As a patient, I don't really think about my medical records being kept confidential. I assume that my general practitioner and the medical facilities I use will keep that information confidential. Working in the medical industry, I am bound by HIPAA, so I understand that releasing medical information to anyone not involved in a patient's care is strictly forbidden. So when I read this week that 45 million medical images, including x-rays and CT scans, were sitting on unprotected servers, I was shocked.
CybelAngel, a company specializing in finding data leaks before bad actors can find them, released a report this week that analyzed 4.3 billion IP addresses looking for unsecured medical imaging data. Of the IP addresses they scanned, 2140 servers across 67 different countries had unsecured patient images saved on them. Almost 10 million unprotected images in the United States alone were less than 2 years old. The six-month investigation into NAS (Network Attached Storage) devices and DICOM (Digital Imaging and Communications in Medicine) systems found not only x-rays and CT scans but also patient information, including names, birthdays, addresses, social security numbers, insurance information, and diagnoses. CybelAngel did not use any traditional "hacking" methods; they simply scanned the IP addresses looking for exposed information, much as an individual types in a website name and hits enter.
CybelAngel's investigation also found indications that malicious actors had already visited many of the scanned IP addresses. Some of the servers had been seeded with malware that would install a crypto-miner on the requesting computer, or, in the more vicious cases, ransomware.
Let's be clear: CybelAngel is the good guy in this unfortunate scenario. They contacted the medical facilities and independent physicians, informed them of the HIPAA compliance breach, and provided simple steps to safeguard the information. CybelAngel found that many of the records were stored on inexpensive NAS systems (the kind commercially available at Best Buy or Amazon). Many of these NAS devices support password protection but have no encryption and no password standards. Worse yet, most of them allow "Guest Access," which lets someone reach the drive without a password at all.
DICOM is both a network protocol and an international image standard. Images are processed through a PACS (Picture Archiving and Communication System) server, and PACS workstations let end users view x-ray, CT, and MRI scans in image viewers. Though most PACS vendors update their security fairly often, CybelAngel found many DICOM services listening on the "standard ports" 104 and 11112. Because these two ports are also used by other types of devices, like video games, they are often left reachable from outside computers. Being reachable is not the same as being unprotected, but CybelAngel analysts could access DICOM images without a password 88% of the time during this investigation.
For some web-based PACS products, CybelAngel was able to find the web portals by researching the PACS software online. By looking up three specific vendors, the analysts found 300 open portals giving unprotected access. Worse, because these portals were unprotected, Google's search bots were able to index the images along with their metadata and display them in search results. Those results included names, birthdates, patient IDs, and other personal health information.
Throughout my blogs, I have covered the financial consequences of cybersecurity breaches and the associated HIPAA fines. To bad actors looking for a quick and relatively easy payday, the medical industry is among the easiest targets because of the sheer number of hospitals, imaging centers, and private physician practices. CybelAngel provided these three actions to help fight against unwanted information breaches:
- Make sure any information collected during the COVID-19 outbreak is also protected under security policies and protocols.
- Limit diagnostic imaging equipment and supporting systems exposure to wider networks.
- Use a third party to audit all security policies and identify weaknesses and individuals who might not be following those policies and procedures.