David Sygula at CybelAngel explains how unsecured medical images, and the metadata attached to them, are a problem for patients and healthcare companies alike
The healthcare sector has long been victimised by ruthless cybercriminals who see it as an easy source of personal data. Medical records are a popular commodity on the black market thanks to their universal application in everything from targeted phishing to insurance fraud. At the same time, the industry has a reputation as an easy mark amongst criminals due to a combination of tight budgets and limited access to resources.
Most organisations, especially frontline providers, are understandably focused on providing patient care rather than disrupting operations for required IT security updates and developments. As a result, many practices rely on devices, operating systems and standards that are many years behind and vulnerable to malicious cyber activity. As just one example, our research team recently investigated the way unsecured protocols for file sharing are leaving thousands of patients exposed to criminals.
The problem with unsecured images
Our team researched the use of Digital Imaging and Communications in Medicine (DICOM), a standard that defines both an image file format and a network protocol for storing and transmitting medical images between devices such as scanners, print servers and workstations, as well as other assets like picture archiving and communication systems (PACS).
DICOM has been widely used for more than 30 years and is an integral part of the way many healthcare operations share images regularly, particularly larger hospitals. The popularity of the standard is in part thanks to the interoperability it provides between devices from different manufacturers.
The standard's age means that it predates most of today's common security controls. DICOM has since been extended with security provisions over the years, including transport encryption over TLS and profiles for de-identifying patient attributes.
These measures are optional, though: the standard does not mandate them, and products rarely enable them by default. An out-of-the-box DICOM node listens on its port, identifies peers only by their Application Entity (AE) titles, and carries both header data and pixels in cleartext. As a result, many healthcare practitioners have continued to rely on DICOM for sharing medical images on a daily basis while leaving sensitive medical records completely exposed to threat actors.
How common are unsecured medical images?
To understand the scale of the problem, our investigators set about hunting for accessible DICOM images using commonly available search resources. The result was startling – our team easily discovered more than 45 million unsecured images online, including X-rays, MRI and CT scans. Most of the images came from large hospitals around the world, but there were many from smaller operations such as independent doctors and dentists.
Our investigators were able to access the vast majority of these images without any kind of security challenge. In some instances, it was possible to log in to web portals by simply entering blank credentials. We also found data was frequently transmitted as unencrypted plain text, leaving it completely open to anyone who discovered it.
On their own, the pixels of an X-ray or MRI are of little value to a profit-driven cybercriminal. The real risk comes from the attached metadata: a DICOM file's header routinely carries a couple of hundred data elements alongside the image, and these usually include the patient's name, identifiers, date of birth and other details of the care episode, providing large amounts of personally identifiable information (PII) that can be exploited by criminals.
Accessing unsecured images via DICOM requires very little skill, making it one of the lowest-hanging fruits for criminals seeking to steal medical records.
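To make the metadata point concrete, here is a small self-contained Python reader, added for this page (it is not CybelAngel's code, and not a substitute for pydicom or DCMTK). It builds a constructed Explicit VR Little Endian CT file for a fictitious patient, then pulls the identifying header elements out without touching the pixel data. The instance UID, institution and all patient values are made up, and the parser deliberately stops at anything beyond Explicit VR Little Endian top-level elements.

```python
"""Toy DICOM Part 10 reader: shows that patient identifiers live in the cleartext
header, separate from the pixel data.  Added example, not CybelAngel's code.
Only Explicit VR Little Endian files with top-level elements are handled."""
import struct

EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"
# VRs whose length field is 4 bytes after 2 reserved bytes (PS3.5 section 7.1.2)
LONG_VRS = {"OB", "OD", "OF", "OL", "OV", "OW", "SQ", "SV", "UC", "UN", "UR", "UT", "UV"}

# Header tags that identify the patient or the care setting (a small subset of the
# attributes DICOM's own de-identification profile, PS3.15 Annex E, removes)
PII_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName",
}
PIXEL_DATA = (0x7FE0, 0x0010)


def _elem(tag, vr, value):
    """Encode one Explicit VR Little Endian data element (used to build the sample)."""
    if len(value) % 2:                      # values are padded to even length
        value += b"\x00" if vr == "UI" else b" "
    group, element = tag
    head = struct.pack("<HH", group, element) + vr.encode("ascii")
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def build_sample_file():
    """A constructed CT image for a fictitious patient; not real data."""
    meta = (_elem((0x0002, 0x0001), "OB", b"\x00\x01")
            + _elem((0x0002, 0x0002), "UI", b"1.2.840.10008.5.1.4.1.1.2")   # CT Image Storage
            + _elem((0x0002, 0x0003), "UI", b"1.2.3.4.5.6.7.8")              # ASSUMPTION: dummy instance UID
            + _elem((0x0002, 0x0010), "UI", EXPLICIT_VR_LE.encode("ascii")))
    meta = _elem((0x0002, 0x0000), "UL", struct.pack("<I", len(meta))) + meta
    dataset = (_elem((0x0008, 0x0060), "CS", b"CT")
               + _elem((0x0008, 0x0080), "LO", b"EXAMPLE HOSPITAL")       # constructed
               + _elem((0x0008, 0x0090), "PN", b"SMITH^JOHN")             # constructed
               + _elem((0x0010, 0x0010), "PN", b"DOE^JANE")               # constructed
               + _elem((0x0010, 0x0020), "LO", b"MRN-000123")             # constructed
               + _elem((0x0010, 0x0030), "DA", b"19700101")               # constructed
               + _elem(PIXEL_DATA, "OW", b"\x00" * 8))                    # 2x2 16-bit "image"
    return b"\x00" * 128 + b"DICM" + meta + dataset


def _text(elems, tag):
    """Decode a string-valued element, dropping DICOM's trailing padding."""
    if tag not in elems:
        return None
    return elems[tag][1].decode("ascii").rstrip(" \x00")


def parse_dicom(data):
    """Return {(group, element): (vr, raw_value)} for every top-level element."""
    if data[128:132] != b"DICM":
        raise ValueError("no DICM magic at offset 128: not a DICOM Part 10 file")
    elems, pos = {}, 132
    while pos + 8 <= len(data):
        group, element = struct.unpack_from("<HH", data, pos)
        # the file meta group is always Explicit VR LE; the dataset may not be
        if group != 0x0002 and _text(elems, (0x0002, 0x0010)) != EXPLICIT_VR_LE:
            raise NotImplementedError("only Explicit VR Little Endian datasets are handled here")
        vr = data[pos + 4:pos + 6].decode("ascii")
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:
            raise NotImplementedError("undefined-length (sequence) elements are not handled here")
        elems[(group, element)] = (vr, data[pos:pos + length])
        pos += length
    return elems


def extract_pii(data):
    """The identifiers an attacker gets from an exposed file; the image bytes are not needed."""
    elems = parse_dicom(data)
    return {name: _text(elems, tag) for tag, name in PII_TAGS.items() if tag in elems}


def pixel_data_size(data):
    """How much of the file is actually image: here 8 bytes against a header full of PII."""
    return len(parse_dicom(data)[PIXEL_DATA][1])


if __name__ == "__main__":
    sample = build_sample_file()
    print(extract_pii(sample))
    print("pixel bytes:", pixel_data_size(sample))
```

Running it prints the five identifying fields recovered from the header; nothing about the pixel data had to be decoded to get them, which is why a leaked study is a records breach before it is an image leak.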
Medical breaches hurt patients and providers alike
Medical data breaches have become increasingly common in recent years, with many high-profile incidents involving the records of several thousand patients. In the UK, healthcare is one of the industries most likely to report a breach to the ICO, behind only finance and education.
The theft of medical records can have huge consequences for the patients involved. Victims may be exposed to targeted phishing attacks or be caught up in identity theft scams, including financial and insurance fraud. Being the victim of cybercrime can also severely impact a victim’s psychological wellbeing, which is particularly dangerous when they may already be suffering from serious health concerns.
Serious incidents will also have a significant impact on the healthcare organisation. With the healthcare sector under constant observation by regulators, privacy compliance issues are a particular concern.
Incidents involving data subjects in the EU fall under the GDPR, with fines of up to four percent of global annual turnover or €20 million, whichever is higher (£17.5 million under the UK GDPR). In the US, HIPAA civil penalties for healthcare privacy violations range from $100 to $50,000 per violation, depending on the level of culpability.
How can healthcare providers keep patient data safe?
The healthcare sector will continue to be a favourite target of cybercriminals for the foreseeable future. Indeed, the COVID-19 pandemic has meant that criminals are paying more attention to the sector than ever before, either to steal valuable vaccine research or simply to take advantage of more vulnerable remote operations.
However, many practitioners continue to leave both themselves and their patients vulnerable to attack. As long as widely used standards like DICOM remain poorly secured, criminals will continue to see the sector as an easy target.
Healthcare organisations must get the basics right for DICOM and the other processes they rely on every day. The first basic is exposure: a PACS or modality's DICOM listener (conventionally TCP port 104 or 11112) and any associated web viewer should not be reachable from the public internet at all, but sit behind a firewall or VPN, which makes initial access far harder for criminals. Where DICOM must cross a network boundary, it should be restricted to known peer addresses and AE titles. Second, all traffic must be encrypted in transit, using DICOM's TLS profile for the protocol and HTTPS for web portals, so that an attacker on the path cannot read or hijack sensitive data. Third, continuous scanning of the organisation's external footprint can help plug data leaks before they become devastating breaches.
In addition, every application must be protected with strong, unique passwords; IT and security teams must ensure that there are no blank, weak or default credentials in use on PACS web portals, viewer accounts or device administration interfaces, since these were exactly the conditions our investigators found.
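The check a practitioner would run after locking a DICOM port down is the association handshake itself, which is what a C-ECHO (DCMTK's echoscu) starts with. The following Python is an added example, not CybelAngel's tooling: it builds an A-ASSOCIATE-RQ for the Verification SOP Class, classifies the server's reply, and includes constructed A-ASSOCIATE-AC and A-ASSOCIATE-RJ PDUs so the classifier runs offline. The implementation class UID is a placeholder. What it makes visible is that the request carries no credential of any kind, only the called and calling AE titles, so a PACS that answers "accepted" to an unknown calling title is open to anyone who can reach the port. Run `probe()` only against systems you are authorised to test.

```python
"""Association-level probe for a DICOM port: builds the A-ASSOCIATE-RQ that a
C-ECHO starts with and classifies the reply.  Added example, not CybelAngel's
code; DCMTK's echoscu does the same job in practice.  Only run probe() against
systems you are authorised to test."""
import socket
import struct

APP_CONTEXT = "1.2.840.10008.3.1.1.1"     # DICOM Application Context Name
VERIFICATION_SOP = "1.2.840.10008.1.1"    # Verification SOP Class (C-ECHO)
IMPLICIT_VR_LE = "1.2.840.10008.1.2"      # transfer syntax every SCP must support
IMPL_CLASS_UID = "1.2.3.4.5.6.7.8"        # ASSUMPTION: placeholder implementation UID
MAX_PDU = 16384

# A-ASSOCIATE-RJ (source, reason) codes, PS3.8 Table 9-21
RJ_REASON = {
    (1, 1): "no reason given", (1, 2): "application context not supported",
    (1, 3): "calling AE title not recognised", (1, 7): "called AE title not recognised",
    (2, 1): "no reason given (ACSE)", (2, 2): "protocol version not supported",
    (3, 1): "temporary congestion", (3, 2): "local limit exceeded",
}


def _item(item_type, payload):
    """Variable item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae(title):
    if not 1 <= len(title) <= 16:
        raise ValueError("AE titles are 1 to 16 characters")
    return title.encode("ascii").ljust(16)   # space-padded, PS3.8 section 9.3.2


def build_associate_rq(called_ae, calling_ae, abstract_syntax=VERIFICATION_SOP):
    """Note what is NOT here: no user name, password or key.  The AE titles are
    all a server has to decide on unless TLS client authentication is configured."""
    pres_ctx = bytes([1, 0, 0, 0]) + _item(0x30, abstract_syntax.encode()) + _item(0x40, IMPLICIT_VR_LE.encode())
    user_info = _item(0x51, struct.pack(">I", MAX_PDU)) + _item(0x52, IMPL_CLASS_UID.encode())
    body = (struct.pack(">H", 1) + b"\x00\x00" + _ae(called_ae) + _ae(calling_ae) + b"\x00" * 32
            + _item(0x10, APP_CONTEXT.encode()) + _item(0x20, pres_ctx) + _item(0x50, user_info))
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def classify_reply(pdu):
    """Map the first PDU the server sends back to an accept/reject/abort verdict."""
    if len(pdu) < 6:
        raise ValueError("PDU shorter than its 6-byte header")
    pdu_type = pdu[0]
    if pdu_type == 0x02:                       # A-ASSOCIATE-AC
        results, pos = [], 6 + 68              # skip version, reserved and AE title fields
        while pos + 4 <= len(pdu):
            item_type, _, item_len = struct.unpack_from(">BBH", pdu, pos)
            if item_type == 0x21:              # presentation context (AC): result byte at offset 6
                results.append(pdu[pos + 6])
            pos += 4 + item_len
        return {"status": "accepted", "contexts_accepted": results.count(0),
                "contexts_refused": len(results) - results.count(0)}
    if pdu_type == 0x03:                       # A-ASSOCIATE-RJ
        result, source, reason = pdu[7], pdu[8], pdu[9]
        return {"status": "rejected", "permanent": result == 1,
                "reason": RJ_REASON.get((source, reason), "unknown (%d,%d)" % (source, reason))}
    if pdu_type == 0x07:                       # A-ABORT
        return {"status": "aborted", "source": pdu[8], "reason": pdu[9]}
    return {"status": "unexpected", "pdu_type": pdu_type}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-PDU")
        buf += chunk
    return buf


def _read_pdu(sock):
    head = _recv_exact(sock, 6)
    return head + _recv_exact(sock, struct.unpack(">I", head[2:6])[0])


def probe(host, port, called_ae="ANY-SCP", calling_ae="PROBE", timeout=5.0):
    """Live check against a PACS you own: does it accept an association from an
    unknown calling AE title?  'accepted' means anyone who can reach the port can
    start talking DICOM to it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(called_ae, calling_ae))
        verdict = classify_reply(_read_pdu(sock))
        if verdict["status"] == "accepted":
            sock.sendall(struct.pack(">BBI", 0x05, 0, 4) + b"\x00" * 4)   # A-RELEASE-RQ
        return verdict


# Constructed replies so the classifier can be exercised offline (not captured traffic).
def sample_associate_ac(result=0):
    body = (struct.pack(">H", 1) + b"\x00\x00" + b" " * 32 + b"\x00" * 32
            + _item(0x10, APP_CONTEXT.encode())
            + _item(0x21, bytes([1, 0, result, 0]) + _item(0x40, IMPLICIT_VR_LE.encode()))
            + _item(0x50, _item(0x51, struct.pack(">I", MAX_PDU))))
    return struct.pack(">BBI", 0x02, 0, len(body)) + body


def sample_associate_rj(result=1, source=1, reason=3):
    return struct.pack(">BBI", 0x03, 0, 4) + bytes([0, result, source, reason])
```

A server that is configured correctly answers `probe()` from an unknown calling title with a permanent rejection whose reason is "calling AE title not recognised", or never answers at all because the port is not reachable from where you ran it. Either of those is the result to aim for; "accepted" against an internet-facing address is the finding described in this article.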
Getting these basics right will stop the vast majority of opportunistic attacks on the sector. Organisations can further improve their security with a more proactive approach: regularly scanning external sources such as social media and dark and open web forums for signs of a breach helps identify leaks quickly, giving the organisation a head start in closing the exposure and notifying patients and regulators to reduce the harm.
CybelAngel is a leading digital risk protection platform that detects and resolves external threats before these wreak havoc.