP addresses, Port
number and AE title.

16. DICOM Network / communication Model
SCU
(service class
user)
SCP
(service class
provider)
Association request / response
Actual data transfer
AE title, IP Address, Port

17. DICOM Network Services
Composite services
• Services
• Verification
• Storage
• Query/Retrieve
• Modality Worklist
• C-ECHO, C-FIND, C-STORE,
C-MOVE, C-GET
Normalized services
• Services
• Storage Commitment
• Print Management
• N-GET, N-SET,
N-EVENT- REPORT, N-
ACTION,
N- CREATE, N-DELETE

18. C-FIND

19. • IP Address
• PORT
• AE (Application Entity) title (used to identify a DICOM application to
other DICOM applications on the network)
DICOM Attack Vectors

20. • MiTM – Sniffing
• PE/DICOM attack – by Markel Picardo Ortiz from Cylera
Labs
• PACS server flooding
• Modification in .dcm file – Exposure to Radiation
DICOM Attacks
https://github.com/d00rt/pedicom/blob/master/doc/Attacking_Digital_Imaging_and_Communication_in_Medicine_(DICOM)_file_format_standard_-
_Markel_Picado_Ortiz_(d00rt).pdf

21. Medical devices / systems

22. • Gather Publicly available information
• Full understanding of workflow / deployment of system
• Threat Modeling
• Specific test cases for devices
• Risk based pentesting
• Risk analysis document
Methodology to Pentest Medical devicesMethodology to Pentest Secured Medical Devices / Systems

23. • User Roles
• Access to file system
• Sticky keys
• Hyperlinks
• Monkey testing etc.
• Look for writable directory
• Full understanding of workflow of the application
• Command Injection
• USB – configuration update
• Custom Services
• Cloud
Pentest Medical Devices / Systems

24. • Encryption (Data at rest & in transit)
• DICOM: Remove the header before processing the image
• Authentication
• Authorization
• Upgradation
• Software patching
• No hardcoded secrets
• Input validation
• SSH tunneling
Securing HealthCare Standards & Devices / Systems

25. Thank you


26. Hospital Attack News