
It’s four months since Bayerischer Rundfunk and ProPublica ran reports on our research, which revealed that vast numbers of Picture Archiving & Communication Systems (PACS) – which are widely used by health providers to share and store medical scans – were leaking confidential patient data.

X-ray from the 19th century, source: WikiCommons

Over the last few days we sent faxes (we hadn’t used a fax in years) to more than 40 institutions, which should help to secure about 10 million studies and 460 million images from unprotected access.

We think that now’s the time for a new instalment and, while this blog post isn’t a new report, it does shine a spotlight on a few barely mentioned aspects of the data leak. It also highlights some extra noteworthy things that have happened since September 17th 2019.

A bit of history

It was Spring 2019 when we found the first example of a PACS system leaking data. We weren’t searching for one specifically, we were actually conducting some different research at the time. However, because we discovered it, our first step was to alert the affected organization about the problem (they acted quickly and removed the system). We didn’t think much more about it at the time, other than writing the words “PACS server” on a Post-It and pinning it on our notice board.

In August 2019, we decided to revisit the topic and initial work began by establishing a base data set of connected and accessible (aka unprotected) PACS systems. We soon realized the immense scale of the issue and it became obvious that we would need the help of authorities and media outlets around the globe to draw much-needed attention to the problem. Simply put, it wouldn’t have been possible to get so many systems off the public Internet without their help. (This process still remains very much a ‘work in progress’, as January’s story on TechCrunch highlights.)

I’m thankful for the work done by so many around the globe; from authorities in Germany, the United Kingdom, France, Switzerland, the United States, Malaysia, and many other countries. This extends to all the news outlets that highlighted the need to check and change PACS systems, as well as to the hospitals and clinics who took their responsibilities seriously, and asked for specific advice. We have also spoken with quite a few information security professionals, and they all deserve kudos too. THANK YOU!

Some untold chapters

While on the topic of history, one particularly interesting aspect of our research was the sheer volume of historic medical data that was freely available on the Internet, and how this could be used to generate medical profiles.

For example, we selected a few systems, each allowing access to data that goes way back in time. The youngest archive in the sample dated from December 11th 2007.

The following graph & timeline visualizes what we found on those selected systems.


(click here for a hi-res version; usage is allowed provided that the copyright is properly displayed).

By ‘history-building’ in this way we could see:

  • a person who had their first examination back in March 1987 and has since had 55 other radiology examinations, most recently in December 2019
  • another person who had more than 130 radiology examinations over a span of 22 years
  • the oldest data set, which dated back to January 3rd, 1980; an examination that took place in the evening

We also uncovered some further aspects that, although they don’t necessarily place patients at risk of medical identity fraud, are still important from a data privacy perspective, for example:

  • one PACS system contained the usual data, such as the patient’s full name, DoB and examination details; however, the data originated from a range of prisons and correction centers dating back to 2007. You could easily work out whether someone had served prison time, which could be a clear breach of their privacy
  • some archives contained so much historical data that it was possible to establish full family trees. One system, belonging to a local medical center, contained over 400 entries for the same family name over a span of 19 years. This type of information is ripe for social engineering

It’s not just past data that’s at risk, it’s future information too. One system we found offered a very easy way to view future appointments, with each patient’s full name and DoB on display. And because this PACS server was used by a regional health provider, it could be relatively easy to find out the patient’s address, phone number, work place and other details, thanks to the amount of information that’s readily available on Facebook, Instagram, etc.


Some extra plot twists

As we are talking about the future, which includes the bright new world of Artificial Intelligence, it’s noteworthy that we were even contacted by vendors of medical AI solutions asking us for access to the data, presumably so they could use it to improve their algorithms. We obviously said no, not just because of EU privacy laws, but also to protect patient security and on ethical grounds. It might be better to leave that piece of the story as it is.

When we first published our research, a typical reaction from medical interest groups was: “No, no, that can’t be. Systems used by veterinarians, maybe, or education/university systems. But our hospitals and doctors take good care of privacy.” We did indeed find 72 vulnerable PACS systems being used by vets, but we didn’t use them for our research. While there is a chance that these servers hold a good amount of personal data (i.e. billing information), the health of animals is a different story from the health of people. Diligence was also needed to distinguish between the abbreviations VET and PET, as the former can relate to both veterinarians and veterans, while the latter could be a technical term for a scan: PET-CT.

