An analysis of medical image storage systems exposed to the public web reveals that almost 600 servers in 52 countries are completely unprotected against unauthorized access.

Audited systems were unpatched against thousands of vulnerabilities, more than 500 of them having the highest severity score.

Huge, worrying numbers

Greenbone Networks, a German-based vulnerability analysis and management company, looked at about 2,300 Picture Archiving and Communication System (PACS) systems connected to the public internet and found significant issues that expose confidential information.

PACS are used in the healthcare sector to store and serve medical information retrieved from imaging devices such as X-Ray, CT, or MRI machines. They use the DICOM (Digital Imaging and Communications in Medicine) standard to transmit, store, retrieve, print, process, and display medical imaging data.

Using public device discovery engines between mid-July and early September, Greenbone Networks identified 590 PACS servers that could be reached over the internet and allowed retrieving about 24.3 million patient records.

Most records included the following personal and medical details:

  • First name and surname
  • Date of birth
  • Date of examination
  • Scope of the investigation
  • Type of imaging procedure
  • Attending physician
  • Institute/clinic
  • Number of generated images

Attackers could use this information to deploy more efficient social engineering and phishing attacks that have financial rewards as the final goal.

The researchers set up a RadiAnt DICOM Viewer to pull the data from open PACS servers around the world. Out of an estimated 733.5 million images, only 399.5 million could be downloaded and viewed.

In Europe, Italy has the highest number of affected systems, 10, and is also the country with the largest amount of leaked medical information.

The highest concentration of unprotected PACS in North America is in the U.S.

This is also the country with the largest number of exposed data sets (13.7 million), accompanying medical images (over 300 million), and exposed machines (187).

Brazil leads in South America, with 640,000 data sets, 31.1 million images, and 34 leaky servers.

In Asia, the largest number of open machines is in India, but Turkey leads as far as the number of data records (4.9 million) and their associated medical images (4.9 million) is concerned.

India has close to 100 unprotected PACS and 627,000 records with over 105 million images attached.

10,000+ vulnerabilities identified

The report reveals that audited systems suffer from more than 10,000 security issues, 20% of which are labeled with a high-severity score.

500 of them met all the conditions for the highest mark on the Common Vulnerability Scoring System (CVSS), 10 out of 10.

The researchers note that some of the vulnerabilities identified were several years old, although they did not offer additional details in the public report. A larger version, 300MB in size, is available to authorized organizations.

Apart from these problems, the audit discovered that 45 PACS provided data over an insecure protocol such as HTTP or FTP, instead of DICOM. Thus, data stored on them could be accessed without authentication.

One of these had the files of the DICOM archive available in a directory listing, allowing access to anyone via a web browser.

The risks associated with exposing this sort of data are clear. Among the most obvious are targeted attacks, extortion attempts, and even medical identity theft to obtain medical treatment, as well as health insurance fraud.

A report in April from the Department of Health and Human Services (HHS) in the U.S. estimates that the average value of a health record on the dark web is $250, but it could be as high as $1,000, so cybercriminals are definitely interested in this sort of information.