Healthcare’s anatomy:
HL7, A Sensitive Yet Overlooked Protocol

Le Lab Gatewatcher

Introduction


The healthcare sector is one of the domains where humans and machines interact the most. Numerous assistance, imaging, and patient monitoring devices are used constantly to facilitate the tasks of healthcare professionals. This necessary technological dependency drives the evolution of information systems. While it might be tempting to compare industrial information systems to those in healthcare settings, fundamental differences exist.

These differences primarily stem from the IT architecture of healthcare facilities. In the industrial sector, industrial systems and their specific protocols are separated from the rest of the enterprise IT. As a result, industrial attacks are more complex and require dual expertise from attackers. After compromising business IT, they must maintain their access and navigate through the industrial system while executing their malicious actions.

Unfortunately, network segregation is not as simple in the medical world. Medical devices and business IT systems are closely linked, and their interdependence leads to both specialized and generic protocols circulating through the same channels.

This article series will describe two essential protocols in the healthcare sector. The first, HL7, is used for transmitting patient data. The second, DICOM, is both a transport protocol and a file format used in medical imaging. The last article in this series will explain potential attacks on the DICOM protocol.


Preliminary Considerations on HL7-Related Attacks

As a preamble to this article, it is essential to address attacks related to the HL7 protocol. Unlike DICOM, no attacks using or abusing this protocol have been publicized. However, numerous conferences have highlighted vulnerabilities and potential attack vectors against HL7. As demonstrated in articles about healthcare sector threats, the resale of personal data is highly lucrative. It would not be surprising if, in the coming years, these protocols, which sit at the heart of Medical Information Systems (SIM) and at the intersection of IT and OT, became targets for malicious actors.

Understanding HL7


HL7, or Health Level 7, is an application protocol that encompasses several standards for the standardized transfer of medical data. For the remaining layers of the protocol stack, such as transport and network layers, the TCP/IP model is used. Although data encryption is possible, it is very rarely enabled by default on devices communicating via DICOM.

There are different versions and standards related to HL7 protocols. First, let’s explore the various versions:

  • HL7 2.x: This is the oldest and most widely adopted version. It allows for the transfer of events related to admissions, transfers, discharges, lab test results, prescriptions, and more. Designed to be flexible and easy to implement, this version uses a message format based on segments delimited by specific characters (such as the pipe character “|”).


  • HL7 3: Created in 2010, this version provides a more formal and structured approach to the protocol. It is based on a Reference Information Model (RIM) and uses XML (Extensible Markup Language) to structure messages, facilitating semantic-level interoperability. The use of RIM and XML is the major difference between versions 2 and 3.


Next, it is important to introduce the different standards inherent to HL7:

  • HL7 CDA (Clinical Document Architecture): This standard pertains to the exchange of medical reports, summaries, and other health documents. It allows for the integration of both structured information (easy to extract and analyze) and unstructured information (free text), using XML for document structuring. Each CDA document contains metadata to facilitate its interpretation.


  • HL7 FHIR (Fast Healthcare Interoperability Resources): This standard aims to facilitate the development of medical tools based on HL7. FHIR uses modular resources (similar to RESTful objects) that represent specific healthcare concepts, such as patients, observations, appointments, etc. These resources can be easily combined and extended to meet the specific needs of applications.


The description of the various protocol versions and standards reflects the intention to structure and unify health data communications between entities.

Description of HL7 Messages


To further standardize these communications, only a limited number of message types can be used in HL7. Before diving into the details of each message, here is a diagram summarizing HL7's capabilities.


Image1: Diagram of HL7 capabilities, extracted from Codeit

As presented in the diagram, HL7 allows the grouping of all data related to a patient, their examinations, and prescriptions. Below are the details of the messages used to perform these actions:

  • ADT (Admit, Discharge, Transfer): These messages are used to report patient movements within healthcare facilities, including admissions, transfers between departments, and discharges.
  • ORM (Order Message): This message is used to transmit medical order requests such as drug prescriptions, lab tests, imaging exams, etc.
  • ORU (Observation Result): This message is used to transmit clinical observation results, such as lab test results, medical imaging reports, vital signs measurements, etc.
  • SIU (Scheduling Information Unsolicited): Used to transmit scheduling information, such as the creation, modification, or cancellation of medical appointments.
  • MDM (Medical Document Management): These messages are used to manage clinical documents, such as the creation, updating, or deletion of medical records.
  • ADT Acknowledgment (ACK): These messages are acknowledgments sent in response to ADT messages to confirm receipt or report errors.
  • ACK (General Acknowledgment): These messages are used to confirm the receipt of other types of HL7 messages.
  • MFN (Master File Notification): Used to transmit updates to reference files such as patient lists, practitioner lists, etc.

Example of an HL7 Message


The Message

Here is an example of an ORU message in HL7v3. This message is sent after exams have been performed, in order to add their results to the patient's file.

Image2 : Example of an HL7 message in Wireshark


Message Details

The first part of the message contains all the information related to the patient's file and the nature of the exams they must undergo.

Image3: Example of the first part of an HL7 message in Wireshark


Here, in more detail, is an example of personal information related to the patient in these messages:

Image4: Example of a detail of personal information present in HL7 packets


The second part relates to the different exams and the results obtained during these exams.

Image5 : Example of detailed exam result information for a patient
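To make the structure behind Image3 to Image5 concrete, here is an added example (written for this edit, not code from the article or from Gatewatcher) of a small parser for the pipe-delimited HL7 2.x format described in the versions section: segments terminated by a carriage return, fields separated by "|", components by "^", with the delimiters read from MSH-1 and MSH-2 rather than hard-coded. It is run over a constructed ORU message (fictitious facility, patient, identifiers and values) and extracts the same kinds of data the screenshots show: patient demographics from the PID segment and observation results from the OBX segments. The field positions used (MSH-9, PID-3, PID-5, PID-7, OBX-3, OBX-5, OBX-6, OBX-8) follow HL7 v2 numbering; the escape-sequence handling covers the standard \F\, \S\, \T\, \R\ and \E\ forms.

```python
"""Minimal HL7 v2.x parser: added example, not the article's or Gatewatcher's code.

Delimiters come from the message itself: MSH-1 is the field separator ('|'),
MSH-2 the encoding characters (component '^', repetition '~', escape '\\',
subcomponent '&'). Segments end in <CR>.
"""
from collections import namedtuple

Delimiters = namedtuple("Delimiters", "field component repetition escape subcomponent")


def read_delimiters(msh: str) -> Delimiters:
    """'MSH|^~\\&|...': the separator is char 3, the encoding chars are chars 4..7."""
    if not msh.startswith("MSH") or len(msh) < 8:
        raise ValueError("message must start with a complete MSH segment")
    enc = msh[4:8]
    return Delimiters(msh[3], enc[0], enc[1], enc[2], enc[3])


def unescape(value: str, d: Delimiters) -> str:
    """Decode \\F\\ \\S\\ \\T\\ \\R\\ \\E\\; unknown sequences are kept verbatim."""
    table = {"F": d.field, "S": d.component, "T": d.subcomponent,
             "R": d.repetition, "E": d.escape}
    out, i = [], 0
    while i < len(value):
        if value[i] != d.escape:
            out.append(value[i])
            i += 1
            continue
        end = value.find(d.escape, i + 1)
        if end == -1:                      # unterminated escape: keep it literally
            out.append(value[i:])
            break
        out.append(table.get(value[i + 1:end], value[i:end + 1]))
        i = end + 1
    return "".join(out)


def parse_message(raw: str) -> list:
    """Return [(segment_id, fields), ...]; fields[n] is field n (HL7 numbering,
    index 0 unused), a list of repetitions, each a list of unescaped components."""
    segments = [s for s in raw.replace("\r\n", "\r").replace("\n", "\r").split("\r") if s]
    d = read_delimiters(segments[0])
    parsed = []
    for seg in segments:
        seg_id, _, rest = seg.partition(d.field)
        raw_fields = rest.split(d.field)
        fields = [None]
        if seg_id == "MSH":
            # MSH-1 is the separator and MSH-2 the encoding chars: stored verbatim.
            fields += [[[d.field]], [[raw_fields[0]]]]
            raw_fields = raw_fields[1:]
        for f in raw_fields:
            fields.append([[unescape(c, d) for c in rep.split(d.component)]
                           for rep in f.split(d.repetition)])
        parsed.append((seg_id, fields))
    return parsed


def get(fields, n, comp=1, rep=1):
    """Field n, component comp, repetition rep (all 1-based), or '' if absent."""
    try:
        return fields[n][rep - 1][comp - 1]
    except IndexError:
        return ""


def segments_of(parsed, seg_id):
    return [f for sid, f in parsed if sid == seg_id]


def summarize_oru(raw: str) -> dict:
    """Pull the patient identity (PID) and the observations (OBX) out of an ORU."""
    parsed = parse_message(raw)
    msh = segments_of(parsed, "MSH")[0]
    pid = segments_of(parsed, "PID")[0]
    return {
        "message_type": f"{get(msh, 9)}^{get(msh, 9, 2)}",
        "patient_id": get(pid, 3),
        "family_name": get(pid, 5),
        "given_name": get(pid, 5, 2),
        "birth_date": get(pid, 7),
        "results": [{"test": get(obx, 3, 2), "value": get(obx, 5),
                     "unit": get(obx, 6), "flag": get(obx, 8)}
                    for obx in segments_of(parsed, "OBX")],
    }


# Constructed sample (fictitious patient, facility and values) in ORU^R01 v2.5 layout.
SAMPLE_ORU = "\r".join([
    r"MSH|^~\&|LAB_SYS|HOSP_A|EMR|HOSP_A|20240105120000||ORU^R01|MSG000123|P|2.5",
    r"PID|1||PAT-00042^^^HOSP_A^MR||DOE^JANE^A||19800214|F",
    r"OBR|1|ORD-7781||CBC^COMPLETE BLOOD COUNT^L|||20240105113000",
    r"OBX|1|NM|WBC^WHITE BLOOD CELLS^L||6.2|10*3/uL|4.0-10.0|N|||F",
    r"OBX|2|NM|HGB^HEMOGLOBIN^L||9.8|g/dL|12.0-16.0|L|||F",
    r"NTE|1||Escaped pipe \F\ and caret \S\ survive parsing",
]) + "\r"
```

Calling `summarize_oru(SAMPLE_ORU)` returns the patient identity and the two results with their abnormal flags, which is exactly the set of fields an interceptor on the same network segment would read from an unencrypted flow; the MSH-2 special case matters because that field contains the escape character itself and must never be unescaped.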


All these messages contain sensitive patient data, which makes them a target for malicious exploitation. Furthermore, most devices interacting with HL7 do not encrypt their communications. To fully grasp these risks, it is necessary to understand the context in which this protocol is used.

Indeed, its omnipresence in healthcare systems raises concerns about data confidentiality. Data transmitted in cleartext can be intercepted and easily modified. Interception could allow a malicious actor to resell the data, as described in previous articles on healthcare sector threats.
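The message families listed earlier (ADT, ORM, ORU, SIU, MDM, ACK, MFN) and the cleartext problem just described lend themselves to a simple network-side check. The following Python is an added example, not code from the article or from Gatewatcher. It assumes something the article does not state: that HL7 v2 is carried over TCP with MLLP framing (a 0x0B start byte and 0x1C 0x0D end bytes), which is the usual transport. It reads the message type from MSH-9, checks whether a PID segment is present, and raises an alert when such a message crosses a connection that is not protected by TLS, or when the message type falls outside the expected set. The flow records, addresses, port number and the per-connection "tls" flag are constructed stand-ins for what a network sensor would provide.

```python
"""Cleartext HL7 detection: added example, not the article's or Gatewatcher's code.

Assumptions not taken from the article: HL7 v2 over TCP uses MLLP framing
(<VT> 0x0B ... <FS> 0x1C <CR> 0x0D); the flow records below, including the
per-connection 'tls' flag, are constructed stand-ins for sensor output.
"""
MLLP_START = b"\x0b"
MLLP_END = b"\x1c\x0d"

# Message families named in the article; anything else deserves a second look.
KNOWN_TYPES = {"ADT", "ORM", "ORU", "SIU", "MDM", "ACK", "MFN"}


def classify_payload(payload: bytes):
    """Describe an MLLP-framed HL7 v2 message, or return None if it is not one."""
    if not (payload.startswith(MLLP_START) and payload.endswith(MLLP_END)):
        return None
    body = payload[len(MLLP_START):-len(MLLP_END)].decode("latin-1")
    if not body.startswith("MSH") or len(body) < 8:
        return None
    fs = body[3]                                  # MSH-1 is the field separator
    segments = [s for s in body.split("\r") if s]
    msh = segments[0].split(fs)                   # msh[1] is MSH-2, so msh[8] is MSH-9
    msg_type = msh[8].split("^") if len(msh) > 8 else [""]
    seg_ids = [s[:3] for s in segments]
    return {
        "type": msg_type[0],
        "trigger": msg_type[1] if len(msg_type) > 1 else "",
        "known_type": msg_type[0] in KNOWN_TYPES,
        "has_patient_segment": "PID" in seg_ids,
        "segments": seg_ids,
    }


def scan_flows(flows):
    """Apply the rule to (src, dst, dport, tls, payload) records; return alerts."""
    alerts = []
    for src, dst, dport, tls, payload in flows:
        info = classify_payload(payload)
        if info is None:
            continue
        flow = f"{src} -> {dst}:{dport}"
        msg = f'{info["type"]}^{info["trigger"]}'
        if not tls:
            alerts.append({
                "rule": "HL7_CLEARTEXT",
                "severity": "high" if info["has_patient_segment"] else "medium",
                "flow": flow, "message": msg,
                "detail": ("patient identity (PID) transmitted without TLS"
                           if info["has_patient_segment"] else "HL7 without TLS"),
            })
        if not info["known_type"]:
            alerts.append({"rule": "HL7_UNEXPECTED_TYPE", "severity": "low",
                           "flow": flow, "message": msg,
                           "detail": "message type outside the expected set"})
    return alerts


def frame(message: str) -> bytes:
    """Wrap an HL7 string in MLLP delimiters (used only to build the samples)."""
    return MLLP_START + message.encode("latin-1") + MLLP_END


# Constructed flow records: fictitious hosts, an illustrative port and toy messages.
SAMPLE_FLOWS = [
    ("10.1.20.5", "10.1.30.9", 2575, False, frame(
        "MSH|^~\\&|ADT_SYS|HOSP_A|LAB|HOSP_A|20240105||ADT^A01|MSG1|P|2.5\r"
        "PID|1||PAT-1||DOE^JOHN\r")),
    ("10.1.20.6", "10.1.30.9", 2575, True, frame(
        "MSH|^~\\&|LAB|HOSP_A|EMR|HOSP_A|20240105||ORU^R01|MSG2|P|2.5\r"
        "PID|1||PAT-2\rOBX|1|NM|WBC||5.1\r")),
    ("10.1.20.7", "10.1.30.9", 2575, False, frame(
        "MSH|^~\\&|EMR|HOSP_A|LAB|HOSP_A|20240105||ACK^A01|MSG3|P|2.5\rMSA|AA|MSG1\r")),
    ("10.1.50.1", "10.1.30.9", 443, True, b"\x16\x03\x01\x00\x5a\x01"),   # TLS, not HL7
    ("10.1.20.8", "10.1.30.9", 2575, False, frame(
        "MSH|^~\\&|X|HOSP_A|Y|HOSP_A|20240105||ZZZ^Z01|MSG4|P|2.5\rZ01|custom\r")),
]

if __name__ == "__main__":
    for a in scan_flows(SAMPLE_FLOWS):
        print(a["severity"], a["rule"], a["flow"], a["message"], "-", a["detail"])
```

On the constructed flows this yields four alerts: a high-severity one for the admission message carrying a PID in cleartext, medium ones for the two cleartext messages without patient identity, and a low one for the unknown "ZZZ" type; the TLS-protected ORU and the unrelated TLS handshake produce nothing. A real sensor would additionally match on the destination being a known HL7 endpoint, but the decision logic is the same.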

The most severe risk would be the modification of a patient’s medical record. A simple alteration could lead to a misdiagnosis or, in the worst case, a fatal outcome. This scenario is plausible if a criminal modifies the wrong section of a medical record.

This last point is extremely important. It marks a significant difference between an attack on an “IT” protocol and an “OT” protocol like HL7. Securing these flows is imperative because data corruption can directly impact patients’ lives.

Finally, it is crucial to understand why this protocol is still in use in healthcare facilities. HL7 is a standard created in the 1980s and is widely adopted. For example, despite the creation of FHIR, an evolution that appeared about ten years ago, many information systems and medical devices still operate with HL7. Upgrading these systems would require substantial software and hardware changes, which may be too costly for some healthcare facilities.

Conclusion


In cybersecurity, protecting medical data is paramount, especially when it comes to protocols that transmit sensitive information like HL7. However, HL7 is not the only critical protocol specific to the healthcare sector. The DICOM protocol, used for exchanging and storing medical images, also belongs to this select group of crucial information exchange systems in healthcare facilities. The next article in this series will explore the DICOM protocol and the security challenges associated with it.


Authors: Gatewatcher Purple Team and 0xSeeker
