45 Million Medical Images Left Exposed Online

45 Million Medical Images Left Exposed Online

A six-month investigation by CybelAngel discovered unsecured sensitive patient data available for third parties to access for blackmail, fraud or other nefarious purposes.

More than 45 million medical images—and the personally identifiable information (PII) and personal healthcare information (PHI) associated with them–have been left exposed online due to unsecured technology that’s typically used to store, send and receive medical data, new research has found.

A team from CybelAngel Analyst Team uncovered sensitive medical records and images–including X-rays CT scans and MRI images—that anyone can access online in a six-month investigation researchers conducted into network attached storage (NAS) and Digital Imaging and Communications in Medicine (DICOM).

NAS is an inexpensive storage solution used mainly by small companies or individuals to store data rather than paying for more expensive dedicated servers or virtual cloud servers, while DICOM is a global standard used by healthcare professionals to transmit medical images.

[Editor’s Note: Threatpost has published an exclusive FREE eBook, sponsored by ZeroNorth. The eBook, “Healthcare Security Woes Balloon in a Covid-Era World”,examines the pandemic’s current and lasting impact on cybersecurity. Get the whole neatly-packaged story and DOWNLOAD the eBook now – on us!]

“CybelAngel Analyst Team detected medical devices leaking more than 45 million unique imaging files on unprotected connected storage devices with ties to hospitals and medical centers worldwide,” David Sygula, senior cybersecurity analyst at CybelAngel, said in the report Full Body Exposure, adding that leaks were found in data across 67 countries.

Free eBook on Healthcare and CybersecurityThe findings are concerning for a number of reasons. Threat actors can violate people’s privacy by selling the data on the dark web, where it is a valuable commodity, researchers said. They also can use the images and data to blackmail patients or to scam the medical system by using patient data to set up “ghost clinics” and “ghost patients” to commit fraud.

Moreover, privacy concerns over patient data are especially critical as the world is currently in the midst of a pandemic in which PII and PHI can have major implications for patient lives and the lives of those they’ve been in contact with. Threat actors or those with bad intentions also can use access to the data to modify someone’s medical records with ill intent, researchers noted.

CybelAngel tools scanned approximately 4.3 billion IP addresses to discover the images, which were left exposed on more than 2,140 unprotected servers across 67 countries including the United States, United Kingdom, France and Germany, according to the report.

Images typically included up to 200 lines of metadata per record which included the name, birth date and address of the patient as well as his or her height, weight, diagnosis and other PHI. Anyone could access the images and data without the need for a username or password; in fact, in some cases, login portals to the systems storing the info accepted blank usernames and passwords, researchers said.

“The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files,” Sygula said in a press statement. “This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals.”

Researchers investigated the route medical images and data take from devices such as MRI, CT scanners and X-rays using DICOM through to a centralized Picture Archiving and Communication System (PACs), which stores and distributes the images.

The PACS workstations usually include DICOM viewers, which can exist in the form of web applications, as well as organizational and collaborative tools. While these means of communication and transfer are meant to be secure, researchers discovered that security was “insufficient,” at best.

“To make matters worse, the existing DICOM application security measures are not mandatory and are not implemented by default,” Sygula wrote.

In most cases, the leak involved a NAS device that would expose data in a number of ways. These include unsecured ports allowing FTP and SMB protocols to provide unauthorized third parties access to devices and their data, as well as Dynamic DNS (DDNS) granting outsiders access to unsecured web services.

CybelAngel provided some simple advice for healthcare facilities to avoid exposing sensitive data to those unauthorized to view it. Researchers suggest they ensure that pandemic response not exceed current security policies, as well as maintain proper network segmentation of connected medical imaging equipment.

CybelAngel also suggests that healthcare facilities conduct real-world audit of third-party partners to ensure that they also are in compliance with protocols so data isn’t leaked inadvertently in transit, according to the report.

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!

Suggested articles