It will come as no surprise that we were also contacted by lawyers seeking class-action lawsuits. We did not – and will never – share details of our methodology or any detailed findings; that’s not our business.

While speaking about legal aspects: when we sent out the 140+ individual responsible disclosures to the affected health providers, we prepared ourselves to receive a bunch of ‘cease and desist’ letters. But we haven’t received any. Those organizations who received the disclosure and contacted us for more information all (re)acted with the intent to remedy the problem and not to ‘shoot the messenger’. I’d like to thank Troy Hunt [add link] again for his work on how to handle responsible disclosures; it helped us a lot.

Randomly, we even received a message over Twitter, asking whether we found images of bone spurs. No, we didn’t, but then again, we didn’t search for any.

What’s next

We will keep an eye on the issue of unprotected PACS systems around the globe and will certainly help data protection and law enforcement authorities worldwide with their ongoing work to get the identified systems off grid. There are still more than 400 unprotected PACS systems out there, with more than 27 million studies affecting an estimated 9 million persons.

For us, this exercise was an important example of how information security and data privacy isn’t always about highly sophisticated APTs, devious social engineering tricks, and BlackHats doing some code magic. It’s about being diligent with the basics. And basic is exactly how we kept it: no coding, no automation, no scripting. Anyone would have been able to do it.

We intend to keep this approach in mind as we conduct future research into the resilience of other critical national infrastructures.

60 days later, the overall status of unprotected PACS systems around the globe isn’t getting better. The situation in the US seems to be an unstoppable information security and data privacy disaster.

1.19 billion images

That is the number of images associated with all the unprotected medical studies we found in our review of the global status of medical archives connected to the internet, a 60% increase (up from 737 million). There are more details in our updated report about how the global status of medical picture archives has developed since our first research 60 days ago, but that number of images, now related to more than 35 million studies (plus 40%, up from 24.5 million) of patients across the globe, is – simply put – frightening.

Is it ignorance or negligence?

“Check again” is one of the mantras of cybersecurity and specifically of vulnerability management. You ‘check again’ to see how your cyber security status evolves, and whether the measures and tools you’ve implemented work and actually provide the benefit you wanted from them. It’s for this reason that we decided to do a review quite soon after the first report, and to do so 60 days later, as mandated in the US (being largely affected by this specific data leak). But finding even more studies, with more images related to them, isn’t what we expected to see. The question of ignorance and/or negligence can only be answered this way: from our point of view, it is both, in an unhealthy combination. For most of the systems we scrutinized, we had – and still have – continued access to the personal health information.

There is some hope, as a few countries managed to get the identified systems off the public Internet. But that hope is diminished by the overall numbers of accessible studies and images, and by additional, new countries being added to the list.

“Good, bad, and ugly”

Speaking about hope, we do see that the total number of systems has decreased by 43. But that is only a fraction of the total number (<10%). Looking at the details, there are three groups of countries within our data.

  • The “Good”
    Countries which (as mentioned above) managed to get the systems off the public Internet. The situation has changed to ‘good’.
  • The “Bad”
    Countries where we still see many systems, unchanged situations or only a slight decrease in the numbers. The situation is still ‘bad’.
  • The “Ugly”
    That group consists of a few countries where the numbers went up and the situation hasn’t improved at all. It became ‘ugly’.

New datapoints

For the ‘ugly’ group of countries, we added new data points. One set is about the location of each archiving system, which we summarized by state or province for each country. Another set is the number of medical institutions and physicians referenced in the base data. Both data points are difficult to handle, as they are only approximations and might lead to incorrect interpretation, so we advise taking them with a grain of salt. For example, the location of a system doesn’t mean that all PII stored in it is from citizens living close to that location (that is why we don’t name cities, just states). As with our initial report, we analyzed the data at run time and nothing has been stored on our systems. Only the summaries, counts, and indicators for location were noted and stored.

Extra focus: USA

The United States of America is the country which is affected most by this kind of data leak, so it is only natural to put some extra focus on the situation there. Not only did the aggregated numbers rise to a disturbing level, we also found some alarming data sets stored in unprotected PACS systems located in the US.

