Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

12/15/2020
03:25 PM
50%
50%

Medical Imaging Leaks Highlight Unhealthy Security Practices

More than 45 million unique images, such as X-rays and MRI scans, are accessible to anyone on the Internet, security firm says.

Thousands of storage servers housing more than 45 million medical images can be accessed from the public Internet, with the majority using default ports and many showing signs of already being accessed by malicious actors, cybersecurity firm CybelAngel stated in a research report published on Dec. 15.

Over a six-month investigation, researchers from the firm discovered more than 3,000 servers that allowed connections to port 104 — one of the network ports used by the manufacturers of medical imaging machines — and presented a banner for the medical file format DICOM. A test of 50 randomly sampled servers found that 44 — or 88% — allowed connection attempts, according to the report.

Related Content:

Healthcare Industry Sees Respite From Attacks in First Half of 2020

Building an Effective Cybersecurity Incident Response Team

New From The Edge: 2021 Security Budgets: Top Priorities, New Realities

While the largest volume of files was stored in the server of a Russian health center, the largest number of unsecure servers— 819 — were located in the United States, says David Sygula, senior cybersecurity analyst at CybelAngel.

These exposed servers "are totally widespread," he says. "There are some countries that are more secure than others. [While] we saw some smaller servers that were eye doctors, ... some of the biggest ones belong to medical centers."

The research underscores that storage servers and cloud storage services continue to suffer from misconfiguration problems that expose them to data leaks and breaches. While the healthcare industry has seen its share of data breaches — such as tens of millions of records stolen from medical debt collector American Medical Collection Agency (AMCA) in 2019 — the threat of ransomware attack eclipsed run-of-the-mill data leaks in 2020.

Yet CybelAngel found that many medical organizations aren't aware that they are leaking sensitive image files. Despite a focus on securing data, many companies and industries are still unprepared for attackers, the researchers state in the report.

An initial scan of the entire IPv4 range allowed the company to detect 20 million unique DICOM images left exposed on approximately 1,1000 unprotected servers in 57 countries worldwide. At the end of the six-month investigation, the firm had found 45 million unique images on more than 2,100 servers in 67 different countries. Twelve of the servers had more than a million DICOM files each, with a total of 9.8 million files found in the United States, 9.6 million files found in South Korea, and 8.8 million files found in Russia, according to the report.

"[I]ronically more and more personal data is left exposed across the internet," the report states. "Unfortunately, despite many ... newer versions of protocols, we still rely on old technology that was not purposefully-built for secure exchanges."

The researchers used a number of Internet-scanning technologies to find open servers, including looking for publicly accessible DICOM headers on servers, focusing on other metadata to determine whether the servers were accessible to the Internet, and scans using services such as Shodan. The researchers also identified the official Web portals used by the three major vendors, and a search of the Internet turned up 300 open portals, the company says in the report.

CybelAngel did not report the issues to the owners of the servers. The company could not always identify affected organizations, and "since this is a leak — public images, no hacking involved — versus a data breach, it is CybelAngel's experience that leaks of this nature don't necessarily have to be reported," the company says through a spokesperson.

Unfortunately, there is very little that is difficult about Internet scans. A variety of companies regularly scan for exposed services. Under the moniker of Project Sonar, vulnerability management firm Rapid7 scans 70 different services and protocols to determine the level of exposure of common ports. The security searching service Shodan scans the 4.3 billion IP addresses on the IPv4 Internet and keeps track of which services are available.

Companies need to regularly scan their own networks to be aware of what services they're exposing to attackers, CybelAngel's Sygula says.

"The first thing is that people need to read the documentation and find the best way to secure the services," he says. "They should be also scanning the server and change the default password."

While the company did not attempt to use default or common passwords against the services, Sygula predicts that the number of accessible servers would be much higher. "I think if we did the same survey with default passwords," he says, "then we would find 10 times the number of images."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28488
PUBLISHED: 2021-01-22
This affects all versions of package jquery-ui; all versions of package org.fujion.webjars:jquery-ui. When the "dialog" is injected into an HTML tag more than once, the browser and the application may crash.
CVE-2021-22847
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1's API fail to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege.
CVE-2021-22849
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack.
CVE-2020-8567
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2020-8568
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...