CanSecWest 2022

In the modern healthcare environment, health care is provided by different departments all using various software solutions. Various protocols are used to send information between the departments. These protocols are used for everything from tracking patient admittance, dispensing medication, and transmitting health records between hospitals. They are essential for the delivery of care in the modern healthcare sector, but are largely unknown outside of healthcare IT. The goal of this talk is to cover research into HL7 protocols, protocols that are not widely known but are becoming the most broadly deployed interoperability protocols in the United States, components of healthcare worldwide, and whose implementations are legally mandated is some circumstances. These protocols shows up everywhere from your phone to your local hospital to Google Cloud to the DEF CON Bio-hacking Village CTF, and is supported by an overwhelming majority of EMRs.


This talk will review both the historical and technical aspects of two HL7 protocols, HL7v2 and FHIR, in depth. First, we'll quickly discuss the reason why these protocols were created, and explain the structure of modern healthcare environments like hospitals and doctor's offices. Next, we'll cover HL7v2, the mostly widely deployed of these protocols, covering its construction, structure, and use. We'll talk about implementations of the protocol, the attack surface of these implementations, and issues to look out for while interacting with them. Next, we'll talk about FHIR and implementations of FHIR, including the most widely used implementation. Then we'll talk about design issues which significantly weaken both protocols such as lack of authentication, and discuss and demonstrate methods to MITM the traffic. We'll also discuss several methods of fingerprinting environments and discovering resources in FHIR environments. We'll demonstrate two CVEs discovered as part of this research, CVE-2021-32053 and CVE-2021-32054, which allow attackers to deny service to an entire medical records system and to upload and serve arbitrary resources and webpages or upload malware on critical infrastructure running affected versions. We'll close with a short discussion of FHIR's future, the security of EMRs in general, and best practices that can be used by organizations to securely deploy these protocols.