[BreachExchange] Medical Imaging Leaks Highlight Unhealthy Security Practices

Destry Winant destry at riskbasedsecurity.com
Wed Dec 16 10:42:07 EST 2020


https://www.darkreading.com/application-security/database-security/medical-imaging-leaks-highlight-unhealthy-security-practices/d/d-id/1339723

More than 45 million unique images, such as X-rays and MRI scans, are
accessible to anyone on the Internet, security firm says.

Thousands of storage servers housing more than 45 million medical
images can be accessed from the public Internet, with the majority
using default ports and many showing signs of already being accessed
by malicious actors, cybersecurity firm CybelAngel stated in a
research report published on Dec. 15.

Over a six-month investigation, researchers from the firm discovered
more than 3,000 servers that allowed connections to port 104 — one of
the network ports used by the manufacturers of medical imaging
machines — and presented a banner for the medical file format DICOM. A
test of 50 randomly sampled servers found that 44 — or 88% — allowed
connection attempts, according to the report.

While the largest volume of files was stored on the server of a
Russian health center, the largest number of insecure servers — 819 —
were located in the United States, says David Sygula, senior
cybersecurity analyst at CybelAngel.

These exposed servers "are totally widespread," he says. "There are
some countries that are more secure than others. [While] we saw some
smaller servers that were eye doctors, ... some of the biggest ones
belong to medical centers."

The research underscores that storage servers and cloud storage
services continue to suffer from misconfiguration problems that expose
them to data leaks and breaches. While the healthcare industry has
seen its share of data breaches — such as tens of millions of records
stolen from medical debt collector American Medical Collection Agency
(AMCA) in 2019 — the threat of ransomware attack eclipsed
run-of-the-mill data leaks in 2020.

Yet CybelAngel found that many medical organizations aren't aware that
they are leaking sensitive image files. Despite a focus on securing
data, many companies and industries are still unprepared for
attackers, the researchers state in the report.

An initial scan of the entire IPv4 range allowed the company to detect
20 million unique DICOM images left exposed on approximately 1,100
unprotected servers in 57 countries worldwide. At the end of the
six-month investigation, the firm had found 45 million unique images
on more than 2,100 servers in 67 different countries. Twelve of the
servers had more than a million DICOM files each, with a total of 9.8
million files found in the United States, 9.6 million files found in
South Korea, and 8.8 million files found in Russia, according to the
report.

"[I]ronically more and more personal data is left exposed across the
internet," the report states. "Unfortunately, despite many ... newer
versions of protocols, we still rely on old technology that was not
purposefully built for secure exchanges."

The researchers used a number of Internet-scanning technologies to
find open servers, including looking for publicly accessible DICOM
headers on servers, focusing on other metadata to determine whether
the servers were accessible to the Internet, and scans using services
such as Shodan. The researchers also identified the official Web
portals used by the three major vendors, and a search of the Internet
turned up 300 open portals, the company says in the report.

CybelAngel did not report the issues to the owners of the servers. The
company could not always identify affected organizations, and "since
this is a leak — public images, no hacking involved — versus a data
breach, it is CybelAngel's experience that leaks of this nature don't
necessarily have to be reported," the company says through a
spokesperson.

Unfortunately, there is little that is difficult about Internet-wide
scanning. A variety of companies regularly scan for exposed services.
Under the moniker of Project Sonar, vulnerability management firm
Rapid7 scans 70 different services and protocols to determine the
level of exposure of common ports. The security searching service
Shodan scans the 4.3 billion IP addresses on the IPv4 Internet and
keeps track of which services are available.

Companies need to regularly scan their own networks to be aware of
what services they're exposing to attackers, CybelAngel's Sygula says.

"The first thing is that people need to read the documentation and
find the best way to secure the services," he says. "They should also
be scanning the server and changing the default password."

While the company did not attempt to use default or common passwords
against the services, Sygula predicts that the number of accessible
servers would be much higher. "I think if we did the same survey with
default passwords," he says, "then we would find 10 times the number
of images."
