During the past year, we’ve made considerable progress at Greenbone. We have added virtual machines to our solutions portfolio and have entered into new distribution partnerships to help us target the North American market, amongst others. We have grown our team significantly and continue to recruit. Currently, we are preparing to launch our first cloud-based managed service platform giving companies the choice over whether to deploy our technology as a service, by virtual appliance or by physical appliance, depending on their needs and requirements. Our goal is to always stay one step ahead of attackers and make businesses of all sizes more resilient to cyber attacks through effective resilience and vulnerability management (RVM).

Sophisticated cyber attacks are commonplace, and it’s inevitable that organizations will be targeted by hackers. This means companies need to find a way to remain operational even in the event that they are attacked. Business disruption from cyber attacks is among the greatest risks facing companies today.

Effective RVM plays a crucial role in an organization’s business continuity planning. To make companies more resilient, our technology enables them to identify, classify and eradicate threats to their infrastructures. We continuously scan the entire enterprise network for weak points and possible attack vectors. At the same time, we help organizations identify and visualize the various risks to their operations, allowing them to prioritize those that threaten their critical business processes and associated assets. Leveraging a high degree of automation and scanning as widely and deeply as possible, we help our customers establish a state of sustainable resilience.

Our customers recognize the benefits of RVM. However, opinions do differ on how the technology is integrated into their own IT environments. And rightly so; after all, every company has its own competencies, preferences and compliance requirements. Our new cloud-based services, together with our more established physical and virtual appliances, will ensure our customers have a wider choice over how to deploy and manage their RVM solution.

We also continue to take our responsibility seriously and provide our technology as a transparent, open solution. Critical infrastructures, in particular, remain an important focus of our security research. Last year, our research into vulnerable imaging servers used by healthcare providers all over the world helped open the sector’s eyes to a considerable yet largely unknown privacy and security risk. Following this research, we helped hundreds of healthcare facilities bolster their defenses and protected the data of millions of patients. We intend to carry on along this path, making the digital world more secure for everyone.

Enormous demand for Vulnerability Management-as-a-Service and as a virtual appliance

We have been beta testing our new Greenbone Managed Service Platform for many weeks. From April, we will be able to offer our proven vulnerability management solution as a cloud service, which customers can use for a monthly fee. Smaller businesses, such as local medical practices, will be able to protect their networks quickly and easily, without in-house expertise. For global corporations, managed services are an interesting option, as they make it easy to equip new locations with effective vulnerability management without great expense. We have recruited an entire team of experts to develop and manage these cloud-based services for our customers. They are configuring these services with great care and diligence and will, of course, pay particular attention to secure data exchange.

Our mid-range Greenbone Security Manager virtual appliances have been available since mid-2019 and have helped us increase revenues from our virtual solutions by almost ten times between 2018 and 2019. Although the greatest control over security data is still offered by physical appliances, confidence in virtualization solutions has grown significantly as they have advanced. As our CEO, Jan-Oliver Wagner, says: “This cross-architecture flexibility helps our customers meet their own requirements for a Resilience & Vulnerability Management solution in a targeted and efficient way.”

New distributors support international growth

Growing customer demand has validated our decision to offer a wider range of virtual appliances. To help meet this demand, we entered into a strategic partnership with the value-added distributor (VAD) ADN in 2019. This complements our long-standing cooperation with Exclusive Networks, a distributor specializing in physical systems. In the DACH region, we now have strong distribution partners for both our physical and virtual systems.

We are also expanding more and more into the English-speaking world. For example, we recently signed a deal with InfoSec Industries, based in Florida, which gives us increased access to the North American market in particular, but also support in Central and South America.

New colleagues and a bigger HQ

To meet higher demand, we’ve also increased our headcount. Indeed, in 2019, we welcomed 21 new colleagues to the Greenbone team. This additional expertise has helped us to develop the professional service we offer. With the appointment of Elmar Geese as Chief Operating Officer (COO), we have gained a capable leader with a strong entrepreneurial background who will help us evolve our strategy, process optimization and operational controls.

