Pestilential Protocol: How Unsecure HL7 Messages Threaten Patient Lives

Healthcare infosec is in critical condition- too few bodies, underfunded to a fault, and limping along on legacy systems stuffed with vulnerabilities. From exploited insulin/medication pumps to broken pacemakers, no implantable or medical device is safe. But there's an even bigger risk on the horizon.

WannaCry was a wake-up- when you knock out systems that enable a hospital to care for patients, you start knocking out patients. Hospitals are no longer secure by virtue of being obscure- connected infrastructure means vulnerable infrastructure.

The HL7 standards comprises the backbone of clinical data transfer used in every hospital around the globe. Frequently implemented as plain text messages sent across flat networks with no authentication or verification, HL7 is both critically ubiquitous and massively unsecured- and thus every lab sample, every medical image, every doctor's order becomes a potential time bomb.

Join Quaddi and r3plicant, hackers who moonlight as physicians, and Maxwell Bland as they explore the myriad of ways in which HL7 attacks can be used to subvert the implicit trust doctors place in this infrastructure- and just how catastrophic that broken trust can be. Come for the sobering premise, stay for the live HL7 attack demo- but be warned: there will be blood.

Presented by