Medical systems and processes in the healthcare sector are becoming increasingly digital. Medical providers and hospitals – like all other industries – are using internet technologies to speed up and improve the quality of the patient care they provide. Our new analysis of medical image archiving systems being used across the globe shows that this can go wrong.
The starting position
X-rays and other imaging methods such as CT and MRI scans are an integral part of everyday hospital life. These images help doctors and other professionals make accurate diagnoses, work out treatment plans as well as assess how effectively these treatments are working.
Hospitals use extensive image archiving systems known as PACS (Picture Archiving and Communication Systems) servers, to store and access these images. It has been known for some time that PACS servers are vulnerable. What was unknown until today is how large and widespread this global data leak actually is.
Put simply, this data leak affects a standard that was developed in the 1980s. This standard, called DICOM (Digital Imaging and Communications in Medicine), dictates how medical imaging devices are networked in order to exchange and archive information about patients and images. PACS servers use this standard, which includes the IP protocol. This means that these systems can also be found on the internet.
Our analysis looked at the IP addresses of PACS servers to see which were vulnerable, as well as assess how much confidential patient data is readily available on the internet today.
As soon as a system or device is connected to the public internet, questions arise about how to protect them from unauthorized access. One key question is ‘who is authorized to use the system and how is this access enforced?’ As PACS servers store highly confidential data pertaining to the medical records of individuals, access should be heavily restricted so that only certain personnel can view it. However, for many of the archiving systems included in this study, nothing could be further for the truth. Anyone can access a significant number of these systems and, what’s more, they can see everything that’s stored on them.
In particular, these vulnerable archives contain sensitive medical and personal information for millions of people worldwide. Names, dates of birth, dates and details of examinations, , treating physicians, clinics, and the scans themselves are searchable and, in some cases, available to download. In the US, these data sets also include some Social Security Numbers.
This data is accessible because of the careless configuration of these systems. Many have no protection, aren’t password protected or encrypted; indeed, even regular, everyday internet users could gain access with a few simple actions.
Greenbone did not have to write any special code to see what patient data was accessible, nor did any software vulnerability have to be exploited, or a zero-day attack carried out. As such, you don’t need to be a hacker to gain access to this highly sensitive data, it’s all visible with the help of freely available tools. To view and – if desired – download this data, you only need a list of IPs and a corresponding viewer. Both are available for download on the net.
The extent of the problem
The number of accessible patient records is frightening. Altogether, we unearthed more than 24 million records which, combined linked to more than 700 million images. Of these scans, 400 million were actually downloadable. These unprotected systems are located in 52 countries around the world. In addition to the general “openness” of the systems, they also have thousands of “real” vulnerabilities, i.e. outdated web server versions and vulnerable database instances. In some cases, the PACS servers even allow patient data and images to be viewed via http and a web browser.
Greenbone has written a complete report which can be downloaded here . The report contains further summaries of the overall situation, an analysis of the hazard potential associated with this data leak, and an estimate of the potential price of this dataset on the Darknet. The white paper  is suitable for a deeper introduction into the digital resilience of critical infrastructures, which include the health sector.
Due to the sensitivity of the data, in order to comply with data protection regulations in each country, and as a way not to encourage attacks, we are only disclosing the details of the individual vulnerable systems to authorized bodies.
We have not downloaded datasets, archives or any other available information, even though this would have been possible at any time. Instead, our report focuses on the number of records that are visible on, or could have been downloaded from, vulnerable servers.