Unsecured medical images: The self-destructive threat
The primary mission of all healthcare professionals is to protect the health and wellbeing of their patients. However, they also have a duty of care to safeguard their patients’ sensitive personal data and prevent it from falling into the hands of ruthless and exploitative criminals.
Many cybercriminals target the healthcare sector as an easy source of personal data that can be sold on the black market and used in other criminal acts. At the same time, many standard practices, such as the sharing of medical images, are continually leaving sensitive records exposed to cyberattacks.
Why is medical data sought after?
Medical records have long been a favourite target of cybercriminals as they are an easy way to turn a quick profit on underground dark web forums. Attackers will commonly sell on records to other criminals as a commodity item, often in huge databases containing the details of thousands of individuals.
The personal details contained in an average medical record can be used to fuel further attacks, with names, email addresses and other details used to craft targeted phishing emails. Harvested details are also frequently used to commit fraud and identity theft, including health insurance fraud. High-net-worth individuals may also be the victims of more elaborate schemes such as blackmail. Criminals may, for example, threaten an individual with the release of information relating to a medical diagnosis that would damage their career or insurance prospects.
Beyond this, there is a psychological impact for those affected by cybercrime and identity theft. The aftermath can have a severe impact on a patient’s wellbeing, particularly if they are already suffering from a serious condition.
How damaging is medical data theft?
The theft of medical data can have far-reaching consequences for the organisation involved. Regulatory fines are one of the biggest concerns, as regulators can levy potentially crippling penalties on a sector that is already struggling with tight budgets. If the data of EU citizens is involved, the GDPR allows fines of up to four percent of global annual turnover or €20 million (£17.5 million under the UK GDPR), whichever is higher. In the US, HIPAA civil penalties for healthcare privacy violations range from $100 to $50,000 per violation, with annual caps per category of violation.
Organisations and individual practitioners may also face legal action from victims suing for financial damages and loss of privacy.
How are unsecured images accessed?
Any organisation where resources are scarce, and the value of information they hold is high, is extremely attractive to cybercriminals. Medical centres tick both of these boxes and have earned an unfortunate reputation among criminals as representing an easy mark. Cyber attackers know that many healthcare providers operate under limited security budgets, particularly those in the public sector such as NHS Trusts. It is common to find providers using outdated devices, software and operating systems, or using weak or incorrectly configured protocols. Attackers callously count on the fact that providers will lack either the budget or the required downtime to address these issues, as patient care always takes priority.
One of the most striking exposures we have investigated involves Digital Imaging and Communications in Medicine (DICOM), the common standard for storing and transmitting medical images between devices such as scanners, archives (PACS) and viewing workstations. DICOM was first published in 1993 and so predates most modern cybersecurity protections.
The security risk here is not the pixel data but the metadata attached to it. A DICOM file carries a header of hundreds of data elements (tags), which in a typical image include the patient's name, patient ID, date of birth, institution and referring physician: exactly the personally identifiable information (PII) prized by criminals.
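To make the metadata exposure concrete, the following added example (not part of the original article) is a minimal reader for the DICOM Part 10 file format restricted to the explicit VR little endian transfer syntax. It builds a constructed sample file with fictitious patient details, lists the PII tags found in its header, and writes a de-identified copy with those tags blanked while the pixel data is preserved. The tag list, the sample values and the made-up instance UID are assumptions made for the illustration; the tag numbers themselves are the standard ones.

```python
import struct

# VRs whose explicit-VR encoding has a 2-byte reserved field and a 4-byte length (PS3.5).
LONG_VRS = {"OB", "OW", "OF", "OD", "OL", "OV", "SQ", "UC", "UR", "UT", "UN", "SV", "UV"}
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"

# A subset of the tags that carry identity (assumption: enough to illustrate the point;
# the full DICOM confidentiality profile lists many more, including private tags).
PII_TAGS = {
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x0040): "PatientSex",
    (0x0010, 0x1040): "PatientAddress",
    (0x0010, 0x2154): "PatientTelephoneNumbers",
}


def encode_element(group, elem, vr, value):
    """Encode one data element in explicit VR little endian; values are padded to even length."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:
        value += b"\x00" if vr in ("UI", "OB") else b" "
    if vr in LONG_VRS:
        return struct.pack("<HH2sxxI", group, elem, vr.encode(), len(value)) + value
    return struct.pack("<HH2sH", group, elem, vr.encode(), len(value)) + value


def build_file(elements):
    """Assemble a Part 10 file: 128-byte preamble, 'DICM', file meta group, then the data set."""
    items = sorted((t, v) for t, v in elements.items() if t != (0x0002, 0x0000))
    meta = b"".join(encode_element(g, e, vr, v) for (g, e), (vr, v) in items if g == 0x0002)
    body = b"".join(encode_element(g, e, vr, v) for (g, e), (vr, v) in items if g != 0x0002)
    group_len = encode_element(0x0002, 0x0000, "UL", struct.pack("<I", len(meta)))
    return b"\x00" * 128 + b"DICM" + group_len + meta + body


def read_elements(data):
    """Parse a Part 10 file into {(group, elem): (vr, raw_value)}. Sequences are not descended into."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file (missing DICM magic)")
    pos, elements = 132, {}
    while pos < len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        vr = vr.decode("ascii")
        if vr in LONG_VRS:
            length = struct.unpack_from("<I", data, pos + 8)[0]
            pos += 12
        else:
            length = struct.unpack_from("<H", data, pos + 6)[0]
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element (sequence) not supported by this reader")
        value = data[pos:pos + length]
        pos += length
        elements[(group, elem)] = (vr, value)
        if (group, elem) == (0x0002, 0x0010) and value.rstrip(b"\x00").decode() != EXPLICIT_VR_LE:
            raise ValueError("only explicit VR little endian is supported")
    return elements


def find_pii(elements):
    """Return the decoded values of every PII tag present in the header, keyed by attribute name."""
    found = {}
    for tag, name in PII_TAGS.items():
        if tag in elements:
            found[name] = elements[tag][1].decode("ascii", "replace").strip(" \x00")
    return found


def deidentify(data):
    """Rewrite the file with each PII tag blanked (dates and coded strings emptied), pixel data intact."""
    scrubbed = {}
    for tag, (vr, value) in read_elements(data).items():
        if tag in PII_TAGS:
            value = b"" if vr in ("DA", "CS") else b"ANONYMIZED"
        scrubbed[tag] = (vr, value)
    return build_file(scrubbed)


# Constructed sample: a 2x2 CT slice with fictitious identity data (not a real patient or file).
SAMPLE = build_file({
    (0x0002, 0x0001): ("OB", b"\x00\x01"),
    (0x0002, 0x0002): ("UI", "1.2.840.10008.5.1.4.1.1.2"),  # CT Image Storage SOP class
    (0x0002, 0x0003): ("UI", "1.2.3.4.5.6.7.8"),             # made-up instance UID
    (0x0002, 0x0010): ("UI", EXPLICIT_VR_LE),
    (0x0008, 0x0060): ("CS", "CT"),
    (0x0008, 0x0080): ("LO", "Example District Hospital"),
    (0x0010, 0x0010): ("PN", "DOE^JANE"),
    (0x0010, 0x0020): ("LO", "MRN0001234"),
    (0x0010, 0x0030): ("DA", "19700101"),
    (0x0010, 0x0040): ("CS", "F"),
    (0x0028, 0x0010): ("US", struct.pack("<H", 2)),
    (0x0028, 0x0011): ("US", struct.pack("<H", 2)),
    (0x7FE0, 0x0010): ("OW", b"\x00\x01\x00\x02\x00\x03\x00\x04"),
})

if __name__ == "__main__":
    for name, value in find_pii(read_elements(SAMPLE)).items():
        print(f"{name}: {value}")
    print("after de-identification:", find_pii(read_elements(deidentify(SAMPLE))))
```

Run against a real export, the `find_pii` step is the quick check that tells you what a leaked study would reveal; production de-identification should follow the full DICOM confidentiality profile (including burned-in text in the pixels, private tags and nested sequences), which this reader deliberately does not attempt.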
We have found the standard is frequently misused in a way that leaves vast swathes of records exposed. Our investigations recently discovered more than 45 million medical images unsecured and openly accessible online. These included X-rays as well as MRI and CT scans – along with all the sensitive metadata attached to each image. We found files accessible at providers ranging from large hospitals to independent doctors and dentists all over the world.
The main issue is not DICOM itself, but how it is deployed. The standard has added optional security provisions over the years, such as TLS for connections between devices and user identity negotiation, but none of them is mandatory and they are frequently not enabled by default. As a result, organisations using DICOM often leave data completely open to abuse. Thousands of DICOM devices are publicly discoverable online, and our investigators were able to access the vast majority of them without any challenge.
In some cases this included login portals that opened when a blank username and password were submitted. Sensitive data is also commonly transmitted unencrypted, and a DICOM association carries no credentials at all unless the optional provisions are configured, so an attacker only needs to discover the device online to retrieve large amounts of sensitive data.
This is a low-effort attack that requires little experience or skill. The risk has been greatly exacerbated during the pandemic as more staff transmit data to remote devices.
How can healthcare providers keep patient data safe?
Healthcare practitioners need to operate with a heightened sense of cybersecurity and an awareness that they are likely in the sights of criminals. While patient care must always be the priority, there must also be a balance between speed and security to ensure that patients' privacy is safeguarded.
This means ensuring that security processes are not circumvented. In particular, all organisations must ensure they have strong password practices in place for every application, including the PACS and web portals that front DICOM archives. No application should ever be left with a factory default password or an easily guessed one such as "Password123". Organisations should also assess their DICOM servers and other online assets to make sure they are protected from snooping. DICOM servers (which by convention listen on TCP port 104 or 11112) should not be reachable from the public internet at all: place them on a segmented network that is accessible only over a VPN, restrict the IP addresses and calling AE titles they will accept associations from, and use TLS for all DICOM traffic. Bear in mind that an AE title whitelist is not authentication, since titles are sent in the clear and are trivially guessed or copied.
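The credential-free association described earlier, and the assessment step recommended here, can both be demonstrated with the following added example (not the article's or any vendor's code). It builds a DICOM A-ASSOCIATE-RQ for the Verification SOP class (the same request the standard C-ECHO tools send), parses the A-ASSOCIATE-AC or A-ASSOCIATE-RJ that comes back, and offers a `probe()` function to run the exchange against a host you are authorised to test. The server-side replies are constructed inline so the parser can be exercised offline; the AE titles and hostnames are placeholders.

```python
import socket
import struct

APP_CONTEXT = "1.2.840.10008.3.1.1.1"   # DICOM Application Context Name
VERIFICATION = "1.2.840.10008.1.1"      # Verification SOP Class (C-ECHO)
IMPLICIT_VR_LE = "1.2.840.10008.1.2"    # default transfer syntax

# Meaning of A-ASSOCIATE-RJ source/reason pairs we care about (PS3.8 Table 9-21, user-source subset).
RJ_REASONS = {(1, 1): "no reason given", (1, 3): "calling AE title not recognised",
              (1, 7): "called AE title not recognised"}


def _item(item_type, payload):
    """Variable item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae(title):
    """AE titles are 16 bytes, space padded, sent in the clear."""
    return title.encode("ascii").ljust(16)[:16]


def _fixed_header(called_ae, calling_ae):
    """Protocol version 1, reserved, called AE, calling AE, 32 reserved bytes (74 bytes with PDU header)."""
    return struct.pack(">HH", 1, 0) + _ae(called_ae) + _ae(calling_ae) + b"\x00" * 32


def build_associate_rq(called_ae, calling_ae, max_pdu=16384):
    """A-ASSOCIATE-RQ proposing C-ECHO. Note that the PDU has no field for credentials by default."""
    pres_ctx = _item(0x20, struct.pack(">BBBB", 1, 0, 0, 0)
                     + _item(0x30, VERIFICATION.encode())
                     + _item(0x40, IMPLICIT_VR_LE.encode()))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", max_pdu)))
    body = _fixed_header(called_ae, calling_ae) + _item(0x10, APP_CONTEXT.encode()) + pres_ctx + user_info
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def build_associate_ac(called_ae, calling_ae, result=0):
    """Constructed A-ASSOCIATE-AC, as an open archive answers; result 0 accepts the context."""
    pres_ctx = _item(0x21, struct.pack(">BBBB", 1, 0, result, 0) + _item(0x40, IMPLICIT_VR_LE.encode()))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384)))
    body = _fixed_header(called_ae, calling_ae) + _item(0x10, APP_CONTEXT.encode()) + pres_ctx + user_info
    return struct.pack(">BBI", 0x02, 0, len(body)) + body


def build_associate_rj(result=1, source=1, reason=3):
    """Constructed A-ASSOCIATE-RJ, as a server with an AE title whitelist answers an unknown caller."""
    return struct.pack(">BBIBBBB", 0x03, 0, 4, 0, result, source, reason)


def parse_associate_response(pdu):
    """Classify the peer's reply to an A-ASSOCIATE-RQ."""
    pdu_type = pdu[0]
    if pdu_type == 0x02:
        pos, accepted = 74, None                     # variable items start after the fixed header
        while pos < len(pdu):
            item_type, _, length = struct.unpack_from(">BBH", pdu, pos)
            if item_type == 0x21:                    # presentation context AC item
                accepted = pdu[pos + 6] == 0         # result/reason byte: 0 = acceptance
            pos += 4 + length
        return {"status": "accepted", "verification_accepted": accepted}
    if pdu_type == 0x03:
        result, source, reason = pdu[7], pdu[8], pdu[9]
        return {"status": "rejected", "result": result, "source": source,
                "reason": RJ_REASONS.get((source, reason), f"source {source} reason {reason}")}
    if pdu_type == 0x07:
        return {"status": "aborted"}
    return {"status": f"unexpected PDU type 0x{pdu_type:02x}"}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def probe(host, port=104, called_ae="ANY-SCP", calling_ae="AUDIT", timeout=5.0):
    """Send one A-ASSOCIATE-RQ to a host you are authorised to test and return the parsed reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(called_ae, calling_ae))
        header = _recv_exact(sock, 6)
        reply = header + _recv_exact(sock, struct.unpack(">I", header[2:])[0])
        if reply[0] == 0x02:
            sock.sendall(struct.pack(">BBII", 0x05, 0, 4, 0))   # A-RELEASE-RQ: be a polite client
    return parse_associate_response(reply)


if __name__ == "__main__":
    print("open archive replies:", parse_associate_response(build_associate_ac("ANY-SCP", "AUDIT")))
    print("whitelisting archive replies:", parse_associate_response(build_associate_rj()))
    # probe("pacs.example.internal")  # placeholder host; run only with authorisation
```

An "accepted" result from an arbitrary calling AE title on an internet-facing address is exactly the exposure the article describes: the server will go on to answer C-FIND and C-MOVE queries with the same lack of authentication. A "rejected" reply with "calling AE title not recognised" shows a whitelist in place, which raises the bar but is not authentication, because the title is a 16-byte cleartext string.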
Finally, practitioners can take a further step by proactively scanning for data leaks. Regularly monitoring external sources such as dark web forums can identify data that has already been leaked while there is still time to act. Not only does this help to contain the current breach, it also lets the IT and security team work backwards to the source of the leak and close it to prevent further exposure.