Medical systems and processes in the healthcare sector are becoming increasingly digital. Medical providers and hospitals – like all other industries – are using internet technologies to speed up and improve the quality of the patient care they provide. Our new analysis of medical image archiving systems being used across the globe shows that this can go wrong.
The starting position
X-rays and other imaging methods such as CT and MRI scans are an integral part of everyday hospital life. These images help doctors and other professionals make accurate diagnoses, work out treatment plans as well as assess how effectively these treatments are working.
Hospitals use extensive image archiving systems known as PACS (Picture Archiving and Communication Systems) servers, to store and access these images. It has been known for some time that PACS servers are vulnerable. What was unknown until today is how large and widespread this global data leak actually is.
Put simply, this data leak affects a standard that was developed in the 1980s. This standard, called DICOM (Digital Imaging and Communications in Medicine), dictates how medical imaging devices are networked in order to exchange and archive information about patients and images. PACS servers use this standard, which includes the IP protocol. This means that these systems can also be found on the internet.
Our analysis looked at the IP addresses of PACS servers to see which were vulnerable, as well as assess how much confidential patient data is readily available on the internet today.
As soon as a system or device is connected to the public internet, questions arise about how to protect them from unauthorized access. One key question is ‘who is authorized to use the system and how is this access enforced?’ As PACS servers store highly confidential data pertaining to the medical records of individuals, access should be heavily restricted so that only certain personnel can view it. However, for many of the archiving systems included in this study, nothing could be further for the truth. Anyone can access a significant number of these systems and, what’s more, they can see everything that’s stored on them.
In particular, these vulnerable archives contain sensitive medical and personal information for millions of people worldwide. Names, dates of birth, dates and details of examinations, , treating physicians, clinics, and the scans themselves are searchable and, in some cases, available to download. In the US, these data sets also include some Social Security Numbers.
This data is accessible because of the careless configuration of these systems. Many have no protection, aren’t password protected or encrypted; indeed, even regular, everyday internet users could gain access with a few simple actions.
Greenbone did not have to write any special code to see what patient data was accessible, nor did any software vulnerability have to be exploited, or a zero-day attack carried out. As such, you don’t need to be a hacker to gain access to this highly sensitive data, it’s all visible with the help of freely available tools. To view and – if desired – download this data, you only need a list of IPs and a corresponding viewer. Both are available for download on the net.
The extent of the problem
The number of accessible patient records is frightening. Altogether, we unearthed more than 24 million records which, combined linked to more than 700 million images. Of these scans, 400 million were actually downloadable. These unprotected systems are located in 52 countries around the world. In addition to the general “openness” of the systems, they also have thousands of “real” vulnerabilities, i.e. outdated web server versions and vulnerable database instances. In some cases, the PACS servers even allow patient data and images to be viewed via http and a web browser.
Greenbone has written a complete report which can be downloaded here . The report contains further summaries of the overall situation, an analysis of the hazard potential associated with this data leak, and an estimate of the potential price of this dataset on the Darknet. The white paper  is suitable for a deeper introduction into the digital resilience of critical infrastructures, which include the health sector.
Due to the sensitivity of the data, in order to comply with data protection regulations in each country, and as a way not to encourage attacks, we are only disclosing the details of the individual vulnerable systems to authorized bodies.
Note: We have not downloaded datasets, archives or any other available information, even though this would have been possible at any time. Instead, our report focuses on the number of records that are visible on, or could have been downloaded from, vulnerable servers.
https://www.greenbone.net/wp-content/uploads/01_Logo-mit-Schriftzug_500px_on_white_horiz1.jpg00Dirk Schraderhttps://www.greenbone.net/wp-content/uploads/01_Logo-mit-Schriftzug_500px_on_white_horiz1.jpgDirk Schrader2019-09-16 18:15:562019-09-18 16:50:47Confidential patient data accessible on the internet - a massive global data leak waiting to happen
Are cyber weapons worth it? A look at the economics of hacking back
On 12 May 2017, WannaCry was released into the wild and an epic story began to unfold.
Spawned from a cyber weapon that had been lost by a government agency, WannaCry was a major wake up call for industries around the globe, reminding them in the very loudest way possible that their dependency on tech carries existential risks to their operations.
Yet despite the fallout of WannaCry, governments still contemplate the idea of collecting, storing and using cyber weapons for so-called ‘hack backs’, where they counter-attack an adversary to destroy, disable or snoop on their servers and data.
