As a patient, I don't really think about my medical records being kept confidential. I assume that my general practitioner and the medical facilities that I use will keep that information confidential. Working in the medical industry, I am bound by HIPAA laws, so I understand that releasing medical information to anyone not involved in a patient's care is strictly forbidden. So when I read this week that 45 million medical images, including x-rays and CT scans, were sitting on unprotected servers, I was shocked.
CybelAngel, a company specializing in finding data leaks before bad actors can find them, released a report this week that analyzed 4.3 billion IP addresses looking for unsecured medical imaging data. Of the IP addresses they scanned, 2,140 servers across 67 different countries had unsecured patient images saved on them. Almost 10 million unprotected images in the United States alone were less than 2 years old. The six-month investigation into NAS (Network Attached Storage) devices and DICOM (Digital Imaging and Communications in Medicine) systems found not only x-rays and CT scans but also patient information, including names, birthdays, addresses, social security numbers, insurance information, and diagnoses. CybelAngel did not use any traditional methods of "hacking"; they simply scanned the IPs looking for information. This is similar to an individual typing in a website name and hitting enter.
Through CybelAngel's investigation, there were indications that malicious actors had already visited many of the IP addresses scanned. Some of the IP addresses had viruses planted on them that would install crypto-miners on the requesting computer, or the more vicious kind that would place ransomware on the requesting computer.
Let's be clear, CybelAngel is the good guy in this unfortunate scenario. They contacted the medical facilities and independent physicians, informed them of the HIPAA compliance breach, and provided them with simple steps to safeguard that information. CybelAngel found that many of the records were stored on inexpensive NAS systems (systems commercially available at Best Buy or Amazon). Many of these NAS devices have password protection but no encryption or password standards. Worse yet, most of these NAS devices allow "Guest Access," which lets someone access the drive without a password.
DICOM is both a protocol and an international image standard. DICOM images are processed through a PACS (Picture Archiving and Communication System) server, and PACS workstations let end-users view the x-ray/CT/MRI scans through image viewers. Though most PACS systems update their security fairly often, CybelAngel found many of the DICOM services listening on the "standard ports" of 104 and 11112. Because these two ports are also used by other types of devices, like video games, they are reachable from outside computers. Being accessible is not the same as being unprotected, but CybelAngel analysts could gain access to DICOM images without a password 88% of the time during this investigation.
For some web-based PACS software, CybelAngel was able to find the web portals by researching the PACS software online. By looking up three specific vendors, the analysts found 300 open portals giving unprotected access. Worse, because these portals were unprotected, Google's search bots were able to index the images, along with their metadata, and display them in search results. These results included names, birthdates, patient IDs, and other personal health information.
Throughout my blogs, I have covered the financial consequences of cybersecurity breaches and the associated HIPAA fines. To bad actors looking for a quick and relatively easy payday, the medical industry is amongst the easiest targets because of the sheer number of hospitals, imaging centers, and private physician practices. CybelAngel provided these three actions to help fight against unwanted information breaches:
- Make sure any information collected during the COVID-19 outbreak is also protected under security policies and protocols.
- Limit diagnostic imaging equipment and supporting systems exposure to wider networks.
- Use a third party to audit all security policies and identify weaknesses and individuals who might not be following those policies and procedures.
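One way a facility can check the "limit exposure to wider networks" recommendation against its own firewall logs, added here as an example that is not from the post or from CybelAngel's report: flag accepted inbound connections to the standard DICOM ports (104 and 11112) that come from outside the clinical network. The key=value log format, the internal address ranges, and the sample lines are all constructed for this example.

```python
"""Flag accepted connections to DICOM/PACS listener ports from sources
outside the clinical network. Added example; the log format and the
network ranges are hypothetical and must be adjusted to the site."""
import ipaddress
import re

# Standard DICOM association ports mentioned in the post.
DICOM_PORTS = {104, 11112}

# Hypothetical clinical network ranges (RFC 1918 space as a placeholder).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample firewall log lines in a simplified key=value format.
SAMPLE_LOG = """\
2020-12-10T08:01:12Z action=accept src=192.168.10.25 dst=192.168.10.5 dport=104 proto=tcp
2020-12-10T08:02:44Z action=accept src=203.0.113.77 dst=192.168.10.5 dport=11112 proto=tcp
2020-12-10T08:03:01Z action=accept src=198.51.100.9 dst=192.168.10.5 dport=443 proto=tcp
2020-12-10T08:04:15Z action=drop src=203.0.113.78 dst=192.168.10.5 dport=104 proto=tcp
2020-12-10T08:05:30Z action=accept src=198.51.100.9 dst=192.168.10.9 dport=104 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the clinical network ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def exposed_dicom_connections(log_text: str) -> list:
    """Return accepted connections to a DICOM port from a non-internal source.
    Dropped connections are not exposures (the firewall did its job), so
    they are left out even though they may show someone probing."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        if rec["action"] != "accept" or rec["dport"] not in DICOM_PORTS:
            continue
        if not is_internal(rec["src"]):
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in exposed_dicom_connections(SAMPLE_LOG):
        print(f"{f['ts']} external {f['src']} reached DICOM port {f['dport']} on {f['dst']}")
```

Any hit means a PACS or modality listener is reachable from outside the facility and should be moved behind the clinical network boundary or a VPN, regardless of whether the DICOM service itself asks for credentials.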