Researchers find 45 million medical images exposed online

Google crawled images containing sensitive patient metadata


Cyber security company CybelAngel has found 45 million unique medical images exposed online. The images, which include sensitive patient metadata, are accessible without a username or password, said the company, adding that some were indexed by search engines.

The report details a six-month investigation into the security of Digital Imaging and Communications in Medicine (DICOM), a standard protocol for storing medical images. Medical equipment uses DICOM to exchange images, which also carry over 200 lines of metadata, including physician and patient name, the patient's date of birth, and medical comments.
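To show where that metadata sits in a file, here is an added example (not code from the report or from CybelAngel) that walks a DICOM Part 10 byte string and returns the identifying fields the article lists, so a file can be audited before it is shared or archived. It assumes the explicit VR little endian encoding; `find_phi`, `el` and the sample values are constructed for illustration.

```python
import struct
# Tags the article names as sensitive: names, date of birth, comments.
PHI_TAGS = {
    (0x0008, 0x0090): "ReferringPhysicianName", (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0030): "PatientBirthDate", (0x0020, 0x4000): "ImageComments",
}
# VRs whose header is 2 reserved bytes followed by a 4-byte length.
LONG_VRS = {b"OB", b"OD", b"OF", b"OL", b"OW", b"SQ", b"UC", b"UN", b"UR", b"UT"}
# Transfer syntaxes this parser does not handle: implicit VR, big endian, deflated.
UNSUPPORTED = {"1.2.840.10008.1.2", "1.2.840.10008.1.2.2", "1.2.840.10008.1.2.1.99"}

def find_phi(data: bytes) -> dict:
    """Return populated PHI tags found in a DICOM Part 10 byte string."""
    if len(data) < 132 or data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    pos, found = 132, {}
    while pos + 8 <= len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        if group == 0xFFFE:          # item or delimiter: no VR, step inside
            pos += 8
            continue
        if vr in LONG_VRS:
            length = int.from_bytes(data[pos + 8:pos + 12], "little")
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if vr == b"SQ":
            continue                 # descend; nested elements use the same loop
        if pos + length > len(data):
            break                    # truncated, or undefined-length pixel data
        text = data[pos:pos + length].decode("ascii", "replace").strip(" \x00")
        pos += length
        if (group, elem) == (0x0002, 0x0010) and text in UNSUPPORTED:
            raise ValueError("unsupported transfer syntax " + text)
        if (group, elem) in PHI_TAGS and text:
            found[PHI_TAGS[(group, elem)]] = text
    return found

def el(group, elem, vr, value):
    """Encode one short-VR element, padded to even length (sample builder)."""
    if len(value) % 2:
        value += b"\x00" if vr == b"UI" else b" "
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value
# Constructed sample, not real patient data.
SAMPLE = (b"\x00" * 128 + b"DICM"
          + el(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1")
          + el(0x0008, 0x0090, b"PN", b"EXAMPLE^PHYSICIAN")
          + el(0x0010, 0x0010, b"PN", b"DOE^JANE")
          + el(0x0010, 0x0030, b"DA", b"19700101")
          + el(0x0020, 0x4000, b"LT", b"constructed comment"))
```

An empty result from `find_phi` means none of the four listed tags is populated; a real de-identification profile covers many more attributes than this example checks.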

Health care workers can store and distribute these images on a picture archiving and communication system (PACS), which is typically a workstation running web server software. The researchers used internet of things (IoT) search engines, including Shodan, to scan for the non-standard ports these servers used. They found 300 open portals online.

"While the manuals indicate steps to secure the portal using encryption and password-restricted access, it is not mandatory and thus not enforced by default," the report said. In some cases, the portals granted the researchers direct administrative access without any login at all, meaning they could view, create, edit, or delete patient data.

"Worse is these web services are unprotected, which allows search engines to index the content and more easily expose it," they added.

CybelAngel's team was also able to watch the medical imaging equipment directly. Scanning for the specific ports these machines used for DICOM communications yielded 3,092 imaging devices communicating online, the largest group of which (819) were in the US.

They obtained access to these devices 88% of the time in 50 random tests and noted the devices transmitted data without encrypting it.

Searching beyond PACS portals and imaging devices revealed a variety of other services exposing DICOM images. CybelAngel found 45 million unique DICOM images hosted on 2,138 unique IP addresses across 67 countries.

The US hosted 9.8 million of these files, the largest proportion in the study. Korea came a close second with 9.6 million files.

Digging into these leaks’ sources on a sample of 18 servers revealed that two-thirds were medical centers or hospitals. Other sources included independent doctors.

One of the leakiest sources was a server advertising a DICOM image-hosting service. The server exposed more than 500,000 unique files via the Network File System (NFS) protocol.

Most devices exposing the service were network attached storage (NAS) devices, which allow access using the FTP or SMB protocols, the report added.

Of the images CybelAngel discovered, 59% are from 2019 or later. Researchers also found 12 servers hosting at least a million unique files each.

Hackers had already compromised some of the servers the company found and were hosting malicious scripts.

CybelAngel warned that exposing images like these puts patients at risk. "The comments made on a medical image can reveal a great deal about your health, such as a serious illness, which could be damaging if your bank, insurance, or employer were made aware of your condition," it noted. "The privacy and security risks include, but are not limited to, blackmail, specifically ransomware."

Criminals have already exploited patient data in this way. In October, someone attempted to blackmail thousands of Finnish therapy patients after stealing their records.
