Systems that process medical data should be meticulously secured. Yet, network services in healthcare environments often fail to implement basic security measures. For example, previous studies showed that network segmentation flaws led to DICOM systems leaking millions of patient records. In addition to DICOM, healthcare facilities rely heavily on the HL7 and FHIR protocols to transmit data. For nine months, we operated a low-interaction honeypot for medical protocols. We found it was regularly scanned for DICOM but never for HL7 or FHIR, indicating that despite their widespread use and importance for patient data security, the security of these services remains underexplored. In this paper, we present the first large-scale study on HL7 and FHIR services and expand previous work on DICOM. Our large-scale Internet scans, covering the three major healthcare protocols across IPv4 and IPv6 address spaces, identify healthcare systems and uncover data leaks due to authentication flaws. Additionally, we scanned for deficiencies in TLS configurations of these services and known insecure healthcare software. In total, we found 2,841 healthcare services with authentication flaws. 94.4% of all exposed systems do not support transport encryption, and 1,373 systems have known software vulnerabilities, including those with potential for system takeover and CVSS scores up to 9.8. Overall, our study reveals an alarming state of cybersecurity in healthcare deployments, for which we discuss potential reasons and countermeasures. Finally, we report on the coordinated disclosure campaign we initiated to improve the security of patient data.
This repository contains all the applications and scripts that we developed in order to deliver the results of our research for the paper Healthcare Data Leaks and Security Flaws at Internet Scale. Essentially, this involves the following components:
- Low Interaction Healthcare Honeypot
- Zgrab2 including the DICOM, HL7, and FHIR modules
- Scripts for controlling the scan pipeline
- Scripts for the TLS and CVE analysis
Build instructions for the honeypot:
cd honeypot_dir
go get .
env GOOS=linux GOARCH=amd64 go build .
For installation as a service, run install_honeypot.sh with sudo.
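As an added illustration of what a low-interaction honeypot for these three protocols has to recognise (this is example code written for this page, not the repository's honeypot), the following Go function classifies the first bytes a client sends as a DICOM A-ASSOCIATE-RQ, an HL7 v2 message over MLLP or a FHIR HTTP request, and extracts the identifiers a defender would want in the log. The AE titles, MSH fields and request paths in the sample are constructed values.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"strings"
)

// Classify inspects the first bytes a client sends to a honeypot listener and
// identifies which healthcare protocol is being probed. It returns the protocol
// name ("dicom", "hl7", "fhir" or "unknown") plus identifiers worth logging. Only
// fixed-layout header fields are parsed, so truncated or malformed probes are
// still classified rather than dropped.
func Classify(data []byte) (string, map[string]string) {
	f := map[string]string{}
	switch {
	// DICOM A-ASSOCIATE-RQ: type 0x01, reserved, 4-byte length, protocol version 1,
	// 2 reserved bytes, then the called (16 bytes) and calling (16 bytes) AE titles.
	case len(data) >= 42 && data[0] == 0x01 && binary.BigEndian.Uint16(data[6:8]) == 1:
		f["called_ae"] = strings.TrimSpace(string(data[10:26]))
		f["calling_ae"] = strings.TrimSpace(string(data[26:42]))
		return "dicom", f
	// HL7 v2 over MLLP: <VT> (0x0B) framing, the message opens with the MSH segment.
	case len(data) > 4 && data[0] == 0x0B && bytes.HasPrefix(data[1:], []byte("MSH|")):
		msh := strings.SplitN(strings.Trim(string(data[1:]), "\x1c\r"), "\r", 2)[0]
		s := strings.Split(msh, "|") // s[0]=="MSH"; MSH-1 is '|' itself, so MSH-n is s[n-1]
		if len(s) > 8 {
			f["sending_app"], f["sending_facility"], f["message_type"] = s[2], s[3], s[8]
		}
		return "hl7", f
	// FHIR: plain HTTP; the REST path or the FHIR media type marks the request.
	case bytes.HasPrefix(data, []byte("GET ")) || bytes.HasPrefix(data, []byte("POST ")):
		req := strings.Fields(strings.SplitN(string(data), "\r\n", 2)[0])
		if len(req) == 3 && (strings.Contains(req[1], "/fhir") || strings.HasSuffix(req[1], "/metadata") ||
			bytes.Contains(data, []byte("application/fhir+json"))) {
			f["method"], f["path"] = req[0], req[1]
			return "fhir", f
		}
	}
	return "unknown", f
}

func main() {
	// Constructed sample: an HL7 ADT^A01 message as a client or scanner would send it.
	probe := []byte("\x0bMSH|^~\\&|SCANNER|LAB|HIS|HOSP|20240101120000||ADT^A01|1|P|2.5\r\x1c\r")
	proto, fields := Classify(probe)
	fmt.Println(proto, fields)
}
```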
The Zgrab modules we have developed are used as described below.
DICOM:
echo 127.0.0.1 | zgrab2 dicom -p 11112
HL7:
echo 127.0.0.1 | zgrab2 hl7 -p 2575
FHIR:
echo 127.0.0.1 | zgrab2 fhir -p 443
Build instructions for Zgrab2:
cd zgrab2
make
./zgrab2
All further information about Zgrab can be found in the README file in the Zgrab folder.
The pipeline scripts automate both the Zmap and Zgrab applications and our detailed analysis scripts. The scripts can be started individually or via a cron job. We used the Cronicle application to organise and cascade the scripts. Further details can be found in the README file in the pipeline_scripts folder.