In order to accommodate our rapidly growing team, we have once again significantly expanded our Osnabrück headquarters.

Conclusion: Focus on customer cyber security and more customers

Cyber attacks can have extremely serious consequences. Our mission is to provide companies of all sizes – from local medical practices to international corporations – with effective vulnerability management that is straightforward to deploy and manage. The considerable international demand for our virtual machines and the already substantial interest in our new managed service platform shows that we are on the right track. We will continue to do everything in our power to stay one step ahead of future attacks.

Osnabrück, March 13, 2020 – Vulnerability management specialist, Greenbone Networks, today announced it has appointed Elmar Geese to the newly created role of Chief Operating Officer (COO). Geese, who joins the company’s senior management team, will play a key role in Greenbone’s future growth, overseeing the company’s expanding operations.

Geese will take responsibility for Greenbone’s overall corporate strategy as well as process optimisation within the company. He will also focus on adding value to Greenbone’s range of products by, for example, making its vulnerability management solution available as a managed service, so it is more accessible to companies that do not have the in-house capabilities or resources to deploy and manage their own hardware.

“With its solutions for intelligent vulnerability management, Greenbone has the potential to develop from a European market leader to a global player,” said Geese. “The security of information systems is fundamental for companies and our modern society, demonstrated by the many security incidents we now witness every day. Greenbone plays a decisive role in making our world safer and I look forward to taking a major part in this.”

Geese has over three decades of experience within the IT sector, working as founder, manager and consultant. Most recently, he was CIO at the Berlin health start-up machtfit, where he was responsible for the company’s SaaS platform for occupational health management. As head of product development and operations, he also contributed to the long-term acquisition of customers such as Bayer AG, Deutsche Bahn, Lufthansa, Edeka and Lanxess.

“We are thrilled to welcome Elmar onto the Greenbone team,” said Jan-Oliver Wagner, Greenbone founder and CEO. “As we continue to grow, it’s essential that we have someone to support us at management level with a capable head for business and a strong entrepreneurial background. Elmar offers just that, and we are very much looking forward to working with him and are confident that with him on board, we will easily master the tasks that accompany rapid company growth.”

It’s four months since Bayerischer Rundfunk and ProPublica ran reports on our research, which revealed that vast numbers of Picture Archiving & Communication Systems (PACS) – which are widely used by health providers to share and store medical scans – were leaking confidential patient data.

X-ray from the 19th century, source: WikiCommons

Over the last few days we sent faxes (we hadn’t used a fax in years) to more than 40 institutions, which should help to secure about 10 million studies and 460 million images from unprotected access.

We think that now’s the time for a new instalment and, while this blog post isn’t a new report, it does shine a spotlight on a few barely mentioned aspects of the data leak. It also highlights some extra noteworthy things that have happened since September 17th 2019.

A bit of history

It was spring 2019 when we found the first example of a PACS system leaking data. We weren’t searching for one specifically; we were actually conducting some different research at the time. However, because we discovered it, our first step was to alert the affected organization about the problem (they acted quickly and removed the system). We didn’t think much more about it at the time, other than writing the words “PACS server” on a Post-It and pinning it on our notice board.

In August 2019, we decided to revisit the topic, and initial work began by establishing a base data set of connected and accessible (aka unprotected) PACS systems. We soon realized the immense scale of the issue, and it became obvious that we would need the help of authorities and media outlets around the globe to draw much-needed attention to the problem. Simply put, it wouldn’t have been possible to get so many systems off the public Internet without their help. (This process still remains very much a ‘work in progress’, as January’s story on TechCrunch highlights.)

I’m thankful for the work done by so many around the globe; from authorities in Germany, the United Kingdom, France, Switzerland, the United States, Malaysia, and many other countries. This extends to all the news outlets that highlighted the need to check and change PACS systems, as well as to the hospitals and clinics who took their responsibilities seriously, and asked for specific advice. We have also spoken with quite a few information security professionals, and they all deserve kudos too. THANK YOU!

