Hospitals are leaving millions of sensitive medical images exposed online

Cybersecurity researchers discover millions of medical files and associated personal data left discoverable on the open web due to being stored insecurely.
Written by Danny Palmer, Senior Writer

More than 45 million medical images – including X-rays, MRI and CT scans, as well as accompanying data that could identify the people in those images – are exposed online on unsecured servers and storage devices.

The exposed medical data, leaking from hospitals and medical centres around the world, was discovered by cybersecurity company CybelAngel during a six-month-long investigation into medical device security, which also found that outsiders could easily reach sensitive medical data.

Cyber criminals who gain access to sensitive medical information could exploit it by selling it on the dark web, blackmailing identifiable individuals, or even potentially using the exposed servers as means of delivering ransomware to hospital networks.

Many medical devices are vulnerable to cyberattacks or exposing data because the technology is often outdated, and healthcare IT and security budgets are stretched.

The researchers uncovered more than 45 million unique cases of Digital Imaging and Communications in Medicine (DICOM) files being accessible without hacking tools or even a password, simply left visible to the open web.

"The 45 million files are on unprotected servers. What we found was all this data was exposed for anyone," David Sygula, senior cybersecurity analyst at CybelAngel, told ZDNet.

In some cases identified by the researchers, insecure network attached storage (NAS) was what made the sensitive files reachable. Exposed FTP or SMB services and unpatched security flaws could give outsiders access to the machines and the data stored on them.

Other cases involved servers and storage being attached to other network devices to meet a functional need, such as printing files, but the way they had been set up turned them into backdoors into the network.

"Let's say you have a NAS and you need to share a printer, it creates guest access to the printer and all your security falls apart because when the printer accesses your NAS, it leaves the door open," Sygula explained.

CybelAngel identified malicious scripts, including cryptocurrency miners, on a number of the servers examined, suggesting that the researchers weren't the first to identify and access the unsecured devices.

Snooping on sensitive medical information like X-rays and scans is intrusive enough, but malicious hackers who gain access to these files may also be able to identify patients via the metadata stored in the images, which can include the physician's name, the medical centre, the body part photographed, the patient's name and their date of birth. All of this information could potentially be exploited for fraud and other malicious purposes.
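
A DICOM file carries that identifying metadata in its own header, so a provider auditing its storage can check what each image discloses before worrying about who can reach it. The following is an added example, not CybelAngel's tooling or code from the article: a minimal parser for the explicit VR little-endian DICOM encoding (an assumption; other transfer syntaxes are not handled) that reports which identifying tags are populated, run over a constructed sample file rather than any real scan.

```python
import struct

# Header tags that identify a person, as described in the article (constructed list).
PHI_TAGS = {
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0018, 0x0015): "BodyPartExamined",
}
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # VRs with a 4-byte length field

def iter_elements(data):
    """Yield (tag, vr, value) from a DICOM Part 10 byte string.
    Assumption: explicit VR little endian throughout; undefined-length elements are rejected."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file (missing DICM magic)")
    pos = 132  # skip the 128-byte preamble and the magic
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_LENGTH_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)  # 2 reserved bytes, then length
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element not supported in this example")
        yield (group, elem), vr, data[pos:pos + length]
        pos += length

def find_phi(data):
    """Return {tag_name: value} for identifying tags that are present and non-empty."""
    found = {}
    for tag, vr, value in iter_elements(data):
        name = PHI_TAGS.get(tag)
        if name and value.strip(b" \x00"):
            found[name] = value.decode("ascii", "replace").strip()
    return found

def element(group, elem, vr, value):
    """Encode one explicit VR LE element, space-padding odd-length values as DICOM requires."""
    if len(value) % 2:
        value += b" "
    return struct.pack("<HH", group, elem) + vr + struct.pack("<H", len(value)) + value

# Constructed sample file: preamble, magic, transfer syntax UID, then identifying tags (fake values).
SAMPLE = (b"\x00" * 128 + b"DICM"
          + element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1\x00")
          + element(0x0008, 0x0090, b"PN", b"DOE^JANE")
          + element(0x0010, 0x0010, b"PN", b"SAMPLE^PATIENT")
          + element(0x0010, 0x0030, b"DA", b"19700101")
          + element(0x0018, 0x0015, b"CS", b"CHEST"))

if __name__ == "__main__":
    for name, value in find_phi(SAMPLE).items():
        print(f"{name}: {value}")
```

Pointed at a directory of exported studies, the same check gives an inventory of which files still carry patient, physician and institution names and therefore need de-identification or tighter access control.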

"If these documents were also accessed by cyber criminals, they could have been sold on the dark web," Sygula explained.

The researchers identified servers around the world that are leaking data, but with hundreds of them out there it has not been possible to contact every health institution, which is why all of the statistics from this research have been released anonymously. All healthcare providers should regard this as a warning to check the security of their networks and storage.

"This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach," said Sygula.

To avoid data being exposed, it is recommended that networks are properly segmented so that critical diagnostic equipment such as X-ray machines and their supporting systems is not connected to the wider business or public-facing networks, and so cannot be reached directly from outside.
