Mitigating HL7 Vulnerabilities
January 9, 2019 | Evaluations & Guidance
While concerns about privacy and security in healthcare have increased over the years, Health Level Seven International's HL7 protocol, the most common standard for the transmission of clinical data between systems, has not evolved to match them. HL7 was developed with the assumption that additional security measures, beyond the scope of the protocol itself, would also be implemented. (Read more about HL7 in the Background below.)
Healthcare organizations put a great deal of effort into encrypting data at rest (data held static in a device's or system's memory) to protect patient health information. However, at some point most of that data will be transferred to other systems, in many cases via an HL7 interface that does not provide encryption. An attacker with access to a network through which HL7 messages flow would be able to eavesdrop on the traffic and the protected health information (PHI) it contains. When in close network proximity to an interface engine, an attacker could retrieve thousands of patient records in a short time frame.
What's more, the HL7 standard offers no means to validate the source or destination of the data (i.e., it doesn't authenticate or authorize transactions). Exploiting this shortcoming, an attacker with knowledge of the IP address and TCP port of an HL7 interface could send falsified data, and the receiving server would accept the data as valid without verifying the source. This data (e.g., diagnostic results) could then mislead clinicians...
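The two gaps described above, cleartext transport and an unverified sender, can be made concrete on the receiving side. The following is an added example, not code from the article or from Health Level Seven International. It unwraps an HL7 v2 message from its MLLP frame (the common TCP transport for HL7 v2: a leading 0x0B byte and a trailing 0x1C 0x0D pair), reports which segments carrying patient data would be readable by anyone on the wire, and applies a compensating control for the missing authentication: an allowlist that binds the sender claimed in MSH-3/MSH-4 and the message type in MSH-9 to the TCP source address the interface engine actually saw. The sample message, the IP addresses and the allowlist are constructed for the demonstration.

```python
"""Receiver-side checks for HL7 v2 over MLLP (added example; all data constructed)."""
from __future__ import annotations
from dataclasses import dataclass

# MLLP framing: <VT> message <FS><CR>
MLLP_START = b"\x0b"
MLLP_END = b"\x1c\x0d"
SEGMENT_SEP = "\r"

# Segments that carry patient identifiers or results; in cleartext they are exposed to any eavesdropper.
PHI_SEGMENTS = {"PID", "NK1", "OBX"}

# Assumed allowlist (constructed): source address -> (sending facility it may claim, message types it may send).
ALLOWED_SENDERS = {
    "10.0.5.20": ("LABSYS", {"ORU^R01"}),            # lab system: results only
    "10.0.5.21": ("ADTSYS", {"ADT^A01", "ADT^A04"}),  # registration system: admits only
}

# Constructed sample: one lab result message for a fictitious patient.
SAMPLE_ORU = (
    "MSH|^~\\&|LIS|LABSYS|EHR|HOSPITAL|20190109120000||ORU^R01^ORU_R01|MSG0001|P|2.5\r"
    "PID|1||MRN12345^^^HOSPITAL^MR||DOE^JANE||19700101|F\r"
    "OBR|1|||GLU^Glucose\r"
    "OBX|1|NM|GLU^Glucose||95|mg/dL|70-99|N|||F\r"
)
SAMPLE_FRAME = MLLP_START + SAMPLE_ORU.encode("ascii") + MLLP_END


@dataclass
class Hl7Header:
    sending_app: str        # MSH-3
    sending_facility: str   # MSH-4
    receiving_app: str      # MSH-5
    receiving_facility: str # MSH-6
    message_type: str       # MSH-9
    control_id: str         # MSH-10


def unwrap_mllp(frame: bytes) -> str:
    """Strip MLLP framing and return the HL7 message text; raise on a malformed frame."""
    if not (frame.startswith(MLLP_START) and frame.endswith(MLLP_END)):
        raise ValueError("not an MLLP frame")
    return frame[len(MLLP_START):-len(MLLP_END)].decode("ascii")


def parse_msh(message: str) -> Hl7Header:
    """Parse the MSH segment. MSH-1 is the field separator itself, so field n is at index n-1."""
    msh = message.split(SEGMENT_SEP)[0]
    if not msh.startswith("MSH"):
        raise ValueError("message does not start with MSH")
    field_sep = msh[3]
    f = msh.split(field_sep)  # f[0]='MSH', f[1]=MSH-2 encoding chars, f[2]=MSH-3, ...
    return Hl7Header(sending_app=f[2], sending_facility=f[3],
                     receiving_app=f[4], receiving_facility=f[5],
                     message_type=f[8], control_id=f[9])


def exposed_phi_segments(message: str) -> list[str]:
    """Segment IDs with patient data that a cleartext capture of this message would reveal."""
    return [s[:3] for s in message.split(SEGMENT_SEP) if s[:3] in PHI_SEGMENTS]


def admit(frame: bytes, src_ip: str) -> tuple[bool, str]:
    """Accept a frame only if the claimed sender and message type match the allowlist for src_ip."""
    try:
        hdr = parse_msh(unwrap_mllp(frame))
    except (ValueError, IndexError, UnicodeDecodeError) as exc:
        return False, f"reject: malformed message ({exc})"
    entry = ALLOWED_SENDERS.get(src_ip)
    if entry is None:
        return False, f"reject: unknown source {src_ip}"
    facility, allowed_types = entry
    if hdr.sending_facility != facility:
        return False, f"reject: {src_ip} claims facility {hdr.sending_facility!r}, expected {facility!r}"
    # MSH-9 may carry a third component (message structure) from v2.3.1 on; compare only type^event.
    msg_type = "^".join(hdr.message_type.split("^")[:2])
    if msg_type not in allowed_types:
        return False, f"reject: {facility} is not authorized to send {msg_type}"
    return True, f"accept: {msg_type} control id {hdr.control_id} from {facility}"


if __name__ == "__main__":
    print("PHI segments readable in cleartext:", exposed_phi_segments(unwrap_mllp(SAMPLE_FRAME)))
    for ip in ("10.0.5.20", "10.0.5.21", "192.168.1.99"):
        print(ip, "->", admit(SAMPLE_FRAME, ip)[1])
```

The allowlist is a compensating control, not a substitute for the transport security the article calls for: a source address can be spoofed on a poorly segmented network, and the PHI report shows that without encryption the PID and OBX contents remain readable to anyone who can capture the traffic regardless of how the receiver validates it.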