Since we published our summarized findings about the data leaks related to unsecured PACS servers across the globe, one question remained when looking at the situation and the continued access we have to the majority of the systems we found and measured more than 3 months ago. What else can we do to get as […]
https://www.greenbone.net/wp-content/uploads/01_Logo-mit-Schriftzug_500px_on_white_horiz1.jpg00Dirk Schraderhttps://www.greenbone.net/wp-content/uploads/01_Logo-mit-Schriftzug_500px_on_white_horiz1.jpgDirk Schrader2019-12-10 16:18:062019-12-17 17:09:43Responsible Disclosures sent to over 140 health care organizations in the US
60 days later, the overall status of unprotected PACS system around the globe isn’t getting better. The situation is the US seems to be an unstoppable information security and data privacy desaster.
1.19 billion images
That is the number of images associated with all the unprotected medical studies we found in our review of the global status of medical archives connected to the internet, a 60% increase (up from 737 million). There are more details in our updated report about how the global status of medical picture archives has developed since or first research 60 days ago, but that number of images related to now more than 35 million studies (plus 40%, up from 24.5 million) of patients across the globe is – simply put – frightening.
Is it ignorance or negligence?
“Check again” is one of the mantras of cybersecurity and specifically for vulnerability management. You do ‘check again’ to see how your cyber security status evolves, whether the measures and tools you’ve implemented work and actually provide the benefit you’ve wanted them to. Its this reasoning, why we decided to do a review quite soon after the first report and to do so 60 days later as mandated in the US (being largely affected by this specific data leak). But to find even more studies, with more images related to them, isn’t what we expected to see. The question about ignorance and/or negligence can only be answered this way. From our point of view, it is both in an unhealthycombination. For most of the systems we scrutinized, we had – and still have – continued access to the personal health information.
There is sort of hope as a few countries managed to get the identified systems off the public Internet. But that hope is diminished by the overall numbers of accessible studies and images and additional, and new countries added to the list.
“Good, bad, and ugly”
Speaking about hope, we do see that the total number of systems has decreased by 43. But that is only a fraction of the total number (<10%). When going into the details, there are three groups of countries within our data.
The “Good”
Countries which have (a.m. above) managed to get the systems off the public Internet. The situation has changed to ‘good’.
The “Bad”
Countries, where we still see many systems, unchanged situations or only a slight decrease in the numbers. The situation is still ‘bad’.
The “Ugly”
That group consist of a few countries, where the numbers went up and the situation hasn’t improved at all. It became ‘ugly’.
New datapoints
For the ‘ugly’ group of countries, we added new data points. One set is about the location of each archiving system, which we summarized by state or province for each country. Another set is the number of medical institutions and physicians referenced in the base data. Both data points are difficult to handle, as they are only approximating and might lead to incorrect interpretation, so we advise to take them with a bit of salt. For example, the location of a system doesn’t mean that all PII stored in it is from citizens living close to that location (that is why we don’t name cities, just states). As with our initial report, we have analyzed the data in run-time and nothing has been stored on our systems. Only the summaries, counts, and indicators for location were noted and stored.
Extra focus: USA
The United States of America is the country which is affected most by this kind of data leak, so it is only natural to put some extra focus on the situation there. Not only did the aggregated numbers rise to a disturbing level, we also found some alarming data sets stored in unprotected PACS systems located in the US.
One very large archive allows full access to PHI including all images related to the 1.2 million examinations, in addition – for about 75% of the individual names stored – it also discloses the social security numbers. The potential risk for medical identity theft for the affected individuals sums up to about $ 3.3 billion. That amount is almost two third of the overall financial risk calculated for this type of exploitation and the PACS identified.
Another archive appears to hold data from military personnel including their DoD ID, when the names of the institutions are used as an indicator. Although the number of data sets isn’t huge, the fact itself provides for means of exploitation (some of the described in the initial report).
The following graphic highlights the situation in the US, per state affected.
(click here for a hires version, usage is allowed given that the copyright is properly displayed).
The overall situation with PACS systems in the US confirms our findings about the key capabilities driving high cyber resiliency for that region which will be another Greenbone report about to be published.
Recommended actions
In the report, we also list some recommended actions for each ‘stakeholder’. The actions revolve around simple steps towards an increased likelihood to discover devices connected to the public Internet unnecessarily, plus – for individuals – how to make sure that your medical service providers, your physician really understand that they have to take the security and privacy of your data seriously.
The report
Greenbone’s updated report can be downloaded here [1].
Our white paper [2] is there for a deeper introduction into the digital resilience of critical infrastructures, which include the health sector.
