🤖 AI Summary
This study addresses critical security deficiencies in widely adopted healthcare protocols—HL7, FHIR, and DICOM—which commonly lack authentication, employ insufficient transport encryption, and harbor known high-severity vulnerabilities, thereby exposing vast amounts of patient data to breach risks. Conducting the first large-scale security assessment of HL7 and FHIR alongside an extended analysis of DICOM, the research deployed low-interaction honeypots over nine months and performed Internet-wide scans across both IPv4 and IPv6 address spaces. By integrating TLS configuration audits, CVE matching, and coordinated vulnerability disclosure, the investigation systematically identified protocol-level security flaws. Findings reveal tens of thousands of medical endpoints without authentication, over half lacking encrypted transport, and thousands of systems affected by vulnerabilities with CVSS scores as high as 9.8, prompting remediation efforts by relevant stakeholders.
📝 Abstract
Systems that process medical data should be meticulously secured. Yet, network services in healthcare environments often fail to implement basic security measures. For example, previous studies showed that network segmentation flaws led to DICOM systems leaking millions of patient records.
In addition to DICOM, healthcare facilities rely heavily on the HL7 and FHIR protocols to transmit data. For nine months, we operated a low-interaction honeypot for medical protocols. We found it was regularly scanned for DICOM but never for HL7 or FHIR, indicating that despite their widespread use and importance for patient data security, the security of these services remains underexplored.
In this paper, we present the first large-scale study on HL7 and FHIR services and expand previous work on DICOM. Our large-scale Internet scans, covering the three major healthcare protocols across IPv4 and IPv6 address spaces, identify healthcare systems and uncover data leaks due to authentication flaws. Additionally, we scanned for deficiencies in TLS configurations of these services and known insecure healthcare software.
In total, we found \TotalEndpointsAuthFlaws ~healthcare services with authentication flaws. \NonTLSPercentage{}\% of all exposed systems do not support transport encryption, and \AllServerCVE{} systems have known software vulnerabilities, including those with potential for system takeover and CVSS scores up to 9.8. Overall, our study reveals an alarming state of cybersecurity in healthcare deployments, for which we discuss potential reasons and countermeasures. Finally, we report on the coordinated disclosure campaign we initiated to improve the security of patient data.