This course aims to educate participants on hacking medical devices and healthcare infrastructure, focusing on the HL7 2.x messaging standard. The learning outcomes include understanding HL7 2.x messages, their significance, and the potential impact of gaining unauthorized access to patient information and medical systems. Participants will learn to pentest medical systems with HL7 interfaces, identify common flaws and attack surfaces, and develop security testing methodologies for hospital infrastructure. The course covers topics such as ADT, ORM, ORU, RDE, MDM, DFT messages, as well as security vulnerabilities like message source validation, server attacks, denial of service, and exploiting file functionalities. The intended audience for this course includes security professionals seeking to enhance their understanding of healthcare standards and infrastructure security.
Hacking Medical Devices and Healthcare Infrastructure
Hack In The Box Security Conference via YouTube
Overview
Syllabus
SPEAKER BIO
#whoami
Agenda
Securing hospitals
Understanding medical devices
HL7 - Health Level 7
In a nutshell
HL 72.x crash course
ADT - Admit Discharge and Transfer
ADT - Potential Entry Points
ORM - Order message
ORM - Potential Entry points
ORU - Observation Result
RDE - Pharmacy order message
MDM - Medical Document Management
DFT - Detail Financial Transaction
Recon
Message source not validated
Unvalidated size
Bad server attacks
Denial of service
Abusing file upload / download functionality
Taught by
Hack In The Box Security Conference