As stated before, due to the sensitivity of the data, in order to comply with data protection regulations in each country, and as a way not to encourage attacks, we are only disclosing the details of the individual vulnerable systems to authorized bodies.
Outlook
The mentioned study about those capabilities which lead to high cyber resiliency will be published soon. The report covers the largest economies of the world and spreads across 6 sectors considered as critical national infrastructures, namely
Health
Finance
Transport
Energy
Water
IT&Telecommunications
More to come in our blog.
Note: We have not downloaded datasets, archives or any other available information, even though this would have been possible at any time. Instead, our report focuses on the number of records that are visible on, or could have been downloaded from, vulnerable servers.
https://www.greenbone.net/wp-content/uploads/01_Logo-mit-Schriftzug_500px_on_white_horiz1.jpg00Dirk Schraderhttps://www.greenbone.net/wp-content/uploads/01_Logo-mit-Schriftzug_500px_on_white_horiz1.jpgDirk Schrader2019-11-18 13:44:352019-11-18 13:44:35The „Good“, the „Bad“, and the “Ugly” - the amount of confidential patient data accessible on the internet is still rising
Medical systems and processes in the healthcare sector are becoming increasingly digital. Medical providers and hospitals – like all other industries – are using internet technologies to speed up and improve the quality of the patient care they provide. Our new analysis of medical image archiving systems being used across the globe shows that this can go wrong.
The starting position
X-rays and other imaging methods such as CT and MRI scans are an integral part of everyday hospital life. These images help doctors and other professionals make accurate diagnoses, work out treatment plans as well as assess how effectively these treatments are working.
Hospitals use extensive image archiving systems known as PACS (Picture Archiving and Communication Systems) servers, to store and access these images. It has been known for some time that PACS servers are vulnerable. What was unknown until today is how large and widespread this global data leak actually is.
Put simply, this data leak affects a standard that was developed in the 1980s. This standard, called DICOM (Digital Imaging and Communications in Medicine), dictates how medical imaging devices are networked in order to exchange and archive information about patients and images. PACS servers use this standard, which includes the IP protocol. This means that these systems can also be found on the internet.
Our analysis looked at the IP addresses of PACS servers to see which were vulnerable, as well as assess how much confidential patient data is readily available on the internet today.
The weaknesses
As soon as a system or device is connected to the public internet, questions arise about how to protect them from unauthorized access. One key question is ‘who is authorized to use the system and how is this access enforced?’ As PACS servers store highly confidential data pertaining to the medical records of individuals, access should be heavily restricted so that only certain personnel can view it. However, for many of the archiving systems included in this study, nothing could be further for the truth. Anyone can access a significant number of these systems and, what’s more, they can see everything that’s stored on them.
In particular, these vulnerable archives contain sensitive medical and personal information for millions of people worldwide. Names, dates of birth, dates and details of examinations, , treating physicians, clinics, and the scans themselves are searchable and, in some cases, available to download. In the US, these data sets also include some Social Security Numbers.
This data is accessible because of the careless configuration of these systems. Many have no protection, aren’t password protected or encrypted; indeed, even regular, everyday internet users could gain access with a few simple actions.
Greenbone did not have to write any special code to see what patient data was accessible, nor did any software vulnerability have to be exploited, or a zero-day attack carried out. As such, you don’t need to be a hacker to gain access to this highly sensitive data, it’s all visible with the help of freely available tools. To view and – if desired – download this data, you only need a list of IPs and a corresponding viewer. Both are available for download on the net.
The extent of the problem
The number of accessible patient records is frightening. Altogether, we unearthed more than 24 million records which, combined linked to more than 700 million images. Of these scans, 400 million were actually downloadable. These unprotected systems are located in 52 countries around the world. In addition to the general “openness” of the systems, they also have thousands of “real” vulnerabilities, i.e. outdated web server versions and vulnerable database instances. In some cases, the PACS servers even allow patient data and images to be viewed via http and a web browser.
The report
Greenbone has written a complete report which can be downloaded here [2]. The report contains further summaries of the overall situation, an analysis of the hazard potential associated with this data leak, and an estimate of the potential price of this dataset on the Darknet. The white paper [3] is suitable for a deeper introduction into the digital resilience of critical infrastructures, which include the health sector.
Due to the sensitivity of the data, in order to comply with data protection regulations in each country, and as a way not to encourage attacks, we are only disclosing the details of the individual vulnerable systems to authorized bodies.
