Two thousand servers containing 45 million images of X-rays and other medical scans were left online during the course of the past twelve months, freely accessible by anyone, with no security protections at all.
Or so says research by CybelAngel, which sells a Digital Risk Protection Platform. Not only was the sensitive personal information unsecured, but malicious folk had also accessed those servers and poisoned them with apparent malware, the company added.
"The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files," said David Sygula, a senior cybersecurity analyst at CybelAngel and author of the firm's report.
The research did not name any care providers or medical institutions that were found to fall short of running secure systems.
Among the data - drawn from unprotected online storage devices with ties to hospitals and medical centres all over the planet - were 23,000 images of UK patients, left exposed to the public internet on 90 separate servers. X-rays and CT scans were accessible online thanks to what CybelAngel said was a combination of unsecured NAS storage and the 1980s-vintage DICOM medical data transmission protocol.
While DICOM is adequate for the task demanded of it, its security provisions are merely advisory. The standard itself says:
This Standard assumes that the Application Entities involved in a DICOM interchange are implementing appropriate security policies, including, but not limited to access control, audit trails, physical protection, maintaining the confidentiality and integrity of data, and mechanisms to identify users and their rights to access data. Essentially, each Application Entity must insure that their own local environment is secure before even attempting secure communications with other Application Entities.
Exposed images included, in some cases, "up to 200 lines of metadata per record which included PII (personally identifiable information; name, birth date, address, etc.)" and personal health information including a patient's "height, weight, diagnosis" and so on.
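The PII described above lives in DICOM header elements (patient name, birth date, address) sitting alongside the pixel data. The following added example, which is not part of the report or of any DICOM library, parses a constructed explicit-VR little-endian element stream and shows the de-identification step that such a record needs before it is stored anywhere reachable; the tag values, sample record and the `ANON^PATIENT` replacement strings are assumptions for illustration.

```python
import struct

# VRs whose element header carries a 4-byte length after two reserved bytes.
LONG_LEN_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
# Patient-identifying tags and the placeholder values used to overwrite them.
PII_TAGS = {(0x0010, 0x0010): b"ANON^PATIENT",  # PatientName (PN)
            (0x0010, 0x0030): b"00000000",      # PatientBirthDate (DA)
            (0x0010, 0x1040): b"REMOVED"}       # PatientAddress (LO)

def encode(tag, vr, value):
    """Encode one explicit-VR-LE element, padding odd-length values to even."""
    if len(value) % 2:
        value += b"\x00" if vr in LONG_LEN_VRS else b" "
    head = struct.pack("<HH", *tag) + vr
    if vr in LONG_LEN_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value

def parse(buf):
    """Walk explicit-VR-LE elements; returns a list of (tag, vr, value)."""
    out, i = [], 0
    while i < len(buf):
        group, elem = struct.unpack_from("<HH", buf, i)
        vr = buf[i + 4:i + 6]
        if vr in LONG_LEN_VRS:
            (length,) = struct.unpack_from("<I", buf, i + 8)
            i += 12
        else:
            (length,) = struct.unpack_from("<H", buf, i + 6)
            i += 8
        if i + length > len(buf):
            raise ValueError("truncated element at offset %d" % i)
        out.append(((group, elem), vr, buf[i:i + length]))
        i += length
    return out

def deidentify(buf):
    """Overwrite patient-identifying values; clinical tags and pixels stay."""
    return b"".join(encode(tag, vr, PII_TAGS.get(tag, val))
                    for tag, vr, val in parse(buf))

# Constructed sample record with fictional values (no preamble or file-meta group).
SAMPLE = b"".join([
    encode((0x0008, 0x0060), b"CS", b"CT"),             # Modality
    encode((0x0010, 0x0010), b"PN", b"DOE^JANE"),       # PatientName
    encode((0x0010, 0x0030), b"DA", b"19800101"),       # PatientBirthDate
    encode((0x0010, 0x1040), b"LO", b"1 HIGH STREET"),  # PatientAddress (odd length)
    encode((0x0010, 0x1030), b"DS", b"70.5"),           # PatientWeight
    encode((0x7FE0, 0x0010), b"OW", bytes(4)),          # PixelData
])
```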
Even a specialist firm "advertising a paid service to securely host and manage DICOM images" was leaking around 500,000 files online because nobody had thought to secure its Network File System (NFS) on port 2049, CybelAngel found.
Although CybelAngel said it had used many tools to poke around online and find exposed DICOM data, its report featured screenshots from Shodan and frank findings by researchers who had simply typed common DICOM ports into the insecure kit search engine to see what devices responded.
Aside from the obvious data protection concerns, most worrying was CybelAngel's finding that it was "not the first to have a look at these servers". The report said: "Some of [the servers] included malicious scripts. The infection of unprotected servers is very common and usually done through automation scripts, especially to install Bitcoin (or similar) miners."
The firm recommended that medical orgs "should ensure proper network segmentation of connected medical imaging equipment" as one means of preventing malicious people from accessing things they shouldn't.
Last year Greenbone Networks carried out similar research, popping likely search terms and port numbers through Shodan to discover 24 million people's medical information had been exposed online as 737 million items of DICOM data.