Attacks on HL7


Supervision: Dominik Noß

More details:


HL7 is a protocol for transmitting medical data:

„HL7’s Version 2.x (V2) messaging standard is the workhorse of electronic data exchange in the clinical domain and arguably the most widely implemented standard for healthcare in the world. This messaging standard allows the exchange of clinical data between systems.“ (

The protocol is ASCII-based and defines Message Types, such as „Register a Patient“, „Delete a Patient Record“ and „Merge Patient“. These Messages are used to pull, push and manipulate medical data, such as patient information and diagnoses. An attacker who gains access to HL7 is in a powerful position. Not only can they steal sensitive data, but also disrupt operation of critical infrastructure and possibly inflict physical harm to patients by injecting misdiagnoses.

Goals of this thesis:
  • Research, summarize and implement existing attacks on HL7
  • Survey the protocols attack surface. This includes manual risk analysis of all HL7 Message Types. (What types of attacks are possible? What damage can be done?)
  • Implement cross-protocol attacks (e.g. via http, ftp, smtp) against a HL7 implementations, such as Mirth Connect
  • Assess the use of HL7 as a means of payload delivery, e.g. for malware
  • Create an archive of attack implementations...
  • well as a vocabulary of malicious HL7 Messages.

The deliverables shall help with fuzzing and penetration testing of HL7 software in the future.


All relevant standards. Registration is required, but disposable email addresses work fine. Start with “HL7 Version 2.9 Messaging Standard”:

HL7 Browser (to fiddle with HL7 Messages):

Mirth Connect HL7 Server: