Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

12/15/2020
03:25 PM
50%
50%

Medical Imaging Leaks Highlight Unhealthy Security Practices

More than 45 million unique images, such as X-rays and MRI scans, are accessible to anyone on the Internet, security firm says.

Thousands of storage servers housing more than 45 million medical images can be accessed from the public Internet, with the majority using default ports and many showing signs of already being accessed by malicious actors, cybersecurity firm CybelAngel stated in a research report published on Dec. 15.

Over a six-month investigation, researchers from the firm discovered more than 3,000 servers that allowed connections to port 104 — one of the network ports used by the manufacturers of medical imaging machines — and presented a banner for the medical file format DICOM. A test of 50 randomly sampled servers found that 44 — or 88% — allowed connection attempts, according to the report.

Related Content:

Healthcare Industry Sees Respite From Attacks in First Half of 2020

Building an Effective Cybersecurity Incident Response Team

New From The Edge: 2021 Security Budgets: Top Priorities, New Realities

While the largest volume of files was stored in the server of a Russian health center, the largest number of unsecure servers— 819 — were located in the United States, says David Sygula, senior cybersecurity analyst at CybelAngel.

These exposed servers "are totally widespread," he says. "There are some countries that are more secure than others. [While] we saw some smaller servers that were eye doctors, ... some of the biggest ones belong to medical centers."

The research underscores that storage servers and cloud storage services continue to suffer from misconfiguration problems that expose them to data leaks and breaches. While the healthcare industry has seen its share of data breaches — such as tens of millions of records stolen from medical debt collector American Medical Collection Agency (AMCA) in 2019 — the threat of ransomware attack eclipsed run-of-the-mill data leaks in 2020.

Yet CybelAngel found that many medical organizations aren't aware that they are leaking sensitive image files. Despite a focus on securing data, many companies and industries are still unprepared for attackers, the researchers state in the report.

An initial scan of the entire IPv4 range allowed the company to detect 20 million unique DICOM images left exposed on approximately 1,1000 unprotected servers in 57 countries worldwide. At the end of the six-month investigation, the firm had found 45 million unique images on more than 2,100 servers in 67 different countries. Twelve of the servers had more than a million DICOM files each, with a total of 9.8 million files found in the United States, 9.6 million files found in South Korea, and 8.8 million files found in Russia, according to the report.

"[I]ronically more and more personal data is left exposed across the internet," the report states. "Unfortunately, despite many ... newer versions of protocols, we still rely on old technology that was not purposefully-built for secure exchanges."

The researchers used a number of Internet-scanning technologies to find open servers, including looking for publicly accessible DICOM headers on servers, focusing on other metadata to determine whether the servers were accessible to the Internet, and scans using services such as Shodan. The researchers also identified the official Web portals used by the three major vendors, and a search of the Internet turned up 300 open portals, the company says in the report.

CybelAngel did not report the issues to the owners of the servers. The company could not always identify affected organizations, and "since this is a leak — public images, no hacking involved — versus a data breach, it is CybelAngel's experience that leaks of this nature don't necessarily have to be reported," the company says through a spokesperson.

Unfortunately, there is very little that is difficult about Internet scans. A variety of companies regularly scan for exposed services. Under the moniker of Project Sonar, vulnerability management firm Rapid7 scans 70 different services and protocols to determine the level of exposure of common ports. The security searching service Shodan scans the 4.3 billion IP addresses on the IPv4 Internet and keeps track of which services are available.

Companies need to regularly scan their own networks to be aware of what services they're exposing to attackers, CybelAngel's Sygula says.

"The first thing is that people need to read the documentation and find the best way to secure the services," he says. "They should be also scanning the server and change the default password."

While the company did not attempt to use default or common passwords against the services, Sygula predicts that the number of accessible servers would be much higher. "I think if we did the same survey with default passwords," he says, "then we would find 10 times the number of images."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21354
PUBLISHED: 2021-03-08
Pollbot is open source software which "frees its human masters from the toilsome task of polling for the state of things during the Firefox release process." In Pollbot before version 1.4.4 there is an open redirection vulnerability in the path of "https://pollbot.services.mozilla.com...
CVE-2021-21362
PUBLISHED: 2021-03-08
MinIO is an open-source high performance object storage service and it is API compatible with Amazon S3 cloud storage service. In MinIO before version RELEASE.2021-03-04T00-53-13Z it is possible to bypass a readOnly policy by creating a temporary 'mc share upload' URL. Everyone is impacted who uses ...
CVE-2020-4695
PUBLISHED: 2021-03-08
IBM API Connect V10 is impacted by insecure communications during database replication. As the data replication happens over insecure communication channels, an attacker can view unencrypted data leading to a loss of confidentiality.
CVE-2020-4903
PUBLISHED: 2021-03-08
IBM API Connect V10 and V2018 could allow an attacker who has intercepted a registration invitation link to impersonate the registered user or obtain sensitive information. IBM X-Force ID: 191105.
CVE-2020-5014
PUBLISHED: 2021-03-08
IBM DataPower Gateway V10 and V2018 could allow a local attacker with administrative privileges to execute arbitrary code on the system using a server-side requesr forgery attack. IBM X-Force ID: 193247.