Medical imaging devices are a regulatory nightmare
Medial imaging systems and insecure protocols are leaking millions of patient images and meta data onto the open internet.
For an industry that is regulated like no other, it may come as a shock to many that the imaging platforms, management systems, and protocols used in healthcare are horribly insecure—shedding data in plain text and plain sight for anyone (not just hackers) to view, download, and use as they please.
After conducting an extensive, six-month investigation, CybelAngel researchers were able to access millions of unique imaging files complete with patient information on internet-accessible storage devices with ties to hospitals and medical centers worldwide.
While the devices themselves were usually password protected, many had security flaws that enable guest access through the file transfer (FTP) or server message block (SMB) file-sharing protocols. In one instance, our researchers uncovered a healthcare imaging service provider whose website was leaking more than 500,000 unprotected files per day via an unprotected network file system (NFS) port. Our team also uncovered malicious scripts on that same web server.
A 30-year-old protocol
Another and equally pressing issue for healthcare cyber security teams and the public at large is a good implementation of the DICOM protocol, used for transferring and viewing images. Developed in the early 1980s before cyber security was a concern, the digital imaging and communication in medicine (DICOM) protocol is the standard protocol most imaging systems use to share files.
Medical imaging devices, such as MRIs, CT scanners, and x-ray machines rely on DICOM to send data to picture archiving and communications systems (PACS) used by doctors to view and share image files between different systems. DICOM as an image standard also allows for up to 200 lines of patient-specific information per image. This data can include patient social security numbers (SSNs), patient names, doctor names, diagnoses, doctor’s notes, and the date, time, and location each image was taken.
What’s even more concerning is medical images are available to anyone who knows where and how to look for them. In instance after instance, our researchers were able to access patient image files by simply knowing the port number each vendor’s equipment uses to communicate with the internet. (These port numbers were easily found by reviewing vendor product data sheets.)
According to DICOM secretariat, the Medical Imaging Technology Association (MITA), the standard does support encryption and other cyber security measures. Rather, it is up to the healthcare providers and software vendors to ensure these measures are put into practice. “[DICOM] defines how encryption is to be used in a DICOM context,” the organization said on its website. “Whether to employ encryption is a policy choice of the hospital and an implementation choice of the product vendor.”
When our researchers scanned the internet looking for medical imaging systems with open ports, they discovered over 300 web portals with no security whatsoever. In one instance, our researchers accessed the image interface without having to log in, provide a password, or use hacking tools of any kind. In another instance, a basic internet search using the publicly available cyber security search engine Shodan.io revealed over 3,000 DICOM devices communicating openly with the internet. Out of 50 anonymous attempts, 44 of these devices granted our researchers access.
Fish in a barrel
Finding insecure and unprotected medical devices and portals was just the first phase of our investigation. In phase two, instead of hunting for open ports on devices, our researchers went looking for the DICOM images directly. After scanning the entire IPv4 range of approximately 4.3 billion IP address, our tools detected 45 million unique DICOM files stored on over 2,140 servers in 67 countries.
As these numbers indicate, the problem is widespread. According to a September 2019 report by ProPublica,an independent investigative news outlet, and the German public broadcaster Bayerischer Rundfunk, the main problem for healthcare providers is complexity.
As healthcare networks became more complex over the past decade, cyber security responsibilities shifted from the imaging software and platform vendors to the network administrators. But many of these administrators assumed the software was secure by design and often failed to adequately secure network access to the platforms.
Like most cyber security issues, the tools exist to change the status quo: encryption needs to be enforced for images in transit and at rest; anonymization of patient data should be implemented; and the use of digital signatures to authenticate applications and servers should be enforced—to name a few of the security features of the DICOM protocol.
At the top of this list, however, is locating and shutting down the servers and systems that are leaking the information in the first place. This is where CybelAngel excels. We’ve made a business out of plugging data leaks wherever they occur: on your network, your partners’ networks, the open internet, and the Dark Web.
Is it too late to secure all of this data? Clearly it is not. While current medical devices and PACS systems may not be designed to meet the challenges of today’s digital ecosystems, CybelAngel’s Digital Risk Protection Platform is.