Tag Archives: Vulnerability

HL7 Protocol Enhances Medical Data Transmissions–But Is It Secure?

In our last blog, we examined how DICOM became the standard format for transmitting files in medical imaging technology. As software developers, we frequently find ourselves working in the medical technology field navigating new formats and devices which require specialized attention.

This week, we will jump into one of the standards all medical technology developers should understand: the HL7 protocol.

The HL7 protocol is a set of international standards for the transfer of clinical and administrative data between hospital information systems. It refers to a number of flexible standards, guidelines, and methodologies by which various healthcare systems communicate with each other. HL7 connects a family of technologies, providing a universal framework for the interoperability of healthcare data and software.

Founded in 1987, Health Level Seven International (HL7) is a non-profit, ANSI-accredited standards developing organization that manages updates of the HL7 protocol. With over 1,600 members from over 50 countries, HL7 International represents brain trust incorporating the expertise of healthcare providers, government stakeholders, payers, pharmaceutical companies, vendors/suppliers, and consulting firms.

HL7 has primary and secondary standards. The primary standards are the most popular and integral for system integrations, interoperability, and compliance. Primary standards include the following:

  • Version 2.x Messaging Standard–an interoperability specification for health and medical transactions
  • Version 3 Messaging Standard–an interoperability specification for health and medical transactions
  • Clinical Document Architecture (CDA)–an exchange model for clinical documents, based on HL7 Version 3
  • Continuity of Care Document (CCD)–a US specification for the exchange of medical summaries, based on CDA.
  • Structured Product Labeling (SPL)–the published information that accompanies a medicine based on HL7 Version 3
  • Clinical Context Object Workgroup (CCOW)–an interoperability specification for the visual integration of user applications

While HL7 may enjoy employment worldwide, it’s also the subject of controversy due to underlying security issues. Researchers from the University of California conducted an experiment to simulate an HL7 cyber attack in 2019, which revealed a number of encryption and authentication vulnerabilities. By simulating a main-in-the-middle (MITM) attack, the experiment proved a bad actor could potentially modify medical lab results, which may result in any number of catastrophic medical miscues—from misdiagnosis to prescription of ineffective medications and more.

As software developers, we advise employing advanced security technology to protect patient data. Medical professionals are urged to consider the following additional safety protocols:

  • A strictly enforced password policy with multi-factor authentication
  • Third-party applications which offer encrypted and authenticated messaging
  • Network segmentation, virtual LAN, and firewall controls

While HL7 provides unparalleled interoperability for health care data, it does not provide ample security given the level of sensitivity of medical data—transmissions are unauthenticated and unvalidated and subject to security vulnerabilities. Additional security measures can help medical providers retain that interoperability across systems while protecting themselves and their patients from having their data exploited.

Securing Your IoT Devices Must Become a Top Priority

The Internet of Things has seen unprecedented growth the past few years. With an explosion of commercial products arriving on the marketplace, the Internet of Things has entered the public lexicon. However,  companies rushing to provide IoT devices to consumers often cut corners with regard to security, causing major IoT security issues nationwide.

In 2015, hackers proved to Wired they could remotely hack a smartcar on the highway, kill the engine and control key functions. Dick Cheney’s cardiologist disabled WiFi capabilities on his pacemaker, fearing an attack by a hacker.  Most recently, the October 21st cyber attack on Dyn brought internet browsing to a halt for hours while Dyn struggled to restore service.

Although the attack on Dyn seems to be independent of a nation-state, it has caused a ruckus in the tech community. A millions-strong army of IoT devices, including webcams and DVRs, were conscripted with a botnet which launched the historically large denial-of-service attack. Little effort has been made to make common consumers aware of the security threats posed by IoT devices. A toy Barbie can become the back door to the home network, providing access to PCs, televisions, refrigerators and more. Given the disturbing frequency of hacks in the past year, IoT security has come to the forefront of top concerns for IoT developers.

SECURING CURRENT DEVICES

The amount of insecure devices already in the market complicates the Internet of Things security problem. IoT hacks will continue to happen until the industry can shrink vulnerable devices. Securing current devices is a top priority for app developers. Apple has made an effort to combat this problem by creating very rigorous security requirements for HomeKit compatible apps.

The European Union is currently considering laws to force compliance with security standards. The plan would be for secure devices to have a label which ensures consumers the internet-connected device complies with security standards. The current EU labeling system which rates devices based on energy consumption could prove an effective template for this new cybersecurity rating system.

ISPs COULD BE THE KEY

Internet service providers could be a major part of the solution when it comes to IoT Security. Providers can block or filter malicious traffic driven by malware through recognizing patterns. Many ISPs use BCP38, a standard which reduces the process hackers use to transmit network packets with fake sender addresses.

ISPs can also notify customers, both corporate and individuals, if they find a device on their network sending or receiving malicious traffic. ISPs already comply with the Digital Millennium Copyright Act which requires internet providers to warn customers if they detect possible illegal file sharing.

With the smarthome and over 1.9 billion devices predicted to be shipped in 2019, IoT security has never been a more important issue. Cyber attacks within the US frequently claim the front page of the mainstream media. CIO describes the Dyn attacks as a wake-up call for retailers. The combination of a mass adoption of IoT and an environment fraught with security concerns means there will be big money in IoT security R & D and a potential slow-down in time-to-market pipeline for IoT products.

Will the federal government get involved in instituting security regulations on IoT devices, or will it be up to tech companies and consumers to demand security? Whatever the outcome, this past year has proved IoT security should be a major concern for developers.