Note: We have not downloaded datasets, archives or any other available information, even though this would have been possible at any time. Instead, our report focuses on the number of records that are visible on, or could have been downloaded from, vulnerable servers.
https://www.greenbone.net/wp-content/uploads/01_Logo-mit-Schriftzug_500px_on_white_horiz1.jpg00Dirk Schraderhttps://www.greenbone.net/wp-content/uploads/01_Logo-mit-Schriftzug_500px_on_white_horiz1.jpgDirk Schrader2019-09-16 18:15:562019-09-18 16:50:47Confidential patient data accessible on the internet - a massive global data leak waiting to happen
This portal uses cookies to optimise the browser function. Find out how we use cookies and how you can change your settings.Accept CookiesReject CookiesMore Info
Responsible Disclosures sent to over 140 health care organizations in the US
BlogSince we published our summarized findings about the data leaks related to unsecured PACS servers across the globe, one question remained when looking at the situation and the continued access we have to the majority of the systems we found and measured more than 3 months ago. What else can we do to get as […]
The „Good“, the „Bad“, and the “Ugly” – the amount of confidential patient data accessible on the internet is still rising
Blog60 days later, the overall status of unprotected PACS system around the globe isn’t getting better. The situation is the US seems to be an unstoppable information security and data privacy desaster.
1.19 billion images
That is the number of images associated with all the unprotected medical studies we found in our review of the global status of medical archives connected to the internet, a 60% increase (up from 737 million). There are more details in our updated report about how the global status of medical picture archives has developed since or first research 60 days ago, but that number of images related to now more than 35 million studies (plus 40%, up from 24.5 million) of patients across the globe is – simply put – frightening.
Is it ignorance or negligence?
“Check again” is one of the mantras of cybersecurity and specifically for vulnerability management. You do ‘check again’ to see how your cyber security status evolves, whether the measures and tools you’ve implemented work and actually provide the benefit you’ve wanted them to. Its this reasoning, why we decided to do a review quite soon after the first report and to do so 60 days later as mandated in the US (being largely affected by this specific data leak). But to find even more studies, with more images related to them, isn’t what we expected to see. The question about ignorance and/or negligence can only be answered this way. From our point of view, it is both in an unhealthy combination. For most of the systems we scrutinized, we had – and still have – continued access to the personal health information.
There is sort of hope as a few countries managed to get the identified systems off the public Internet. But that hope is diminished by the overall numbers of accessible studies and images and additional, and new countries added to the list.
“Good, bad, and ugly”
Speaking about hope, we do see that the total number of systems has decreased by 43. But that is only a fraction of the total number (<10%). When going into the details, there are three groups of countries within our data.
Countries which have (a.m. above) managed to get the systems off the public Internet. The situation has changed to ‘good’.
Countries, where we still see many systems, unchanged situations or only a slight decrease in the numbers. The situation is still ‘bad’.
That group consist of a few countries, where the numbers went up and the situation hasn’t improved at all. It became ‘ugly’.
New datapoints
For the ‘ugly’ group of countries, we added new data points. One set is about the location of each archiving system, which we summarized by state or province for each country. Another set is the number of medical institutions and physicians referenced in the base data. Both data points are difficult to handle, as they are only approximating and might lead to incorrect interpretation, so we advise to take them with a bit of salt. For example, the location of a system doesn’t mean that all PII stored in it is from citizens living close to that location (that is why we don’t name cities, just states). As with our initial report, we have analyzed the data in run-time and nothing has been stored on our systems. Only the summaries, counts, and indicators for location were noted and stored.
Extra focus: USA
The United States of America is the country which is affected most by this kind of data leak, so it is only natural to put some extra focus on the situation there. Not only did the aggregated numbers rise to a disturbing level, we also found some alarming data sets stored in unprotected PACS systems located in the US.
One very large archive allows full access to PHI including all images related to the 1.2 million examinations, in addition – for about 75% of the individual names stored – it also discloses the social security numbers. The potential risk for medical identity theft for the affected individuals sums up to about $ 3.3 billion. That amount is almost two third of the overall financial risk calculated for this type of exploitation and the PACS identified.
Another archive appears to hold data from military personnel including their DoD ID, when the names of the institutions are used as an indicator. Although the number of data sets isn’t huge, the fact itself provides for means of exploitation (some of the described in the initial report).
The following graphic highlights the situation in the US, per state affected.
(click here for a hires version, usage is allowed given that the copyright is properly displayed).
The overall situation with PACS systems in the US confirms our findings about the key capabilities driving high cyber resiliency for that region which will be another Greenbone report about to be published.
Recommended actions
In the report, we also list some recommended actions for each ‘stakeholder’. The actions revolve around simple steps towards an increased likelihood to discover devices connected to the public Internet unnecessarily, plus – for individuals – how to make sure that your medical service providers, your physician really understand that they have to take the security and privacy of your data seriously.
