Thousands of storage servers housing more than 45 million medical images can be accessed from the public Internet, with the majority using default ports and many showing signs of already being accessed by malicious actors, cybersecurity firm CybelAngel stated in a research report published on Dec. 15.
Over a six-month investigation, researchers from the firm discovered more than 3,000 servers that allowed connections to port 104 — one of the network ports used by the manufacturers of medical imaging machines — and presented a banner for the medical file format DICOM. A test of 50 randomly sampled servers found that 44 — or 88% — allowed connection attempts, according to the report.
While the largest volume of files was stored in the server of a Russian health center, the largest number of unsecure servers— 819 — were located in the United States, says David Sygula, senior cybersecurity analyst at CybelAngel.
These exposed servers "are totally widespread," he says. "There are some countries that are more secure than others. [While] we saw some smaller servers that were eye doctors, ... some of the biggest ones belong to medical centers."
The research underscores that storage servers and cloud storage services continue to suffer from misconfiguration problems that expose them to data leaks and breaches. While the healthcare industry has seen its share of data breaches — such as tens of millions of records stolen from medical debt collector American Medical Collection Agency (AMCA) in 2019 — the threat of ransomware attack eclipsed run-of-the-mill data leaks in 2020.
Yet CybelAngel found that many medical organizations aren't aware that they are leaking sensitive image files. Despite a focus on securing data, many companies and industries are still unprepared for attackers, the researchers state in the report.
An initial scan of the entire IPv4 range allowed the company to detect 20 million unique DICOM images left exposed on approximately 1,1000 unprotected servers in 57 countries worldwide. At the end of the six-month investigation, the firm had found 45 million unique images on more than 2,100 servers in 67 different countries. Twelve of the servers had more than a million DICOM files each, with a total of 9.8 million files found in the United States, 9.6 million files found in South Korea, and 8.8 million files found in Russia, according to the report.
"[I]ronically more and more personal data is left exposed across the internet," the report states. "Unfortunately, despite many ... newer versions of protocols, we still rely on old technology that was not purposefully-built for secure exchanges."
The researchers used a number of Internet-scanning technologies to find open servers, including looking for publicly accessible DICOM headers on servers, focusing on other metadata to determine whether the servers were accessible to the Internet, and scans using services such as Shodan. The researchers also identified the official Web portals used by the three major vendors, and a search of the Internet turned up 300 open portals, the company says in the report.
CybelAngel did not report the issues to the owners of the servers. The company could not always identify affected organizations, and "since this is a leak — public images, no hacking involved — versus a data breach, it is CybelAngel's experience that leaks of this nature don't necessarily have to be reported," the company says through a spokesperson.
Unfortunately, there is very little that is difficult about Internet scans. A variety of companies regularly scan for exposed services. Under the moniker of Project Sonar, vulnerability management firm Rapid7 scans 70 different services and protocols to determine the level of exposure of common ports. The security searching service Shodan scans the 4.3 billion IP addresses on the IPv4 Internet and keeps track of which services are available.
Companies need to regularly scan their own networks to be aware of what services they're exposing to attackers, CybelAngel's Sygula says.
"The first thing is that people need to read the documentation and find the best way to secure the services," he says. "They should be also scanning the server and change the default password."
While the company did not attempt to use default or common passwords against the services, Sygula predicts that the number of accessible servers would be much higher. "I think if we did the same survey with default passwords," he says, "then we would find 10 times the number of images."