Researchers find 45 million medical images exposed online

Google crawled images containing sensitive patient metadata

Doctor looking at medical images on a screen

Cyber security company CyberAngel has found 45 million unique medical images exposed online. The images, which include sensitive patient metadata, are accessible without a username or password, said the company, adding that some were indexed by search engines.

The report details a six-month investigation into the security of Digital Imaging and Communications in Medicine (DICOM), a standard protocol for storing medical images. Medical equipment uses DICOM to exchange images, which also carry over 200 lines of metadata, including physician and patient name, the patient's date of birth, and medical comments.

Health care workers can store and distribute these images on a picture archiving and communication system (PACS), which is typically a workstation running web server software. The researchers used internet of things (IoT) search engines, including Shodan, to scan for the non-standard ports these servers used. They found 300 open portals online.

"While the manuals indicate steps to secure the portal using encryption and password-restricted access, it is not mandatory and thus not enforced by default," the report said. In some cases, the portals granted the researchers direct administrative access within any login at all, meaning they could view, create, edit, or delete patient data.

"Worse is these web services are unprotected, which allow search engines to index the content and more easily expose it," they added.

CyberAngel's team was also able to watch the medical imaging equipment directly. Scanning for the specific ports these machines used for DICOM communications yielded 3,092 imaging devices communicating online, most of which (819) were in the US.

They obtained access to these devices 88% of the time in 50 random tests and noted the devices transmitted data without encrypting it.

Searching beyond PACS portals and imaging devices revealed a variety of other services exposing DICOM images. CyberAngel found 45 million unique DICOM images hosted on 2,138 unique IP addresses across 67 countries.

The US hosted 9.8 million of these files, the largest proportion in the study. Korea came a close second with 9.6 million files.

Digging into these leaks’ sources on a sample of 18 servers revealed that two-thirds were medical centers or hospitals. Other sources included independent doctors.

One of the leakiest sources was a server advertising a DICOM image-hosting service. The server exposed more than 500,000 unique files via the Network File System (NFS) protocol.

Most devices exposing the service were network attached storage (NAS) devices, which allow access using the FTP or SMB protocols, the report added.

Of the images CyberAngel discovered, 59% are from 2019 or later. Researchers also found 12 servers hosting at least a million unique files each.

Hackers had already compromised some of the servers the company found and were hosting malicious scripts.

CyberAngel warned that exposing images like these put patients at risk. "The comments made on a medical image can reveal a great deal about your health, such as a serious illness, which could be damaging if your bank, insurance, or employer were made aware of your condition," it noted. "The privacy and security risks includes, but are not limited to blackmail, specifically ransomware."

Criminals have already exploited patient data in this way. In October, someone attempted to blackmail thousands of Finnish therapy patients after stealing their records.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

Botnet targets vulnerable Microsoft Exchange servers
botnets

Botnet targets vulnerable Microsoft Exchange servers

23 Apr 2021
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

22 Apr 2021
What is hacktivism?
hacking

What is hacktivism?

22 Apr 2021
Geico data breach leads to stolen driver’s license numbers
data breaches

Geico data breach leads to stolen driver’s license numbers

21 Apr 2021

Most Popular

REvil threatens to release Apple’s hardware schematics
ransomware

REvil threatens to release Apple’s hardware schematics

21 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
Samsung Galaxy S21 Ultra review: Ultra in every sense of the word
Mobile Phones

Samsung Galaxy S21 Ultra review: Ultra in every sense of the word

22 Apr 2021