Healthcare hacking

Hey there. I attended a conference a while ago whose main topic was ICS and SCADA systems. Someone mentioned something about healthcare and I started to do some research on it. It turned out that healthcare security was one of the major cybersecurity trends this year. So let's dig in a little bit. First, let's talk about how sensitive information can be compromised via anything related to healthcare:

- Hacking hospitals' systems.

- Hacking research labs.

Hacking research labs seems more like a regular pentest, so let's focus on hospital systems. What kind of software/hardware do they have? Well, do you remember when your doctor starts typing on his/her computer and instantly knows all your medical history? The system providing that service is probably a DICOM server. What is DICOM? DICOM stands for Digital Imaging and Communications in Medicine, a protocol active since 1985 (under a different name back then). The protocol is used to exchange medical images and data between doctors, nurses, etc. DICOM stores the data in .dcm or .dcmdir files. More information on DICOMDIR files:

There are also Picture Archiving and Communication Systems (PACS), which handle the data exchange. The data is sent from medical devices to the server (where it is stored) and then, if your doctor needs to have a look, he/she accesses the data through a PACS client.

1) This is what a .dcm file looks like

The left column shows DICOM's data structure: Patient > Series (one or more) > Studies (one or more) > Images (one or more). The right column shows the Information Object Definitions (IOD), which are the attributes of the .dcm file. DICOM has what are called Application Entities (AE): the name used to represent a system, or a program running on a system, that acts as an endpoint of DICOM communications. There are two types of AE:
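To make the .dcm layout concrete, here is an added example (not code from the original post) that builds a constructed minimal DICOM Part 10 file in memory and then parses it back: the 128-byte preamble, the "DICM" magic, and a sequence of explicit VR little endian data elements carrying the attributes mentioned above (Patient, Study, Series, Modality). The UIDs under 1.2.3.4 are made up for the example, and a real file also carries the rest of the group 0002 file meta information, which is omitted here.

```python
import struct

# Tags this example understands, (group, element) -> DICOM keyword. These are
# real tags from the DICOM data dictionary; anything else is reported by number.
TAG_NAMES = {
    (0x0002, 0x0010): "TransferSyntaxUID",
    (0x0008, 0x0016): "SOPClassUID",
    (0x0008, 0x0018): "SOPInstanceUID",
    (0x0008, 0x0060): "Modality",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0020, 0x000D): "StudyInstanceUID",
    (0x0020, 0x000E): "SeriesInstanceUID",
    (0x7FE0, 0x0010): "PixelData",
}

# In explicit VR encoding these VRs carry a 2-byte reserved field and a 4-byte
# length; every other VR uses a 2-byte length.
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
BINARY_VRS = {b"OB", b"OW", b"OF", b"UN"}

def _element(group, element, vr, value):
    """Encode one explicit VR little endian data element (used only to build the sample)."""
    if len(value) % 2:  # values are padded to even length: NUL for UIDs, space for text
        value += b"\x00" if vr == b"UI" else b" "
    if vr in LONG_LENGTH_VRS:
        return struct.pack("<HH2sHI", group, element, vr, 0, len(value)) + value
    return struct.pack("<HH2sH", group, element, vr, len(value)) + value

def build_sample_dcm():
    """Constructed minimal .dcm: preamble, 'DICM' magic, then a handful of elements.
    UIDs under 1.2.3.4 are made up; the two standard UIDs are real DICOM values."""
    body = b"".join([
        _element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1"),        # Explicit VR Little Endian
        _element(0x0008, 0x0016, b"UI", b"1.2.840.10008.5.1.4.1.1.2"),  # CT Image Storage
        _element(0x0008, 0x0018, b"UI", b"1.2.3.4.5.1.1.1"),
        _element(0x0008, 0x0060, b"CS", b"CT"),
        _element(0x0010, 0x0010, b"PN", b"DOE^JOHN"),
        _element(0x0010, 0x0020, b"LO", b"PAT-0001"),
        _element(0x0020, 0x000D, b"UI", b"1.2.3.4.5.1"),
        _element(0x0020, 0x000E, b"UI", b"1.2.3.4.5.1.1"),
        _element(0x7FE0, 0x0010, b"OW", b"\x00\x01\x00\x02"),            # two tiny 16-bit samples
    ])
    return b"\x00" * 128 + b"DICM" + body

def is_part10_dicom(data):
    """A DICOM Part 10 file has a 128-byte preamble followed by the ASCII magic 'DICM'."""
    return len(data) >= 132 and data[128:132] == b"DICM"

def parse_dcm(data):
    """Walk the data elements after the magic and return {keyword: value}.
    Assumes explicit VR little endian throughout and defined lengths only."""
    if not is_part10_dicom(data):
        raise ValueError("missing DICM magic: not a DICOM Part 10 file")
    pos, elements = 132, {}
    while pos + 8 <= len(data):
        group, element, vr = struct.unpack_from("<HH2s", data, pos)
        if vr in LONG_LENGTH_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element: not handled by this parser")
        if pos + length > len(data):  # never trust a length field blindly
            raise ValueError(f"element ({group:04X},{element:04X}) runs past end of file")
        raw = data[pos:pos + length]
        pos += length
        name = TAG_NAMES.get((group, element), f"({group:04X},{element:04X})")
        elements[name] = raw if vr in BINARY_VRS else raw.decode("ascii", "replace").rstrip(" \x00")
    return elements

if __name__ == "__main__":
    for key, value in parse_dcm(build_sample_dcm()).items():
        print(f"{key:20} {value!r}")
```

Run it and the Modality element comes back as "CT", which is exactly the field a DICOM viewer shows to tell you what kind of image you are looking at. The length check before each slice is the part worth copying: DICOM parsers in real products have been fed files whose length fields point past the end of the buffer, and a parser that trusts them blindly is where memory-safety bugs start.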

  • Service Class User (SCU): device that requests a service.
  • Service Class Provider (SCP): device that provides a service.

As DICOM is a protocol, it has its own commands (called DICOM Message Service Elements, or DIMSE):

Protocol                                                 Ports
-------------------------------------------------------  -----------------------
DICOM                                                    11112 (TCP & UDP)
MedImage (nuclear, PET, CET review software)             7720 (TCP & UDP)
Pharmasoft (inactive website)                            1779 (TCP & UDP)
HL7                                                      2575 (TCP & UDP)
TMOP HL7 Message Transfer Service                        20046 (TCP & UDP)
Health-polling, health-trap (its usage isn't clear)      1161, 1662 (TCP & UDP)
Healthd                                                  1281 (TCP & UDP)
IEEE 11073-20701 (medical devices)                       6464 (TCP)
Medevolve (physician software)                           13930 (TCP)
Electromed SIM port (redirects to …)                     3564 (TCP & UDP)
Philips medical services/software/devices                24000-24006 (TCP & UDP)

You can play with this by downloading sample DICOM images and a free DICOM viewer. Also, if you want to know in more detail what kind of image you are looking at, check: For example, the first image of the post says CT1 on the image and CT in the Modality IOD, so it is a Computed Tomography scan. Above is the list of protocols and ports I've found related to healthcare; you can, for example, use the port filter in Shodan to find systems on the internet running these kinds of services.
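The defender's counterpart to that Shodan search is checking your own perimeter: if any of the ports in the table above accept connections from the internet, you want to know before someone else does. The following is an added example, not code from the original post, that sweeps firewall flow records for accepted connections from external addresses to those ports. The flow-log line format and the log lines themselves are constructed for the example, and the internal address ranges are an assumption (the usual RFC 1918 blocks); a real deployment would substitute its own log format and address plan.

```python
import ipaddress
import re

# Port table from the post, as {port: service}; the TCP/UDP distinction is dropped here.
HEALTHCARE_PORTS = {
    11112: "DICOM",
    7720: "MedImage",
    1779: "Pharmasoft",
    2575: "HL7",
    20046: "TMOP HL7 Message Transfer Service",
    1161: "health-polling",
    1662: "health-trap",
    1281: "Healthd",
    6464: "IEEE 11073-20701",
    13930: "Medevolve",
    3564: "Electromed SIM port",
}
HEALTHCARE_PORTS.update({p: "Philips medical services" for p in range(24000, 24007)})

# Assumption: these are the hospital's own address ranges; anything else is "the internet".
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow-log format: "<timestamp> <ACCEPT|DROP> <proto> <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(r"^(\S+) (ACCEPT|DROP) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")

# Constructed sample records. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for arbitrary internet sources.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z ACCEPT tcp 10.20.30.40:49152 -> 10.1.2.3:11112
2024-05-01T10:00:05Z ACCEPT tcp 203.0.113.9:51234 -> 10.1.2.3:11112
2024-05-01T10:00:09Z ACCEPT tcp 198.51.100.7:40001 -> 10.1.2.8:2575
2024-05-01T10:00:12Z DROP tcp 198.51.100.7:40002 -> 10.1.2.8:24003
2024-05-01T10:00:20Z ACCEPT tcp 203.0.113.9:51240 -> 10.1.2.3:443
this line is not a flow record
"""

def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETWORKS)

def find_exposed(log_text):
    """Return (findings, probes): one finding per accepted flow from an external source
    to a healthcare port, plus a count of dropped attempts against those ports so the
    caller can see the internet is knocking even where the firewall held."""
    exposed, probes = [], 0
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # malformed records are skipped rather than allowed to stop the sweep
        ts, action, proto, src, _sport, dst, dport = m.groups()
        dport = int(dport)
        if dport not in HEALTHCARE_PORTS or is_internal(src):
            continue
        if action == "DROP":
            probes += 1
            continue
        exposed.append({"time": ts, "src": src, "dst": dst, "port": dport,
                        "proto": proto, "service": HEALTHCARE_PORTS[dport]})
    return exposed, probes

if __name__ == "__main__":
    findings, probes = find_exposed(SAMPLE_FLOWS)
    for f in findings:
        print(f"{f['time']} EXPOSED {f['service']} on {f['dst']}:{f['port']} reached from {f['src']}")
    print(f"{probes} dropped probe(s) against healthcare ports")
```

On the sample records this reports the DICOM server and the HL7 endpoint reached from outside, and counts the dropped probe against the Philips port range separately. The internal scanner-to-PACS transfer on 11112 is correctly ignored, which is the point of keying the check on the source address rather than on the port alone.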

2) Example usage of the port filter

There are other ports, like the ones for specific products (example:

In some of these DICOM servers there is no authentication enabled, so sensitive data may be leaked. Medical records can be sold or used to impersonate someone. Medical devices have been hacked, and will continue to be. This article was meant to make whoever reads it aware of the level of exposure we all have on this topic. If this was interesting to you, leave a comment and maybe I will start a series about healthcare. See you soon ;)
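To show what "no authentication" means at the protocol level, and what the SCU/SCP exchange described earlier looks like on the wire, here is an added example (not code from the original post or from any PACS product). An SCU opens a DICOM association by sending an A-ASSOCIATE-RQ PDU whose fixed part carries the called and calling AE titles; a server that accepts any caller is the unauthenticated case. The example parses that PDU, validates its framing, and applies the minimum check a hardened SCP should make: the called AE title must be ours, and the calling AE title must be expected from that peer address, otherwise an A-ASSOCIATE-RJ is returned. The PDU layouts and reject codes follow DICOM PS3.8; the AE titles, the allowlist and the peer addresses are constructed for the example.

```python
import struct

PDU_A_ASSOCIATE_RQ = 0x01
PDU_A_ASSOCIATE_RJ = 0x03

# A-ASSOCIATE-RJ diagnostics for source = 1 (DICOM UL service-user), per PS3.8.
REJ_CALLING_AE_NOT_RECOGNIZED = 3
REJ_CALLED_AE_NOT_RECOGNIZED = 7

# Constructed SCP policy: our own AE title, and which calling AE title may
# associate from which peer address. A production PACS keeps the same kind
# of table in its configuration (the "known modalities" list).
OUR_AE_TITLE = "PACS_SCP"
ALLOWED_PEERS = {
    "CT_SCANNER_1": {"10.20.30.40"},
    "WORKSTATION_2": {"10.20.30.41", "10.20.30.42"},
}

def build_associate_rq(called_ae, calling_ae, variable_items=b""):
    """Constructed A-ASSOCIATE-RQ. Fixed part per PS3.8: protocol version, reserved,
    16-byte called AE title, 16-byte calling AE title, 32 reserved bytes, then the
    variable items (application context, presentation contexts, user information),
    left empty here because the access decision only needs the fixed part."""
    body = struct.pack(">HH", 1, 0)
    body += called_ae.ljust(16).encode("ascii")
    body += calling_ae.ljust(16).encode("ascii")
    body += b"\x00" * 32
    body += variable_items
    return struct.pack(">BBI", PDU_A_ASSOCIATE_RQ, 0, len(body)) + body

def parse_associate_rq(pdu):
    """Return (called_ae, calling_ae) from an A-ASSOCIATE-RQ after validating the framing."""
    if len(pdu) < 74 or pdu[0] != PDU_A_ASSOCIATE_RQ:
        raise ValueError("not an A-ASSOCIATE-RQ PDU")
    (pdu_length,) = struct.unpack_from(">I", pdu, 2)
    if pdu_length != len(pdu) - 6:
        raise ValueError("PDU length field does not match bytes received")
    (version,) = struct.unpack_from(">H", pdu, 6)
    if version & 0x0001 == 0:
        raise ValueError("peer does not support protocol version 1")
    called = pdu[10:26].decode("ascii", "replace").strip()
    calling = pdu[26:42].decode("ascii", "replace").strip()
    return called, calling

def build_associate_rj(reason):
    """A-ASSOCIATE-RJ: result 1 (rejected-permanent), source 1 (UL service-user), reason."""
    return struct.pack(">BBIBBBB", PDU_A_ASSOCIATE_RJ, 0, 4, 0, 1, 1, reason)

def decide_association(pdu, peer_ip):
    """The check an SCP should make before accepting an association.
    Returns ("accept", None) or ("reject", <A-ASSOCIATE-RJ bytes>)."""
    called, calling = parse_associate_rq(pdu)
    if called != OUR_AE_TITLE:
        return "reject", build_associate_rj(REJ_CALLED_AE_NOT_RECOGNIZED)
    if peer_ip not in ALLOWED_PEERS.get(calling, set()):
        return "reject", build_associate_rj(REJ_CALLING_AE_NOT_RECOGNIZED)
    return "accept", None

if __name__ == "__main__":
    rq = build_associate_rq("PACS_SCP", "CT_SCANNER_1")
    print("scanner from its own address:", decide_association(rq, "10.20.30.40")[0])
    print("same AE title from elsewhere:", decide_association(rq, "203.0.113.9")[0])
```

The AE title is not a secret: it travels in cleartext and is chosen by the client, so checking it alone is not authentication. Pairing it with the peer address is the baseline every PACS configuration should enforce, and where the network between SCU and SCP is not trusted the association should run over the TLS secure transport profiles that DICOM defines in PS3.15.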