In recent years, the use of internet-connected devices has become more prevalent in the healthcare sector, particularly as a means to communicate patient data. Therefore, it is essential that security testing is carried out against these devices to identify misconfigurations that could cause a severe impact, such as the prescription of incorrect drugs.
At DEFCON 2023 I presented some research in which I discussed an easier method of testing the Health Level Seven (HL7) medical protocol. This included a demonstration of a new tool I created named ‘HL7Magic’, which enables testers to proxy, parse and amend messages to demonstrate the impact of manipulating data sent to a medical device. This blog post has been released alongside the open-sourcing of this tool and will discuss the key concepts mentioned within my talk.