What is the final impact of this kill-chain?

The final step lands on Inject / modify OBX segments (HC-HL7-INJECT), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

MITM HL7 v2 → tamper lab orders / results

HL7 v2 over MLLP is plaintext pipe-delimited. From the same VLAN as the lab analyser ↔ EHR link, MITM and rewrite OBX result segments — changes the patient's documented test result.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Foothold on hospital LAN

T1078 · Valid Accounts

Credential Access

ARP spoof analyser ↔ EHR

N-ARP-SPOOF · ARP Spoofing / Cache Poisoning

Impact

Falsified results enter EHR record

T1565 · Data Manipulation

Credential Access

Capture HL7 v2 messages

T1040 · Network Sniffing

Impact

Inject / modify OBX segments

HC-HL7-INJECT · HL7 v2 Message Injection

§ Context

Assumed environment: hospital network where HL7 endpoints (lab analysers, imaging, EHR integration engine) share a VLAN or pass through an unsegmented switch. No TLS on HL7 / MLLP.

§ Steps

01
Foothold on hospital LANInitial Access
T1078— Valid Accounts
02
ARP spoof analyser ↔ EHRCredential Access
N-ARP-SPOOF— ARP Spoofing / Cache Poisoning
03
Falsified results enter EHR recordImpact
T1565— Data Manipulation
04
Capture HL7 v2 messagesCredential Access
T1040— Network Sniffing
05
Inject / modify OBX segmentsImpact
HC-HL7-INJECT— HL7 v2 Message Injection

§ References

§ Frequently asked

What is the "MITM HL7 v2 → tamper lab orders / results" attack path?: HL7 v2 over MLLP is plaintext pipe-delimited. From the same VLAN as the lab analyser ↔ EHR link, MITM and rewrite OBX result segments — changes the patient's documented test result. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Foothold on hospital LAN (T1078) — a initial access primitive. Assumed environment: hospital network where HL7 endpoints (lab analysers, imaging, EHR integration engine) share a VLAN or pass through an unsegmented switch.
What is the final impact of this kill-chain?: The final step lands on Inject / modify OBX segments (HC-HL7-INJECT), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

MITM HL7 v2 → tamper lab orders / results

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

5G core GTP-U user-plane injection → subscriber MITM

Mifare Classic crack → cloned hotel key

MITM unencrypted RTP → call eavesdropping