This grey market for vulnerabilities and cyber weapons is already a highly lucrative one. To provide some context, potent vulnerabilities and their related exploits already reach (and can even exceed) sums of $1m if they target Windows desktops and servers. The figure can doublefor exploits affecting mobile devices (notably, Apple).
If governments follow through with their plans to ‘hack back’, we can expect this market to become even more profitable in the future.
The story of EternalBlue
Eternal Blue, was name given to a Microsoft vulnerability ‘discovered’ by the National Security Agency at some point in 2011 or 2012. The NSA didn’t share its knowledge of the vulnerability with Microsoft, at least not until it was forced to.
By mid-2016, information about the vulnerability and how it can be exploited had somehow been lost by the NSA, and leaked to a hacking group called Shadow Brokers. Shadow Brokers tried (unsuccessfully) to sell this information in August 2016, deciding to publish the files around the turn of the year.
With the cat out of the bag, the NSA’s hand was forced. It had little choice but to come clean about the vulnerability. It informed Microsoft about EternalBlue in March 2017 and, mid-way through the same month, Microsoft released a series of patches to plug the exploit.
Fast forward to almost two months later; WannaCry was wreaking havoc on many organisations all across the globe, exploiting this very same vulnerability. News channels, TV and radio stations, online media, all covered the immediate impact and fallout. Some were even impacted themselves.
It’s been reported that WannaCry and other malware variants exploiting EternalBlue – NotPetya being perhaps the next most famous – caused $9bn worth of damage in just one year. The world’s largest shipping company, Maersk, was hit to the tune of $300m, while costs to the UK National Health Services (NHS) exceeded $100m.
There were many other victims too. Airplane maker, Boeing, was hit in March 2018, while chip manufacturer TSMC fell victim in August 2018. Indeed, TSMC estimated it suffered $170m worth of damage; a figure that can be added to the $9bn total price tag mentioned earlier.
The story of EternalBlue isn’t over yet. Research indicates that millions of computers connected to the internet are still vulnerable.
The economics of the cyber weapons market
There’s no doubt that spending time and money on finding vulnerabilities is financially rewarding. Take the CryptoWall virus – in all its various guises – as an example. CryptoWall v3 alone has generated ‘revenues’ of more than $325m.
The business model and margins in the retail and wholesale of cyber weapons, not to mention the revenue opportunities from offering ‘Cybercrime-as-a-Service’, don’t just make economic sense; they are relatively risk free. Different countries’ cyber legislation is so diverse that a cybercriminal can operate from a safe harbour without fear of prosecution or extradition.
As already stated, vulnerabilities that fulfill certain criteria are particularly sought after and large sums are paid for them. The easier it is to use and the more systems and devices it will affect, the better. In turn, the higher the price it will command.
Selling a high-profile vulnerability to a single user seems to be the least profitable way of running this ‘business’. Instead, the seller will more likely try to sell a vulnerability more than once. On the flipside, any buyer – regardless of their motivation for making the purchase – will want exclusive use of the vulnerability. Requests for exclusivity will increase the price tag placed on any vulnerability. There are no documented cases for this, but an educated guess would suggest the price would go up by a factor of ten, or even more.
If a vulnerability is sold to multiple customers or governments (it doesn’t matter whether they are allies as this can quickly change in politics), the likelihood of losing the vulnerability due to leaks or because it is discovered in the wild is large. That will put deflationary pressure on the price tag and the seller has to maintain a balance between how often a vulnerability is sold and the money requested for it from each buyer.
A game-changing approach is to build up a service model around vulnerabilities. Instead of selling the vulnerability, the cybercriminal licenses its use, simply by providing a platform for ransomware or botnets. This shared use of a vulnerability by many, with all buyers paying a ‘fair’ share (up to 50%) of their own returns to the platform provider, is the modern way of running a cybercrime business. The actors behind this can afford to pay the developers maintaining the platform (even adopting an ‘Amazon’-style approach with recommendations written by happy users) and can also pay for hackers to search for new vulnerabilities, thereby increasing the platform’s coverage and usability.
There are many examples of these ‘as-a-service’ platforms, called CERBER, SATAN, or DOT. It is difficult to gauge their success. But the figures discussed around CryptoWall give some indication of the amount of money that is on the table.
State-sanctioned, state-sponsored, or state-owned
The relationship between these actors and nation states must be put under the microscope.
It makes no difference whether these actors are owned and directed by a government, whether they are funded by a government but act outside the legal controls of an agency setup, or whether they are state-sanctioned. Whatever the nature of the relationship, they have some sort of motivation to support a certain government’s political goals.
