Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
A 30-year-old, rarely updated protocol for medical devices has exposed reams of highly personal data, thanks to a lack of proper security throughout owner environments.
Dan Raywood, Senior Editor, Dark Reading
November 9, 2023
3 Min Read
Source: Panther Media GmbH via Alamy Stock Photo
Around 60 million personal and medical records may have been exposed over the past few decades due to the use of a legacy protocol in medical equipment, researchers say.
Researchers from Aplite examined the Digital Imaging and Communications in Medicine (DICOM) protocol, which is an
internationally-recognized standard for medical imaging transfers that's implemented in almost every radiology, cardiology imaging, and radiotherapy setting globally. They found that the protocol lacks security controls, according to a
presentation on the research that will be given at Black Hat Europe in London in December.
Aplite senior IT security consultants Sina Yazdanmehr and Ibrahim Akkulak in fact detected more than 3,800 servers using the
DICOM protocol that were accessible on the Internet, and 30% of those were leaking sensitive data.
[DO YOU HAVE MORE DETAILS ON WHAT THE SECURITY GAPS/ISSUES ARE?]
Perhaps the security holes are to be expected, given that the most recent version of the protocol was introduced 30 years ago in 1993, with the original published in 1985 and a revised edition published in 1988. Yazdanmehr says there were some updates in 2021, "but not in regards to the security improvements that we wanted to see.”
Imaging Machine Exposure Affects Millions of Patients
The researchers say that over 30 years, they estimate that 59 million records could have been visible, "including personal information like names, addresses, dates of birth, gender — and in some cases we could even see the Social Security numbers of those people."
They also say there were medical records that showed examination results in some cases, such as an MRI, X-ray or CT scan result, as well as the examination date and time.
Yazdanmehr says the vendors of the machines they had spoken with were aware of the issues, but says they were unaware of how big the risk is, and what the volume of data leakage is.
"Hopefully we can increase the awareness make it better, and the number goes down and more vendors and hospitals start hardening their infrastructure. But I think it's going to be a kind of long journey," Yazdanmehr says.
He points out that the devices should be able to talk to each other and exchange data, but that moving electronic records securely involves every link in the chain being secure and up-to-date, and that until the majority of equipment and medical devices can support advanced and complex security measures, there will be a problem.
[HOW DOES THIS RELATE TO THE DICOM PROBLEM?]
[ARE THERE ANY REMEDIES AVAILABLE?]
DICOM: No Security Issues on Our End
A spokesperson for the DICOM said in a statement that DICOM is a standard protocol that manufacturers choose to comply with, and that it allows for security mechanisms to be put in place. Vendors and healthcare delivery organizations are the ones to ultimately decide which security mechanisms are appropriate for their environments, the person said.
Thus, the DICOM standard does not inherently pose a security risk, according to the statement, which pointed out that there’s a “Secure Connection capability” that’s been specified in DICOM for almost two decades, and that it’s updated regularly to reflect recommendations from the
National Institute of Standards and Technology (NIST) and other international standard setting organizations.
"The implementation, deployment, purchase, maintenance and configuration of systems that implement the DICOM Standard are the responsibility of the product vendors and their customers,” according to the statement. “Further, it is the responsibility of the vendors to provide and maintain software implementations. In short, proper security is a shared responsibility between device manufacturers and health delivery organizations. To claim it’s the sole responsibility of a standard is false."
[DO THE RESEARCHERS HAVE ANY RESPONSE TO THIS?]
Read more about:Black Hat News
About the Author(s)
With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.
You May Also Like
A screen displaying many different types of charts and graphs to show what data is being analyzed.Cybersecurity Analytics
Use the 2023 MITRE ATT&CK Evaluation Results for Turla to Inform EDR Buying Decisions
Strengthen Microsoft Defender with MDR
Building Cyber Resiliency: Key Strategies for Proactive Security Operations
Buyer's Guide: Choosing a True DevSecOps Solution for Your Apps on AWS
Understanding AI Models to Future-Proof Your AppSec Program