Dark Reading is part of the Informa Tech Division of Informa PLC



12/15/2020
03:25 PM

Medical Imaging Leaks Highlight Unhealthy Security Practices

More than 45 million unique images, such as X-rays and MRI scans, are accessible to anyone on the Internet, security firm says.

Thousands of storage servers housing more than 45 million medical images can be accessed from the public Internet, with the majority using default ports and many showing signs of already being accessed by malicious actors, cybersecurity firm CybelAngel stated in a research report published on Dec. 15.

Over a six-month investigation, researchers from the firm discovered more than 3,000 servers that allowed connections to port 104 — one of the network ports used by the manufacturers of medical imaging machines — and presented a banner for the medical file format DICOM. A test of 50 randomly sampled servers found that 44 — or 88% — allowed connection attempts, according to the report.


While the largest volume of files was stored on the server of a Russian health center, the largest number of unsecured servers — 819 — was located in the United States, says David Sygula, senior cybersecurity analyst at CybelAngel.

These exposed servers "are totally widespread," he says. "There are some countries that are more secure than others. [While] we saw some smaller servers that were eye doctors, ... some of the biggest ones belong to medical centers."

The research underscores that storage servers and cloud storage services continue to suffer from misconfiguration problems that expose them to data leaks and breaches. While the healthcare industry has seen its share of data breaches — such as tens of millions of records stolen from medical debt collector American Medical Collection Agency (AMCA) in 2019 — the threat of ransomware attack eclipsed run-of-the-mill data leaks in 2020.

Yet CybelAngel found that many medical organizations aren't aware that they are leaking sensitive image files. Despite a focus on securing data, many companies and industries are still unprepared for attackers, the researchers state in the report.

An initial scan of the entire IPv4 range allowed the company to detect 20 million unique DICOM images left exposed on approximately 1,1000 unprotected servers in 57 countries worldwide. At the end of the six-month investigation, the firm had found 45 million unique images on more than 2,100 servers in 67 different countries. Twelve of the servers had more than a million DICOM files each, with a total of 9.8 million files found in the United States, 9.6 million files found in South Korea, and 8.8 million files found in Russia, according to the report.

"[I]ronically more and more personal data is left exposed across the internet," the report states. "Unfortunately, despite many ... newer versions of protocols, we still rely on old technology that was not purposefully-built for secure exchanges."

The researchers used a number of Internet-scanning technologies to find open servers, including looking for publicly accessible DICOM headers on servers, focusing on other metadata to determine whether the servers were accessible to the Internet, and scans using services such as Shodan. The researchers also identified the official Web portals used by the three major vendors, and a search of the Internet turned up 300 open portals, the company says in the report.
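The "DICOM header" the researchers looked for is a fixed on-disk signature: a 128-byte preamble followed by the magic bytes "DICM", then explicit-VR data elements. The following Python is an added example, not code from the article or from CybelAngel, that parses that structure from a constructed sample file and reports which patient-identifying attributes a leaked copy of the file would reveal; the tag set, the encoder used to build the sample, and the sample values are constructed for this example and it assumes the Explicit VR Little Endian transfer syntax.

```python
import struct

# Explicit-VR encoding: these VRs use 2 reserved bytes plus a 4-byte length
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
# Constructed subset of patient-identifying tags to check for
PHI_TAGS = {(0x0010, 0x0010): "PatientName", (0x0010, 0x0020): "PatientID",
            (0x0010, 0x0030): "PatientBirthDate"}

def is_dicom(data: bytes) -> bool:
    """A DICOM Part 10 file has a 128-byte preamble followed by the 'DICM' magic."""
    return len(data) >= 132 and data[128:132] == b"DICM"

def parse_elements(data: bytes) -> dict:
    """Parse explicit-VR little-endian elements after the magic into {(group, elem): (VR, value)}.
    Assumes Explicit VR Little Endian (1.2.840.10008.1.2.1); stops at undefined-length items."""
    pos, elements = 132, {}
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:  # undefined length (sequences): not handled here
            break
        value = data[pos:pos + length]
        pos += length
        if vr in (b"UI", b"PN", b"LO", b"DA", b"CS", b"SH", b"AE"):
            value = value.decode("ascii").rstrip("\x00 ")  # strip DICOM padding
        elements[(group, elem)] = (vr.decode(), value)
    return elements

def phi_exposure(data: bytes):
    """Return the identifying attributes present, i.e. what exposing this file reveals."""
    if not is_dicom(data):
        return None
    els = parse_elements(data)
    return {name: els[tag][1] for tag, name in PHI_TAGS.items() if tag in els}

def _el(group: int, elem: int, vr: bytes, value: bytes) -> bytes:
    """Encode one explicit-VR LE element; only used to build the constructed sample."""
    if len(value) % 2:  # DICOM values are padded to even length
        value += b"\x00" if vr in (b"UI", b"OB") else b" "
    if vr in LONG_VRS:
        return struct.pack("<HH2sxxI", group, elem, vr, len(value)) + value
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value

# Constructed sample: preamble, magic, file meta group, minimal patient module
SAMPLE = (b"\x00" * 128 + b"DICM"
          + _el(0x0002, 0x0001, b"OB", b"\x00\x01")
          + _el(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1")
          + _el(0x0010, 0x0010, b"PN", b"DOE^JANE")
          + _el(0x0010, 0x0020, b"LO", b"MRN-000123")
          + _el(0x0010, 0x0030, b"DA", b"19700101"))
```

Run over an organization's own image stores, this kind of check inventories which files still carry patient identifiers, which is the information a leak like the one described exposes.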

CybelAngel did not report the issues to the owners of the servers. The company could not always identify affected organizations, and "since this is a leak — public images, no hacking involved — versus a data breach, it is CybelAngel's experience that leaks of this nature don't necessarily have to be reported," the company says through a spokesperson.

Unfortunately, Internet-wide scanning is not difficult, and a variety of companies do it routinely. Under the moniker of Project Sonar, vulnerability management firm Rapid7 scans 70 different services and protocols to determine the level of exposure of common ports. The security search service Shodan scans the 4.3 billion IP addresses on the IPv4 Internet and keeps track of which services are available.

Companies need to regularly scan their own networks to be aware of what services they're exposing to attackers, CybelAngel's Sygula says.

"The first thing is that people need to read the documentation and find the best way to secure the services," he says. "They should be also scanning the server and change the default password."

While the company did not attempt to use default or common passwords against the services, Sygula predicts that the number of accessible servers would be much higher. "I think if we did the same survey with default passwords," he says, "then we would find 10 times the number of images."