Every state-driven actor must maintain its own list of cyber weapons to use as and when needed. There is an intrinsic danger to this, as EternalBlue depicts. Even if that actor is able to maintain the secrecy of such an exploit (and history suggests secrets tend to surface), there will always be other state actors doing exactly the same thing, looking for the same high-profile vulnerabilities to use.
Governments must question whether the likely costs of their societies being impacted by a vulnerability, which once was or still is a national secret, outweigh the benefits of keeping it. There are many government committees around the world discussing the pros and cons of hacking back and keeping vulnerabilities undisclosed. Those in favour cite ‘interests of national security,’ yet what happens if an undisclosed vulnerability – that was previous known to the state – turns against its own critical infrastructure? This is exactly what happened with EternalBlue and WannaCry, but perhaps those lessons have still to be learnt.
Is it worth keeping cyber weapons? A look at the maths
Estimating the global damage of cybercrime each year is not easy, but figures exist. One figure cited is in the range of $6tn, a figure with 12 zeros. Given that cybercrime hits corporate revenues and profits, it follows that this will have a knock-on effect on the amount of corporation tax governments can collect – currently $1.3tn globally.
The maths can be simplified like this:
$6tn in damage multiplied by an average corporate income tax rate of 22 percent, equals $1.32tn in taxes not realized due to reduced income related to damages or costs incurred.
Companies from the IT and telecommunications sector, which are operating critical infrastructures, are top targets for hackers. They therefore need to be as secure as possible. This is where sustainable cyber resilience comes in.
Sustainable cyber resilience is a vital defence against cyberattacks. But what exactly does that mean?
It’s become clear that companies can no longer afford to take reactive measures to protect themselves from hackers. They must minimise their attack surface from the outset and, at the same time, ensure that their systems remain operational even in the event of a cyberattack. The sustainable cyber resilience concept goes one step further than IT security and includes both technological and strategic measures. On the technical side, it is necessary to identify and assess risks and close weak points. On the strategic side, business and IT departments must work closely together to make the resilience processes a top priority.
Here are Greenbone Networks’ top five reasons why sustainable cyber resilience is essential for telecoms providers today:
1. Cyberattacks on telecoms companies are on the rise
Ponemon Institute estimates that nine out of ten critical infrastructures have suffered an attack over the past two years. The telecoms sector is particularly at risk, with attacks coming from all sides, including government agencies establishing covert surveillance and cyber criminals in search of highly valuable personal customer data. Indeed, especially with the introduction of 5G and suspicions (rightly or wrongly) surrounding the use of Huawei equipment, UK telecoms providers have been urged to strengthen their cyber security defences by the NCSC to fend off the growing number of attacks.
2. Telecommunications connect all critical infrastructure sectors
If the telecoms infrastructure fails, other critical sectors will also be affected. Many control systems in energy and water utilities can’t function if they can’t transmit or exchange data. The financial system would come to a standstill; so too would the healthcare system. A telecoms sector that is resistant to cyberattacks is absolutely vital to every walk of society.
3. The target area of telecoms infrastructures is becoming larger
As a result of digitisation, more and more telecoms services have shifted to IP networks. The classic fixed network has become obsolete. Telephony, internet, TV and video streaming are now all IP-based. As a result, communication networks and server systems are becoming increasingly unified. But this also means that hackers can cause massive damage by attacking the IP network. Furthermore, mobile is becoming increasingly important. Many IoT devices use mobile networks and, as a result, cybercriminals have more and more points of attack. The new 5G mobile communications standard will bring even more technical complexity and, with it, the need for new IT security requirements.
4. Nested responsibilities make security more difficult
Many different companies and subcontractors are often involved in telecoms infrastructures. Some of them are located in different countries. Whilst this makes it difficult to provide security it also means that it is all the more important to establish a uniform, consistent level of protection with a resilience concept.
5. The EU NIS Directive makes resilience building blocks mandatory
Since May 2018, critical infrastructure companies in the telecoms sector have been obliged to provide evidence of suitable technical and organisational measures to protect against cybercrime. This is prescribed by the EU NIS Directive. ISO 27001 certification provides a good blueprint for resilience. Among other items, it mandates vulnerability management, an important cornerstone of sustainable cyber resilience.
Minimising risks with sustainable resilience
It’s not for nothing that attacks on telecoms infrastructures are so popular with hackers. Here they find a growing, complex attack surface on which they can cause great damage. ICT companies should therefore do everything they can to make their systems sustainably resilient. For a comprehensive concept of Sustainable Cyber Resilience, ICT companies must take the appropriate technical and organisational measures.