Monitoring HL7 traffic security in healthcare settings
HL7 is a cornerstone protocol in healthcare, facilitating the exchange of patient data across systems, such as lab results, admissions, or treatments. Because these messages contain Protected Health Information (PHI), it's essential to ensure secure transmission of this data in order to maintain compliance with regulations like HIPAA.
This article walks you through how to collect, normalize, and monitor HL7 traffic using the Splunk platform, leveraging network integrations and analytics powered by the Common Information Model (CIM).
Data required
To ingest network traffic data into the Splunk platform, you can use the purpose-built wire data collector, Splunk App for Stream, or one of a number of third-party vendor integrations. NetScout and Gigamon, for example, offer integrations with the Splunk platform that make the network traffic data they collect available to Splunk platform users. When any third-party integration is installed, make sure the vendor TA extracts and tags the app field, and that the data maps to the Network Traffic CIM model with acceleration enabled.
How to use Splunk software for this use case
Run this search to identify HL7 traffic sent to external (untrusted) IPs, which can indicate misconfigurations or PHI leakage. You can optimize this search by specifying an index and adjusting the time range.
| tstats count from datamodel=Network_Traffic.All_Traffic where All_Traffic.app="hl7" by All_Traffic.app, All_Traffic.src_ip, All_Traffic.dest_ip | rename All_Traffic.app AS app, All_Traffic.src_ip AS src_ip, All_Traffic.dest_ip AS dest_ip | search NOT dest_ip IN ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16") | table app, src_ip, dest_ip, count
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment. Note that the rename runs before the search filter: tstats returns the fully qualified field names (All_Traffic.dest_ip), so the filter on dest_ip only matches once the fields have been renamed.
Splunk Search | Explanation |
---|---|
| tstats count from datamodel=Network_Traffic.All_Traffic | Queries the accelerated Network_Traffic data model. |
where All_Traffic.app="hl7" | Filters on app="hl7", matching HL7-based traffic. |
by All_Traffic.app, All_Traffic.src_ip, All_Traffic.dest_ip | Groups results by app, source IP, and destination IP. |
| rename All_Traffic.app AS app, All_Traffic.src_ip AS src_ip, All_Traffic.dest_ip AS dest_ip | Renames the data model fields to their short CIM names so the following commands can reference them. |
| search NOT dest_ip IN ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16") | Removes destinations in the RFC 1918 private ranges, leaving only sessions to external IPs. |
| table app, src_ip, dest_ip, count | Returns a table of HL7 sessions going off-network. |
Sample output
app | src_ip | dest_ip | count |
---|---|---|---|
hl7 | 10.10.1.12 | 203.0.113.42 | 67 |
hl7 | 10.10.2.19 | 198.51.100.26 | 9 |
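The same detection logic, reproduced here as an added Python example rather than anything from the article or from Splunk: it takes CIM-shaped records (app, src_ip, dest_ip), drops HL7 sessions whose destination falls in any RFC 1918 range, and counts the remainder per source/destination pair. The sample records are constructed, and the example goes one step beyond the search above by covering all three private ranges and by skipping malformed addresses rather than flagging them.

```python
import ipaddress
from collections import Counter

# All three RFC 1918 ranges. Hosts in 172.16.0.0/12 would be reported as
# external if that range were left out of the exclusion list.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample records shaped like Network_Traffic.All_Traffic fields.
# These are not real captures.
SAMPLE_TRAFFIC = [
    {"app": "hl7", "src_ip": "10.10.1.12", "dest_ip": "203.0.113.42"},
    {"app": "hl7", "src_ip": "10.10.1.12", "dest_ip": "203.0.113.42"},
    {"app": "hl7", "src_ip": "10.10.2.19", "dest_ip": "198.51.100.26"},
    {"app": "hl7", "src_ip": "10.10.2.19", "dest_ip": "10.20.0.5"},    # internal, excluded
    {"app": "hl7", "src_ip": "10.10.3.7",  "dest_ip": "172.20.4.9"},   # 172.16/12, excluded
    {"app": "dns", "src_ip": "10.10.1.12", "dest_ip": "8.8.8.8"},      # not HL7, excluded
    {"app": "hl7", "src_ip": "10.10.4.1",  "dest_ip": "not-an-ip"},    # malformed, skipped
]


def is_internal(ip_text):
    """True if ip_text is inside an RFC 1918 range, False if outside,
    None if it does not parse as an IP address."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return any(addr in net for net in INTERNAL_NETWORKS)


def hl7_to_external(records):
    """Mirror the search: keep app == hl7, drop RFC 1918 destinations,
    count sessions per (src_ip, dest_ip). Rows are sorted by count, descending."""
    counts = Counter()
    for rec in records:
        if rec.get("app", "").lower() != "hl7":
            continue
        internal = is_internal(rec.get("dest_ip", ""))
        if internal is None or internal:
            continue
        counts[(rec["src_ip"], rec["dest_ip"])] += 1
    return [{"app": "hl7", "src_ip": s, "dest_ip": d, "count": c}
            for (s, d), c in counts.most_common()]


if __name__ == "__main__":
    for row in hl7_to_external(SAMPLE_TRAFFIC):
        print(row)
```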
Next steps
By detecting risky behavior or misconfigurations before they escalate, your security team can proactively address vulnerabilities. This allows for the timely rectification of issues that could otherwise lead to compliance violations or reportable data breaches.
Continuous monitoring of HL7 traffic provides invaluable operational insight. Security teams can use this real-time understanding to optimize network configurations, refine security policies, and enhance their overall ability to manage and protect critical healthcare data exchanges.