Some untold chapters

While on the topic of history, one particularly interesting aspect of our research was the sheer volume of historic medical data that was freely available on the Internet, and how this could be used to generate medical profiles.

For example, we selected a few systems, each allowing access to data that goes way back in time. Even the youngest archive in the sample held data dating back to December 11th 2007.

The following graph and timeline visualize what we found on those selected systems.

(A high-resolution version is available; reuse is allowed provided the copyright is properly displayed.)

By ‘history-building’ in this way we could see:

  • a person who had their first examination back in March 1987 and has since had 55 other radiology examinations, most recently in December 2019
  • another person who had more than 130 radiology examinations over a span of 22 years
  • the oldest data set, which dated back to January 3rd 1980: an examination that took place in the evening

We also uncovered some further aspects that, although they don’t necessarily place patients at risk of medical identity fraud, are still important from a data privacy perspective, for example:

  • one PACS system contained the usual data (the patient’s full name, DoB and examination details); however, the data originated from a range of prisons and correction centers, dating back to 2007. It would be easy to work out whether someone had served prison time, which would be a clear breach of their privacy
  • some archives contained so much historical data that it was possible to establish full family trees. One system, belonging to a local medical center, contained over 400 entries for the same family name over a span of 19 years. This type of information is ripe for social engineering.

It’s not just past data that’s at risk; it’s future information too. One system we found offered a very easy way to view future appointments, with each patient’s full name and DoB on display. And because this PACS server was used by a regional health provider, it could be relatively easy to find out the patient’s address, phone number, workplace and any other details, thanks to the amount of information that’s readily available on Facebook, Instagram, etc.


Some extra plot twists

As we are talking about the future, which includes the bright new world of Artificial Intelligence, it’s noteworthy that we were even contacted by vendors of medical AI solutions asking us for access to the data, presumably so they could use it to improve their algorithms. We obviously said no, not just because of EU privacy laws, but also to protect patient security and on ethical grounds. It might be better to leave that piece of the story as it is.

When we first published our research, a typical reaction from medical interest groups was: “No, no, that can’t be. Systems used by veterinarians maybe, or education/university systems. But our hospitals and doctors take good care of privacy.” We did indeed find 72 vulnerable PACS systems being used by vets, but we didn’t use them for our research. While there is a chance that these servers hold a good amount of personal data (e.g. billing information), the health of animals is a different story from the health of people. Diligence was also needed to distinguish between the abbreviations VET and PET, as the former can relate to both veterinarians and veterans, while the latter can be a technical term for a scan: PET-CT.

It will come as no surprise that we were also contacted by lawyers seeking class-action lawsuits. We did not, and will never, share details of our methodology or any detailed findings; that’s not our business.

While speaking about legal aspects: when we sent out the 140+ individual responsible disclosures to the affected health providers, we prepared ourselves to receive a bunch of ‘cease and desist’ letters. But we haven’t received any. Those organizations who received the disclosure and contacted us for more information all (re)acted with the intent to remedy the problem and not to ‘shoot the messenger’. I’d like to thank Troy Hunt again for his work on how to handle responsible disclosures; it helped us a lot.

Randomly, we even received a message over Twitter, asking whether we found images of bone spurs. No, we didn’t, but then again, we didn’t search for any.

What’s next

We will keep an eye on the issue of unprotected PACS systems around the globe and will certainly help data protection and law enforcement authorities worldwide with their ongoing work to get the identified systems offline. There are still more than 400 unprotected PACS systems out there, holding more than 27 million studies and affecting an estimated 9 million people.

For us, this exercise was an important example of how information security and data privacy aren’t always about highly sophisticated APTs, devious social engineering tricks, and black hats doing some code magic. It’s about being diligent with the basics. And basic is exactly how we kept it: no coding, no automation, no scripting. Anyone would have been able to do it.

We intend to keep this approach in mind as we conduct future research into the resilience of other critical national infrastructures.