The report
Greenbone’s updated report can be downloaded here [1].
Our white paper [2] is there for a deeper introduction into the digital resilience of critical infrastructures, which include the health sector.
As stated before, due to the sensitivity of the data, in order to comply with data protection regulations in each country, and as a way not to encourage attacks, we are only disclosing the details of the individual vulnerable systems to authorized bodies.
Outlook
The mentioned study about those capabilities which lead to high cyber resiliency will be published soon. The report covers the largest economies of the world and spreads across 6 sectors considered as critical national infrastructures, namely
More to come in our blog.
Note:
We have not downloaded datasets, archives or any other available information, even though this would have been possible at any time. Instead, our report focuses on the number of records that are visible on, or could have been downloaded from, vulnerable servers.
[1] Greenbone Security Report – Unprotected Patient Data, a review
[2] Greenbone Whitepaper – Health Sector
Confidential patient data accessible on the internet – a massive global data leak waiting to happen
BlogMedical systems and processes in the healthcare sector are becoming increasingly digital. Medical providers and hospitals – like all other industries – are using internet technologies to speed up and improve the quality of the patient care they provide. Our new analysis of medical image archiving systems being used across the globe shows that this can go wrong.
The starting position
X-rays and other imaging methods such as CT and MRI scans are an integral part of everyday hospital life. These images help doctors and other professionals make accurate diagnoses, work out treatment plans as well as assess how effectively these treatments are working.
Hospitals use extensive image archiving systems known as PACS (Picture Archiving and Communication Systems) servers, to store and access these images. It has been known for some time that PACS servers are vulnerable. What was unknown until today is how large and widespread this global data leak actually is.
Put simply, this data leak affects a standard that was developed in the 1980s. This standard, called DICOM (Digital Imaging and Communications in Medicine), dictates how medical imaging devices are networked in order to exchange and archive information about patients and images. PACS servers use this standard, which includes the IP protocol. This means that these systems can also be found on the internet.
Our analysis looked at the IP addresses of PACS servers to see which were vulnerable, as well as assess how much confidential patient data is readily available on the internet today.
The weaknesses
As soon as a system or device is connected to the public internet, questions arise about how to protect them from unauthorized access. One key question is ‘who is authorized to use the system and how is this access enforced?’ As PACS servers store highly confidential data pertaining to the medical records of individuals, access should be heavily restricted so that only certain personnel can view it. However, for many of the archiving systems included in this study, nothing could be further for the truth. Anyone can access a significant number of these systems and, what’s more, they can see everything that’s stored on them.
In particular, these vulnerable archives contain sensitive medical and personal information for millions of people worldwide. Names, dates of birth, dates and details of examinations, , treating physicians, clinics, and the scans themselves are searchable and, in some cases, available to download. In the US, these data sets also include some Social Security Numbers.
This data is accessible because of the careless configuration of these systems. Many have no protection, aren’t password protected or encrypted; indeed, even regular, everyday internet users could gain access with a few simple actions.
Greenbone did not have to write any special code to see what patient data was accessible, nor did any software vulnerability have to be exploited, or a zero-day attack carried out. As such, you don’t need to be a hacker to gain access to this highly sensitive data, it’s all visible with the help of freely available tools. To view and – if desired – download this data, you only need a list of IPs and a corresponding viewer. Both are available for download on the net.
The extent of the problem
The number of accessible patient records is frightening. Altogether, we unearthed more than 24 million records which, combined linked to more than 700 million images. Of these scans, 400 million were actually downloadable. These unprotected systems are located in 52 countries around the world. In addition to the general “openness” of the systems, they also have thousands of “real” vulnerabilities, i.e. outdated web server versions and vulnerable database instances. In some cases, the PACS servers even allow patient data and images to be viewed via http and a web browser.
The report
Greenbone has written a complete report which can be downloaded here [2]. The report contains further summaries of the overall situation, an analysis of the hazard potential associated with this data leak, and an estimate of the potential price of this dataset on the Darknet. The white paper [3] is suitable for a deeper introduction into the digital resilience of critical infrastructures, which include the health sector.
Due to the sensitivity of the data, in order to comply with data protection regulations in each country, and as a way not to encourage attacks, we are only disclosing the details of the individual vulnerable systems to authorized bodies.
Note:
We have not downloaded datasets, archives or any other available information, even though this would have been possible at any time. Instead, our report focuses on the number of records that are visible on, or could have been downloaded from, vulnerable servers.
[1] McAfee.com and CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning
[2] Greenbone Security Report – Confidential patient data freely accessible on the internet
[3] Greenbone Whitepaper – Health Sector