Need help in Testing Anonymized Patient data

Hello All ,

I am working on a Web Application which does data analytics on Hospital Information[HL7 and DICOM] .
During the ETL transformation , All Patient related data are de-identified and displayed in the User Interface .
As a Tester i would like to understand the probable different ways an Ethical hacker would try to decode these patient related data .
This is something very new for me . It would be great if someone would share their experience or shower some test ideas on the same.


Have you considered the usual set of SQL and code injection attacks?

No i haven’t tried this out . I will check this.

Hi Sada

I would start by asking some questions, so:

How are the HL7 messages transmitted, is it tcp or file transfer (ftp)?
How are the messages stored before they are de-identified?
How is the patient data de-identified?



I don’t know your database data is being encrypted but there are lots of tools available to attempt decryption of various SHA1, MD5 hashes etc, all known to hackers. Crackstation is a good example.

Hi Tracey ,

To answer your question :
1.HL7 messages are transmitted using TCP protocol on 9090 port using Thrift application .
2.All the messages are in RAW format before they are de-identified .
3.Patient data is de-identified using SHA-1 .

Best Regards,

Hi Paul ,
Database used is MaprDB and the encryption of data happens with SHA-1.

Hi I am a bit late to the party but there is a good project on git which we have used in the past to do similar stuff , worth a read and you can clone it and modify it according to your needs.