Researchers find 45 million medical images exposed online

Google crawled images containing sensitive patient metadata

Doctor looking at medical images on a screen

Cyber security company CyberAngel has found 45 million unique medical images exposed online. The images, which include sensitive patient metadata, are accessible without a username or password, said the company, adding that some were indexed by search engines.

The report details a six-month investigation into the security of Digital Imaging and Communications in Medicine (DICOM), a standard protocol for storing medical images. Medical equipment uses DICOM to exchange images, which also carry over 200 lines of metadata, including physician and patient name, the patient's date of birth, and medical comments.

Health care workers can store and distribute these images on a picture archiving and communication system (PACS), which is typically a workstation running web server software. The researchers used internet of things (IoT) search engines, including Shodan, to scan for the non-standard ports these servers used. They found 300 open portals online.

"While the manuals indicate steps to secure the portal using encryption and password-restricted access, it is not mandatory and thus not enforced by default," the report said. In some cases, the portals granted the researchers direct administrative access within any login at all, meaning they could view, create, edit, or delete patient data.

"Worse is these web services are unprotected, which allow search engines to index the content and more easily expose it," they added.

CyberAngel's team was also able to watch the medical imaging equipment directly. Scanning for the specific ports these machines used for DICOM communications yielded 3,092 imaging devices communicating online, most of which (819) were in the US.

They obtained access to these devices 88% of the time in 50 random tests and noted the devices transmitted data without encrypting it.

Searching beyond PACS portals and imaging devices revealed a variety of other services exposing DICOM images. CyberAngel found 45 million unique DICOM images hosted on 2,138 unique IP addresses across 67 countries.

The US hosted 9.8 million of these files, the largest proportion in the study. Korea came a close second with 9.6 million files.

Digging into these leaks’ sources on a sample of 18 servers revealed that two-thirds were medical centers or hospitals. Other sources included independent doctors.

One of the leakiest sources was a server advertising a DICOM image-hosting service. The server exposed more than 500,000 unique files via the Network File System (NFS) protocol.

Most devices exposing the service were network attached storage (NAS) devices, which allow access using the FTP or SMB protocols, the report added.

Of the images CyberAngel discovered, 59% are from 2019 or later. Researchers also found 12 servers hosting at least a million unique files each.

Hackers had already compromised some of the servers the company found and were hosting malicious scripts.

CyberAngel warned that exposing images like these put patients at risk. "The comments made on a medical image can reveal a great deal about your health, such as a serious illness, which could be damaging if your bank, insurance, or employer were made aware of your condition," it noted. "The privacy and security risks includes, but are not limited to blackmail, specifically ransomware."

Criminals have already exploited patient data in this way. In October, someone attempted to blackmail thousands of Finnish therapy patients after stealing their records.

Featured Resources

Unleashing the power of AI initiatives with the right infrastructure

What key infrastructure requirements are needed to implement AI effectively?

Download now

Achieve today. Plan tomorrow. Making the hybrid multi-cloud journey

A Veritas webinar on implementing a hybrid multi-cloud strategy

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

The workers' experience report

How technology can spark motivation, enhance productivity and strengthen security

Download now

Recommended

What is e-safety?
e safety

What is e-safety?

27 Jan 2021
Your essential guide to internet security
Security

Your essential guide to internet security

27 Jan 2021
Mimecast links breach to SolarWinds hackers
Security

Mimecast links breach to SolarWinds hackers

27 Jan 2021
TikTok vulnerability exposed private user data
data protection

TikTok vulnerability exposed private user data

26 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
Hackers are actively exploiting three Apple iOS flaws
exploits

Hackers are actively exploiting three Apple iOS flaws

27 Jan 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

26 Jan 2021