Researchers find 45 million medical images exposed online

Google crawled images containing sensitive patient metadata

Doctor looking at medical images on a screen

Cyber security company CyberAngel has found 45 million unique medical images exposed online. The images, which include sensitive patient metadata, are accessible without a username or password, said the company, adding that some were indexed by search engines.

The report details a six-month investigation into the security of Digital Imaging and Communications in Medicine (DICOM), a standard protocol for storing medical images. Medical equipment uses DICOM to exchange images, which also carry over 200 lines of metadata, including physician and patient name, the patient's date of birth, and medical comments.

Health care workers can store and distribute these images on a picture archiving and communication system (PACS), which is typically a workstation running web server software. The researchers used internet of things (IoT) search engines, including Shodan, to scan for the non-standard ports these servers used. They found 300 open portals online.

"While the manuals indicate steps to secure the portal using encryption and password-restricted access, it is not mandatory and thus not enforced by default," the report said. In some cases, the portals granted the researchers direct administrative access within any login at all, meaning they could view, create, edit, or delete patient data.

"Worse is these web services are unprotected, which allow search engines to index the content and more easily expose it," they added.

CyberAngel's team was also able to watch the medical imaging equipment directly. Scanning for the specific ports these machines used for DICOM communications yielded 3,092 imaging devices communicating online, most of which (819) were in the US.

They obtained access to these devices 88% of the time in 50 random tests and noted the devices transmitted data without encrypting it.

Searching beyond PACS portals and imaging devices revealed a variety of other services exposing DICOM images. CyberAngel found 45 million unique DICOM images hosted on 2,138 unique IP addresses across 67 countries.

The US hosted 9.8 million of these files, the largest proportion in the study. Korea came a close second with 9.6 million files.

Digging into these leaks’ sources on a sample of 18 servers revealed that two-thirds were medical centers or hospitals. Other sources included independent doctors.

One of the leakiest sources was a server advertising a DICOM image-hosting service. The server exposed more than 500,000 unique files via the Network File System (NFS) protocol.

Most devices exposing the service were network attached storage (NAS) devices, which allow access using the FTP or SMB protocols, the report added.

Of the images CyberAngel discovered, 59% are from 2019 or later. Researchers also found 12 servers hosting at least a million unique files each.

Hackers had already compromised some of the servers the company found and were hosting malicious scripts.

CyberAngel warned that exposing images like these put patients at risk. "The comments made on a medical image can reveal a great deal about your health, such as a serious illness, which could be damaging if your bank, insurance, or employer were made aware of your condition," it noted. "The privacy and security risks includes, but are not limited to blackmail, specifically ransomware."

Criminals have already exploited patient data in this way. In October, someone attempted to blackmail thousands of Finnish therapy patients after stealing their records.

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

Russia's "politically motivated" REvil raid could be used as leverage, experts warn
ransomware

Russia's "politically motivated" REvil raid could be used as leverage, experts warn

17 Jan 2022
Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp
phishing

Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp

21 Dec 2021
Five things to consider before choosing an MFA solution
Security

Five things to consider before choosing an MFA solution

17 Dec 2021
Australia and US sign CLOUD Act data-sharing deal to support criminal investigations
cyber crime

Australia and US sign CLOUD Act data-sharing deal to support criminal investigations

16 Dec 2021

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022