Splunk Lantern

Monitoring HL7 traffic security in healthcare settings


HL7 is a cornerstone protocol in healthcare, facilitating the exchange of patient data across systems, such as lab results, admissions, or treatments. Because these messages contain Protected Health Information (PHI), it's essential to ensure secure transmission of this data in order to maintain compliance with regulations like HIPAA.

This article walks you through how to collect, normalize, and monitor HL7 traffic using the Splunk platform, leveraging network integrations and analytics powered by the Common Information Model (CIM).

Data required

Network traffic data

To ingest network traffic data into the Splunk platform, you can use the purpose-built wire data collector Splunk App for Stream, or explore a number of third-party vendor integrations. NetScout and Gigamon, for example, offer integrations with the Splunk platform that make the network traffic data they collect available to Splunk platform users. When any third-party integration is installed, make sure the vendor TA extracts and tags the app field, and that the data maps to the Network Traffic CIM data model with acceleration enabled; the tstats search below reads only from the accelerated data model, so unaccelerated or unmapped data will not appear in its results.

How to use Splunk software for this use case

Run this search to identify HL7 traffic sent to external (untrusted) IPs, which can indicate misconfigurations or PHI leakage. You can optimize this search by specifying an index and adjusting the time range.

| tstats count from datamodel=Network_Traffic.All_Traffic
  where All_Traffic.app="hl7"
  by All_Traffic.app, All_Traffic.src_ip, All_Traffic.dest_ip
| search NOT All_Traffic.dest_ip IN ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
| rename All_Traffic.app AS app, All_Traffic.src_ip AS src_ip, All_Traffic.dest_ip AS dest_ip
| table app, src_ip, dest_ip, count

Search explanation

The table below explains what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search                                                   Explanation

| tstats count from datamodel=Network_Traffic.All_Traffic
    Queries the accelerated Network_Traffic data model.
  where All_Traffic.app="hl7"
    Filters on app="hl7", matching HL7-based traffic.
  by All_Traffic.app, All_Traffic.src_ip, All_Traffic.dest_ip
    Groups results by application, source IP, and destination IP.
| search NOT All_Traffic.dest_ip IN ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
    Removes destinations inside the RFC 1918 private ranges. The field is still named All_Traffic.dest_ip at this point because the rename has not run yet; filtering on a bare dest_ip here would match nothing and silently keep every row.
| rename All_Traffic.app AS app, All_Traffic.src_ip AS src_ip, All_Traffic.dest_ip AS dest_ip
| table app, src_ip, dest_ip, count
    Renames the data model fields to short names and returns a table of HL7 sessions going off-network.
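The same detection logic run offline over a handful of constructed Network_Traffic CIM-style records, as an added example that is not part of the original article: it filters to HL7, excludes all three RFC 1918 ranges with real CIDR matching, and counts sessions per source/destination pair. The records, the is_internal and hl7_offnetwork helpers, and the handling of an unparseable destination (kept for review rather than dropped) are assumptions made for this example.

```python
import ipaddress
from collections import Counter

# RFC 1918 private ranges; the Splunk search excludes the same three networks.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records using Network_Traffic CIM field names (not real traffic).
SAMPLE_TRAFFIC = [
    {"app": "hl7", "src_ip": "10.10.1.12", "dest_ip": "203.0.113.42"},
    {"app": "hl7", "src_ip": "10.10.1.12", "dest_ip": "203.0.113.42"},
    {"app": "hl7", "src_ip": "10.10.2.19", "dest_ip": "198.51.100.26"},
    {"app": "hl7", "src_ip": "10.10.2.19", "dest_ip": "172.20.5.7"},    # internal (172.16/12)
    {"app": "Hl7", "src_ip": "10.10.3.4",  "dest_ip": "192.168.40.9"},  # internal (192.168/16)
    {"app": "dns", "src_ip": "10.10.3.4",  "dest_ip": "8.8.8.8"},       # not HL7, ignored
    {"app": "hl7", "src_ip": "10.10.3.4",  "dest_ip": "not-an-ip"},     # malformed, kept for review
]


def is_internal(ip_text):
    """True if ip_text parses as an address inside an RFC 1918 range.

    An unparseable value returns False: we cannot prove it is internal,
    so the caller keeps it in the off-network report instead of hiding it.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918_NETS)


def hl7_offnetwork(records):
    """Mirror the tstats search: app="hl7", drop RFC 1918 destinations, count per (app, src, dest)."""
    counts = Counter()
    for rec in records:
        if rec.get("app", "").lower() != "hl7":
            continue
        if is_internal(rec.get("dest_ip", "")):
            continue
        counts[(rec["app"].lower(), rec["src_ip"], rec["dest_ip"])] += 1
    # Highest-volume pairs first, which is what an analyst would triage first.
    return [{"app": a, "src_ip": s, "dest_ip": d, "count": c}
            for (a, s, d), c in sorted(counts.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    for row in hl7_offnetwork(SAMPLE_TRAFFIC):
        print(f"{row['app']:<4} {row['src_ip']:<12} {row['dest_ip']:<16} {row['count']}")
```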

Sample output

app   src_ip       dest_ip         count
Hl7   10.10.1.12   203.0.113.42    67
Hl7   10.10.2.19   198.51.100.26   9

Next steps

By detecting risky behavior or misconfigurations before they escalate, your security team can proactively address vulnerabilities. This allows for the timely rectification of issues that could otherwise lead to compliance violations or reportable data breaches.

Continuous monitoring of HL7 traffic provides invaluable operational insight. Security teams can use this real-time understanding to optimize network configurations, refine security policies, and enhance their overall ability to manage and protect critical healthcare data exchanges.