Huge breach of personal data due to unprotected storage devices
Millions of medical images such as X-rays, MRIs, and CT scans are available unsecured on the open web, an investigation by threat intelligence firm CybelAngel has revealed.
The research team says it found unprotected connected storage devices with ties to hospitals and medical centers worldwide that were leaking more than 45 million unique imaging files.
“It’s important to remember that no hacking tools were used,” David Sygula, senior cybersecurity analyst at CybelAngel, told The Daily Swig. “Millions of images were unencrypted and could be accessed without password protection.
“We were surprised to see the extent to which sensitive images were left unprotected, despite the regulations governing health data.”
In most cases, the culprit was a network-attached storage (NAS) device. While web access to these devices should in theory be password-protected, they can contain security flaws that enable guest access through a file-sharing protocol.
And, says Sygula, there could be significant implications.
“A medical image, and associated metadata, can reveal a great deal about an individual,” he said.
“There could be unfavorable consequences if, for example, details about an individual’s health or medical condition were made available to a health or life insurance company, or to a bank or lending institution.
“The individual whose PHI [protected health information] was leaked becomes a lucrative target for blackmail attempts. This is one of the reasons medical data fetches a high price on the dark web.”
The team examined the Digital Imaging and Communications in Medicine (DICOM) protocol and international image standard, established in 1985 and supervised by the National Electrical Manufacturers Association.
They found that DICOM's built-in security is insufficient, and that the application-level security measures that do exist are neither mandatory nor enabled by default.
The main problem appeared to be the lack of a consistent password policy, making it too easy for malicious ‘guests’ to access the data.
An absence of routine updating and patching of the software was also an issue, along with permitting connected medical imaging equipment to operate on unprotected business or public networks.
Plugging the leak
Astonishingly, the research also led analysts to a website advertising a paid service to securely host and manage DICOM images online.
However, the server hosting the website exposed its Network File System (NFS) service on port 2049 without any protection, and so leaked all of its data – more than 500,000 unique files every day.
To minimize exposure to wider business or public networks, Sygula advises tightening up password policies, keeping up to date with patches and maintenance releases, and ensuring there is proper network segmentation of connected medical imaging equipment.
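As an added example, not code from the article or from CybelAngel, the following Python script audits NFS exports(5) entries, the host-side configuration behind an NFS service on port 2049 like the one described above, and flags exports that any host on the network could mount. The sample file, the /srv/... paths and the 10.20.30.0/24 subnet are constructed for illustration; two weak entries sit beside a hardened one so the difference in settings is visible.

```python
"""Audit NFS /etc/exports entries for shares any host could mount.

Added example; not code from the article or from CybelAngel. It parses the
exports(5) syntax `<path> <client>(<options>) ...` and flags the settings
that turn an NFS server on port 2049 into the kind of leak described above.
Paths, subnets and the sample file below are constructed for illustration.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample: two weak exports beside one hardened export.
SAMPLE_EXPORTS = """\
# weak: any host may mount, read-write, and remote root stays root
/srv/dicom *(rw,no_root_squash,insecure)
# weak: a space before the options means the options apply to ALL hosts
/srv/archive (ro)
# hardened: one subnet, read-only, Kerberos with privacy, root squashed
/srv/dicom-ro 10.20.30.0/24(ro,sync,root_squash,sec=krb5p)
"""

# Client specifications that place no restriction on who may mount.
WORLD_CLIENTS = {"*", "0.0.0.0/0", "::/0"}

# exports(5) client entry: an optional host/subnet, then optional "(opts)".
SPEC_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


@dataclass
class Finding:
    path: str
    client: str
    reasons: list


def parse_exports(text):
    """Yield (path, client, options) for every client entry in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:]
        if not specs:
            # A path with no client list at all is exported to everyone.
            yield path, "*", []
        for spec in specs:
            m = SPEC_RE.fullmatch(spec)
            client = m.group(1) or "*"      # "(ro)" with no host means any host
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            yield path, client, opts


def audit_exports(text):
    """Return a Finding for each export entry that carries a risky setting."""
    findings = []
    for path, client, opts in parse_exports(text):
        reasons = []
        if client in WORLD_CLIENTS:
            reasons.append("mountable by any host")
        if "rw" in opts:
            reasons.append("writable")
        if "no_root_squash" in opts:
            reasons.append("remote root keeps root privileges")
        if "insecure" in opts:
            reasons.append("accepts requests from unprivileged source ports")
        # The default is sec=sys, where the client simply asserts its UID/GID.
        if not any(o.startswith("sec=") and "krb5" in o for o in opts):
            reasons.append("no Kerberos authentication (sec=sys)")
        if reasons:
            findings.append(Finding(path, client, reasons))
    return findings


def world_mountable(text):
    """Paths that any host on the network could mount: the worst case."""
    return [f.path for f in audit_exports(text) if "mountable by any host" in f.reasons]


if __name__ == "__main__":
    # Usage: python audit_exports.py [/etc/exports]; defaults to the sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORTS
    for f in audit_exports(src):
        print(f"{f.path} -> {f.client}: " + "; ".join(f.reasons))
```

Restricting exports addresses the "guest" access problem on the host itself; it complements, rather than replaces, the network segmentation Sygula recommends, which keeps port 2049 unreachable from business or public networks in the first place.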