45 million medical scans from hospitals all over the world left exposed online for anyone to view – some servers were laced with malware

23,000 Britons' data was among unsecured info, finds research


Two thousand servers containing 45 million images of X-rays and other medical scans were left online during the course of the past twelve months, freely accessible by anyone, with no security protections at all.

Or so says research by CybelAngel, which sells a Digital Risk Protection Platform. Not only was the sensitive personal information unsecured, but malicious folk had also accessed those servers and poisoned them with apparent malware, the company added.

"The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files," said David Sygula, a senior cybersecurity analyst at CybelAngel and author of the firm's report.

The research did not name any care providers or medical institutions that were found to fall short of running secure systems.

Among the data - drawn from unprotected online storage devices with ties to hospitals and medical centres all over the planet - were 23,000 images of UK patients, left exposed to the public internet on 90 separate servers. X-rays and CT scans were accessible online thanks to what CybelAngel said was a combination of unsecured NAS storage and the 1980s-vintage DICOM medical data transmission protocol.

While it is adequate for the task demanded of it, DICOM's security protocols are merely advisory. The standard itself says:

This Standard assumes that the Application Entities involved in a DICOM interchange are implementing appropriate security policies, including, but not limited to access control, audit trails, physical protection, maintaining the confidentiality and integrity of data, and mechanisms to identify users and their rights to access data. Essentially, each Application Entity must insure that their own local environment is secure before even attempting secure communications with other Application Entities.

Exposed images included, in some cases, "up to 200 lines of metadata per record which included PII (personally identifiable information; name, birth date, address, etc.)" and personal health information including a patient's "height, weight, diagnosis" and so on.

Even a specialist firm "advertising a paid service to securely host and manage DICOM images" was leaking around 500,000 files online because nobody had thought to secure its Network File System (NFS) on port 2049, Cybelangel found.

Although Cybelangel said it had used many tools to poke around online and find exposed DICOM data, its report featured screenshots from Shodan and frank findings by researchers who had simply typed common DICOM ports into the insecure kit search engine to see what devices responded.

Aside from the obvious data protection concerns, most worrying was CybelAngel's finding that it was "not the first to have a look at these servers". The report said: "Some of [the servers] included malicious scripts. The infection of unprotected servers is very common and usually done through automation scripts, especially to install Bitcoin (or similar) miners."

The firm recommended that medical orgs "should ensure proper network segmentation of connected medical imaging equipment" as one means of preventing malicious people from accessing things they shouldn't.

Last year Greenbone Networks carried out similar research, popping likely search terms and port numbers through Shodan to discover 24 million people's medical information had been exposed online as 737 million items of DICOM data. ®

Similar topics

Broader topics


Other stories you might like

  • Twitter founder Dorsey beats hasty retweet from the board
    We'll see you around the Block

    Twitter has officially entered the post-Dorsey age: its founder and two-time CEO's board term expired Wednesday, marking the first time the social media company hasn't had him around in some capacity.

    Jack Dorsey announced his resignation as Twitter chief exec in November 2021, and passed the baton to Parag Agrawal while remaining on the board. Now that board term has ended, and Dorsey has stepped down as expected. Agrawal has taken Dorsey's board seat; Salesforce co-CEO Bret Taylor has assumed the role of Twitter's board chair. 

    In his resignation announcement, Dorsey – who co-founded and is CEO of Block (formerly Square) – said having founders leading the companies they created can be severely limiting for an organization and can serve as a single point of failure. "I believe it's critical a company can stand on its own, free of its founder's influence or direction," Dorsey said. He didn't respond to a request for further comment today. 

    Continue reading
  • Snowflake stock drops as some top customers cut usage
    You might say its valuation is melting away

    IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.

    For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.

    Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

    Continue reading
  • Amazon investors nuke proposed ethics overhaul and say yes to $212m CEO pay
    Workplace safety, labor organizing, sustainability and, um, wage 'fairness' all struck down in vote

    Amazon CEO Andy Jassy's first shareholder meeting was a rousing success for Amazon leadership and Jassy's bank account. But for activist investors intent on making Amazon more open and transparent, it was nothing short of a disaster.

    While actual voting results haven't been released yet, Amazon general counsel David Zapolsky told Reuters that stock owners voted down fifteen shareholder resolutions addressing topics including workplace safety, labor organizing, sustainability, and pay fairness. Amazon's board recommended voting no on all of the proposals.

    Jassy and the board scored additional victories in the form of shareholder approval for board appointments, executive compensation and a 20-for-1 stock split. Jassy's executive compensation package, which is tied to Amazon stock price and mostly delivered as stock awards over a multi-year period, was $212 million in 2021. 

    Continue reading

Biting the hand that feeds IT © 1998–2022