Medical data leaks are among the fastest-growing segments of cyber crime, and for good reason. Health care systems contain great quantities of sensitive and valuable personal information, but also tend to operate on outdated systems that have inadequate security elements.
A new report from security firm CybelAngel provides a high-level analysis of medical data leaks, examining unprotected storage devices and finding some 45 million patient images connected to the internet and sitting behind minimal to no security. Based on malicious scripts found on these systems, the researchers believe that attackers are already well aware of this vulnerability and are making full use of it.
Medical data leaks stem from outdated systems, failure to keep up with security landscape
Entitled “Full Body Exposure,” the new report finds that the problem centers on connected storage devices that sit on the internet with either no real security or only an FTP/SMB connection protected by little more than a flimsy password system.
The report says that many of these medical data leaks can be traced back to Network Attached Storage (NAS) units, an inexpensive means of local file storage generally used by individual consumers or small businesses. An internet connection allows remote workers or other medical facilities to connect and retrieve files via an FTP or SMB system with a simple web portal. These web portals are generally password-protected, but also often have known vulnerabilities that can be exploited for illicit access.
The records in question are DICOM images, the digital x-ray images of patients generated by radiology applications. While these images alone can provide an unauthorized party with sensitive personal health information, they also come bundled with an attached metadata field that contains further details about the condition or procedure as well as the patient’s name and date of birth.
The DICOM file standard dates back to the 1980s, and the equipment used to store and transfer these images has not evolved with modern cybersecurity considerations and medical data leaks in mind. The PACS workstations that DICOM images are viewed on have implemented a form of encryption in the past decade, but the report finds that not only is it not of adequate strength but it is also not enabled by default. Many facilities never bother to implement it.
Using the SHODAN scanner along with several other tools designed to comb the internet for connected Internet Of Things (IoT) devices, the researchers found about 3,092 DICOM devices around the world that could be accessed remotely. Out of a random sampling of 50 that were tried, 44 allowed open access. Additionally, 300 connected PACS workstations were found and several allowed the researchers to walk right in and view patient images without even asking for login credentials. These connections also automatically gave visitors power to create, edit and delete images.
The researchers found that one does not need to have any special knowledge of the DICOM systems or file format to access and manipulate these images, and in some cases the vulnerable web services had even been indexed by Google and were appearing in search results. After six months the CybelAngel researchers had uncovered 45 million exposed medical images hosted on over 2,100 servers in 67 different countries. 26.8 million of these images had gone online since 2019, and 12 of these vulnerable servers were each hosting over one million DICOM images. Italy, the US and Denmark led the world in unprotected servers with over 200 each. The US, Korea and Russia were the world leaders in total count of unprotected patient files.
In addition to the direct risk to equipment and storage devices located in patient care facilities, the researchers identified an additional risk from third-party services that purport to securely store and handle DICOM images. One such service, which was not named, was hosting the images on a Network File System (NFS) that had an unprotected port and was leaking half a million medical images each day. CybelAngel found malicious scripts on this system, indicating that unknown attackers had beat them to it.
Medical data leaks have chilling consequences
There is obvious concern about the leak of personally identifying and sensitive medical information to the black market, but the researchers also identify a unique and more frightening potential consequence of these medical data leaks: attackers interfering with a target’s medical treatment by altering, removing or replacing their images. If a PACS workstation is left unprotected, the attacker does not even need any real hacking knowledge to do this.
This is of particular concern in a pandemic environment that has put added pressure on health systems as attacks increase across the board and stolen health records increase in value. A number of different patient care organizations lost hundreds of thousands of patient data files due to a breach, though these were not all attributed to the theft of DICOM images. For example, Health Share of Oregon lost 654,000 patient health data files when a vendor had a laptop stolen. Florida Orthopaedic Institute lost the health records of 640,000 patients, including Social Security numbers and home addresses, when a phishing attack hit home and delivered ransomware that also exfiltrated the network’s files. And Elite Emergency Physicians exposed 550,000 patient records when a vendor that was supposed to either securely dispose of them or hold them for transfer instead dumped all of them intact in a landfill.