IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Researchers find 45 million medical images exposed online

Google crawled images containing sensitive patient metadata

Doctor looking at medical images on a screen

Cyber security company CyberAngel has found 45 million unique medical images exposed online. The images, which include sensitive patient metadata, are accessible without a username or password, said the company, adding that some were indexed by search engines.

The report details a six-month investigation into the security of Digital Imaging and Communications in Medicine (DICOM), a standard protocol for storing medical images. Medical equipment uses DICOM to exchange images, which also carry over 200 lines of metadata, including physician and patient name, the patient's date of birth, and medical comments.

Health care workers can store and distribute these images on a picture archiving and communication system (PACS), which is typically a workstation running web server software. The researchers used internet of things (IoT) search engines, including Shodan, to scan for the non-standard ports these servers used. They found 300 open portals online.

"While the manuals indicate steps to secure the portal using encryption and password-restricted access, it is not mandatory and thus not enforced by default," the report said. In some cases, the portals granted the researchers direct administrative access within any login at all, meaning they could view, create, edit, or delete patient data.

"Worse is these web services are unprotected, which allow search engines to index the content and more easily expose it," they added.

CyberAngel's team was also able to watch the medical imaging equipment directly. Scanning for the specific ports these machines used for DICOM communications yielded 3,092 imaging devices communicating online, most of which (819) were in the US.

They obtained access to these devices 88% of the time in 50 random tests and noted the devices transmitted data without encrypting it.

Searching beyond PACS portals and imaging devices revealed a variety of other services exposing DICOM images. CyberAngel found 45 million unique DICOM images hosted on 2,138 unique IP addresses across 67 countries.

The US hosted 9.8 million of these files, the largest proportion in the study. Korea came a close second with 9.6 million files.

Digging into these leaks’ sources on a sample of 18 servers revealed that two-thirds were medical centers or hospitals. Other sources included independent doctors.

One of the leakiest sources was a server advertising a DICOM image-hosting service. The server exposed more than 500,000 unique files via the Network File System (NFS) protocol.

Most devices exposing the service were network attached storage (NAS) devices, which allow access using the FTP or SMB protocols, the report added.

Of the images CyberAngel discovered, 59% are from 2019 or later. Researchers also found 12 servers hosting at least a million unique files each.

Hackers had already compromised some of the servers the company found and were hosting malicious scripts.

CyberAngel warned that exposing images like these put patients at risk. "The comments made on a medical image can reveal a great deal about your health, such as a serious illness, which could be damaging if your bank, insurance, or employer were made aware of your condition," it noted. "The privacy and security risks includes, but are not limited to blackmail, specifically ransomware."

Criminals have already exploited patient data in this way. In October, someone attempted to blackmail thousands of Finnish therapy patients after stealing their records.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Best free malware removal tools 2022
Security

Best free malware removal tools 2022

22 Jun 2022
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

16 Jun 2022
What is shoulder surfing?
social engineering

What is shoulder surfing?

10 Jun 2022
CIAM buyer’s guide
Whitepaper

CIAM buyer’s guide

6 Jun 2022

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022