More than 45 million medical images are currently exposed on unprotected servers and can be accessed freely over the internet without a username or password. The images carry metadata that includes personal and protected health information, which could be used for a variety of nefarious purposes.
The unprotected images, which include MRIs, CT scans, and X-rays, were found by researchers at the CybelAngel Analyst Team during an investigation into Network Attached Storage (NAS) devices and the Digital Imaging and Communications in Medicine (DICOM) standard, both of which are used by hospitals and health systems around the world.
NAS is a popular choice in healthcare because its storage is cheap compared to dedicated servers or cloud storage, especially for smaller healthcare providers with limited funds. DICOM is the healthcare industry standard for transmitting and receiving medical images. Images are typically generated by medical imaging devices and then transmitted using DICOM to Picture Archiving and Communication Systems (PACS), which store and share them.
The CybelAngel researchers conducted scans to identify devices holding medical images that were not properly protected. Scanning around 4.3 billion IP addresses, they found more than 45 million images on 2,140 unprotected servers across 67 countries, including the United States, United Kingdom, France, and Germany.
The NAS devices had several weaknesses that allowed the medical images to be accessed, such as exposed FTP and SMB ports that let unauthorized individuals reach the devices and the images stored on them. The researchers also identified Dynamic DNS services that exposed unsecured web services to outsiders.
The medical images could be accessed without authentication. In many cases the images sat behind a login prompt, but it was possible to get past it simply by leaving the username and password fields blank.
Medical images alone may not be of great value to cybercriminals, but each image also carried up to 200 lines of metadata that included the patient's name, address, date of birth, age, height, weight, diagnosis, and other information. In the United States, those data elements are classed as protected health information and are subject to the strict rules of the Health Insurance Portability and Accountability Act (HIPAA), which requires safeguards to prevent unauthorized access – safeguards that were found to be lacking.
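To make concrete what "metadata" means here, the following is an added example (not code from the CybelAngel report or from any DICOM vendor): a minimal reader for the DICOM Part 10 file format that walks the data elements ahead of the pixel data, pulls out the patient and study tags that carry PHI, and rewrites the file with those tags blanked. It assumes the Explicit VR Little Endian transfer syntax with no nested sequences, and the sample file it builds is constructed in the block with a fictional patient; the tag numbers and keywords are from the public DICOM data dictionary (PS3.6), everything else is this example's own.

```python
"""Minimal reader/scrubber for the PHI that rides in DICOM image metadata.
Added example, not code from the CybelAngel report. Handles only Explicit VR
Little Endian files without sequences; enough to walk the patient/study tags
of such a file and blank them before the image is shared."""
import struct

PREAMBLE_LEN = 128
MAGIC = b"DICM"
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"
LONG_LENGTH_VRS = {"OB", "OW", "OF", "SQ", "UT", "UN"}  # 2 reserved bytes + 4-byte length

PHI_TAGS = {  # (group, element) -> (keyword, VR), from the DICOM data dictionary (PS3.6)
    (0x0010, 0x0010): ("PatientName", "PN"),
    (0x0010, 0x0020): ("PatientID", "LO"),
    (0x0010, 0x0030): ("PatientBirthDate", "DA"),
    (0x0010, 0x0040): ("PatientSex", "CS"),
    (0x0010, 0x1010): ("PatientAge", "AS"),
    (0x0010, 0x1020): ("PatientSize", "DS"),
    (0x0010, 0x1030): ("PatientWeight", "DS"),
    (0x0010, 0x1040): ("PatientAddress", "LO"),
    (0x0008, 0x1030): ("StudyDescription", "LO"),
}

def encode_element(group, elem, vr, value):
    """Encode one data element; values are padded to even length as the standard requires."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:
        value += b"\x00" if vr in ("UI", "OB", "OW", "UN") else b" "
    header = struct.pack("<HH", group, elem) + vr.encode("ascii")
    if vr in LONG_LENGTH_VRS:
        header += b"\x00\x00" + struct.pack("<I", len(value))
    else:
        header += struct.pack("<H", len(value))
    return header + value

def build_file(elements):
    """Preamble + 'DICM' + file meta group + dataset, all Explicit VR LE."""
    meta = (
        encode_element(0x0002, 0x0001, "OB", b"\x00\x01")
        + encode_element(0x0002, 0x0002, "UI", "1.2.840.10008.5.1.4.1.1.4")  # MR Image Storage
        + encode_element(0x0002, 0x0003, "UI", "1.2.3.4.5.6.7.8.9")  # constructed instance UID
        + encode_element(0x0002, 0x0010, "UI", EXPLICIT_VR_LE)
    )
    meta = encode_element(0x0002, 0x0000, "UL", struct.pack("<I", len(meta))) + meta
    body = b"".join(encode_element(g, e, vr, v) for (g, e), (vr, v) in elements)
    return b"\x00" * PREAMBLE_LEN + MAGIC + meta + body

def parse_file(data):
    """Return [((group, elem), vr, raw_value), ...] for every element in the file."""
    if data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        raise ValueError("not a DICOM Part 10 file (missing DICM magic)")
    pos, elements = PREAMBLE_LEN + 4, []
    while pos < len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii")
        if vr in LONG_LENGTH_VRS:
            (length,), pos = struct.unpack_from("<I", data, pos + 8), pos + 12
        else:
            (length,), pos = struct.unpack_from("<H", data, pos + 6), pos + 8
        if vr == "SQ" or length == 0xFFFFFFFF or pos + length > len(data):
            raise ValueError("sequence, undefined length or truncation at %04x,%04x" % (group, elem))
        value, pos = data[pos:pos + length], pos + length
        if (group, elem) == (0x0002, 0x0010) and value.rstrip(b"\x00") != EXPLICIT_VR_LE.encode():
            raise ValueError("unsupported transfer syntax")  # the dataset would be misparsed
        elements.append(((group, elem), vr, value))
    return elements

def extract_phi(data):
    """{keyword: text} for each PHI tag present: what an exposed file leaks beside the pixels."""
    return {PHI_TAGS[tag][0]: value.decode("ascii").rstrip(" \x00")
            for tag, vr, value in parse_file(data) if tag in PHI_TAGS}

def deidentify(data, placeholder="ANONYMIZED"):
    """Rewrite the file with every PHI tag blanked (names replaced by a placeholder)."""
    out = b"\x00" * PREAMBLE_LEN + MAGIC
    for (group, elem), vr, value in parse_file(data):
        if (group, elem) in PHI_TAGS:
            value = placeholder if vr == "PN" else ""
        out += encode_element(group, elem, vr, value)
    return out

# Constructed sample (fictional patient): the kind of header the report describes on an MRI slice.
SAMPLE_FILE = build_file([
    ((0x0008, 0x0060), ("CS", "MR")),
    ((0x0008, 0x1030), ("LO", "Lumbar spine MRI, suspected disc herniation")),
    ((0x0010, 0x0010), ("PN", "Doe^Jane")),
    ((0x0010, 0x0020), ("LO", "MRN-000123")),
    ((0x0010, 0x0030), ("DA", "19750413")),
    ((0x0010, 0x0040), ("CS", "F")),
    ((0x0010, 0x1010), ("AS", "045Y")),
    ((0x0010, 0x1020), ("DS", "1.65")),
    ((0x0010, 0x1030), ("DS", "62.0")),
    ((0x0010, 0x1040), ("LO", "12 Example Street, Springfield")),
    ((0x7FE0, 0x0010), ("OB", bytes(range(16)))),  # stand-in for pixel data
])

if __name__ == "__main__":
    print("leaked:", extract_phi(SAMPLE_FILE))
    print("after scrub:", extract_phi(deidentify(SAMPLE_FILE)))
```

Two things worth noticing when running it: every identifying value is plain ASCII at a fixed, well-known tag, so no image-specific tooling is needed to harvest it from a file pulled off an open share; and blanking the listed tags is only the starting point of de-identification, since real files also carry dates, device identifiers and free-text comment fields, and the (0002,0010) check shows why a reader must refuse a transfer syntax it does not understand rather than guess at the element layout.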
The personal and protected health information does have value to cybercriminals and could be easily sold on the dark web or used for blackmail or fraud. The data could be used to create convincing phishing scams, and the lack of protection could place healthcare providers at risk of ransomware attacks.
The researchers did not need hacking tools to access the images, nor specialist software to find them. All that is needed to view the images is a PACS viewer, and such viewers are widely available.
The protocol healthcare uses to share medical images is meant to be secure, but the researchers found its security to be insufficient. “To make matters worse, the existing DICOM application security measures are not mandatory and are not implemented by default,” said David Sygula, senior cybersecurity analyst at CybelAngel and author of the CybelAngel Full Body Exposure report.