A worrisome piece of news was reported by TechCrunch a few days ago. The headline reads “A billion medical images are exposed online, as doctors ignore warnings”. You can read it here.
The gravity of the news is immense. According to TechCrunch:
Hundreds of hospitals, medical offices and imaging centers are running insecure storage systems, allowing anyone with an internet connection and free-to-download software to access over 1 billion medical images of patients across the world.
About half of all the exposed images, which include X-rays, ultrasounds and CT scans, belong to patients in the United States.
Yet despite warnings from security researchers who have spent weeks alerting hospitals and doctors’ offices to the problem, many have ignored their warnings and continue to expose their patients’ private health information.
“It seems to get worse every day,” said Dirk Schrader, who led the research at Germany-based security firm Greenbone Networks, which has been monitoring the number of exposed servers for the past year.
In mid-September 2019, Greenbone Networks had already uncovered that 400 million medical images were exposed. You can read it here.
Doctors and hospitals use DICOM (Digital Imaging and Communications in Medicine), a standard developed in the mid-1980s, to store and share images. Hospitals and other medical offices store these images on internet-connected servers, and a majority of them are not secured. These insecure servers can be accessed by anyone with freely available DICOM software, and the images and other sensitive details stored on the server can be downloaded without even basic hacking skills.
PACS and DICOM make it easier for medical facilities to store, share and read medical images. Because there are many different medical devices made by many different manufacturers, a standard like DICOM became a necessity: it lets facilities share and transfer images regardless of which vendor produced them.
Almost all facilities use a picture archiving and communication system (PACS), and these PACS systems are connected to the internet. Because the standard is so widely used, IANA reserved ports 104, 2761, 2762 and 11112 for it. The trouble starts when medical facilities plug in the PACS systems and start using them without securing them, and most of them do exactly that, skipping the necessary hardening steps.
Anyone can scan IP addresses and port numbers, look for the open ports, and download the images and other information. The downloaded images can then be viewed with the freely available DICOM software.
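The defensive counterpart to the scanning described above is auditing your own servers for DICOM services that listen on reachable interfaces. The following is an added example, not code from the article or from Greenbone or TechCrunch: it parses constructed listener lines in the shape of `ss -ltn` output and flags the IANA DICOM ports (104 and 11112 for plaintext DICOM, 2761 for dicom-iscl, 2762 for dicom-tls) when they are bound to an address outside the RFC 1918, loopback or link-local ranges. The sample addresses and the severity labels are assumptions for illustration.

```python
import ipaddress

# IANA-registered DICOM ports. Only 2762 (dicom-tls) carries an encrypted
# association; the other three are plaintext DICOM.
DICOM_PORTS = {104: "dicom", 11112: "dicom", 2761: "dicom-iscl", 2762: "dicom-tls"}

# Address ranges treated as "internal": RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample, shaped like `ss -ltn` output (not real data).
# 203.0.113.7 is a documentation range standing in for a public address.
SAMPLE_LISTENERS = """\
LISTEN 0 128 127.0.0.1:104 0.0.0.0:*
LISTEN 0 128 0.0.0.0:11112 0.0.0.0:*
LISTEN 0 128 10.20.0.5:2762 0.0.0.0:*
LISTEN 0 128 203.0.113.7:2762 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def is_exposed(addr: str) -> bool:
    """True if a bind address may be reachable from outside the LAN.
    0.0.0.0 / :: bind every interface, so reachability then depends
    entirely on a firewall; that is treated as exposed here."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_unspecified:
        return True
    return not any(ip in net for net in INTERNAL_NETS)

def audit_listeners(text: str) -> list:
    """Return (addr, port, service, severity) for each DICOM listener."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port_str = fields[3].rsplit(":", 1)
        port = int(port_str)
        if port not in DICOM_PORTS:
            continue
        service = DICOM_PORTS[port]
        if not is_exposed(addr):
            severity = "info"       # only reachable locally or inside the LAN
        elif service == "dicom-tls":
            severity = "medium"     # encrypted, but still needs access control
        else:
            severity = "critical"   # plaintext DICOM reachable from outside
        findings.append((addr, port, service, severity))
    return findings
```

Run the same check against the real `ss -ltn` output of each PACS host; anything rated critical is exactly the kind of server the researchers found with free DICOM tooling.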
The researchers also found 10,000 vulnerabilities on the servers, including 2,000 falling into the ‘high severity’ and ‘critical’ categories. Criminals can use these vulnerabilities to plant malware and turn the systems to their own advantage.
One more worrying factor is doctors ignoring the researchers’ findings and warnings about the breaches. This callousness puts a great many patients at risk. Apart from the images, other sensitive information is also leaked, such as SSNs, names, addresses and phone numbers.
According to Greenbone Networks: Some archives contained so much historical data that it was possible to establish full family trees. One system, belonging to a local medical center, contained over 400 entries for the same family name over a span of 19 years. This type of information is ripe for social engineering.
How do we take care of this problem?