One very large archive allows full access to PHI, including all images related to the 1.2 million examinations; in addition – for about 75% of the individual names stored – it also discloses the social security numbers. The potential risk of medical identity theft for the affected individuals sums up to about $3.3 billion. That amount is almost two thirds of the overall financial risk calculated for this type of exploitation and the PACS identified.

Another archive appears to hold data from military personnel, including their DoD ID, when the names of the institutions are used as an indicator. Although the number of data sets isn’t huge, the fact itself provides means of exploitation (some of which are described in the initial report).

The following graphic highlights the situation in the US, per state affected.

(click here for a hi-res version; usage is allowed provided that the copyright is properly displayed).

The overall situation with PACS systems in the US confirms our findings about the key capabilities driving high cyber resiliency for that region, which will be the subject of another Greenbone report about to be published.

Recommended actions

In the report, we also list some recommended actions for each ‘stakeholder’. The actions revolve around simple steps that increase the likelihood of discovering devices connected to the public Internet unnecessarily, plus – for individuals – how to make sure that your medical service providers and your physician really understand that they have to take the security and privacy of your data seriously.

The report

Greenbone’s updated report can be downloaded here [1].

Our white paper [2] is there for a deeper introduction into the digital resilience of critical infrastructures, which include the health sector.

As stated before, due to the sensitivity of the data, in order to comply with data protection regulations in each country, and as a way not to encourage attacks, we are only disclosing the details of the individual vulnerable systems to authorized bodies.

Outlook

The study mentioned above, about the capabilities which lead to high cyber resiliency, will be published soon. The report covers the largest economies of the world and spans 6 sectors considered critical national infrastructures, namely

  • Health
  • Finance
  • Transport
  • Energy
  • Water
  • IT & Telecommunications

More to come in our blog.

Note:
We have not downloaded datasets, archives or any other available information, even though this would have been possible at any time. Instead, our report focuses on the number of records that are visible on, or could have been downloaded from, vulnerable servers.

[1] Greenbone Security Report – Unprotected Patient Data, a review

[2] Greenbone Whitepaper – Health Sector

Medical systems and processes in the healthcare sector are becoming increasingly digital. Medical providers and hospitals – like all other industries – are using internet technologies to speed up and improve the quality of the patient care they provide. Our new analysis of medical image archiving systems being used across the globe shows that this can go wrong.

The starting position

X-rays and other imaging methods such as CT and MRI scans are an integral part of everyday hospital life. These images help doctors and other professionals make accurate diagnoses, work out treatment plans as well as assess how effectively these treatments are working.

Hospitals use extensive image archiving systems known as PACS (Picture Archiving and Communication Systems) servers, to store and access these images. It has been known for some time that PACS servers are vulnerable. What was unknown until today is how large and widespread this global data leak actually is.

Put simply, this data leak affects a standard that was developed in the 1980s. This standard, called DICOM (Digital Imaging and Communications in Medicine), dictates how medical imaging devices are networked in order to exchange and archive information about patients and images. PACS servers use this standard, which is transported over the IP protocol. This means that these systems can also be found on the internet.

Our analysis looked at the IP addresses of PACS servers to see which were vulnerable, as well as assess how much confidential patient data is readily available on the internet today.

The weaknesses

As soon as a system or device is connected to the public internet, questions arise about how to protect it from unauthorized access. One key question is ‘who is authorized to use the system and how is this access enforced?’ As PACS servers store highly confidential data pertaining to the medical records of individuals, access should be heavily restricted so that only certain personnel can view it. However, for many of the archiving systems included in this study, nothing could be further from the truth. Anyone can access a significant number of these systems and, what’s more, they can see everything that’s stored on them.

In particular, these vulnerable archives contain sensitive medical and personal information for millions of people worldwide. Names, dates of birth, dates and details of examinations, treating physicians, clinics, and the scans themselves are searchable and, in some cases, available to download. In the US, these data sets also include some Social Security Numbers.

This data is accessible because of the careless configuration of these systems. Many have no protection at all: they are neither password protected nor encrypted; indeed, even regular, everyday internet users could gain access with a few simple actions.

Greenbone did not have to write any special code to see what patient data was accessible, nor did any software vulnerability have to be exploited, or a zero-day attack carried out. As such, you don’t need to be a hacker to gain access to this highly sensitive data, it’s all visible with the help of freely available tools. To view and – if desired – download this data, you only need a list of IPs and a corresponding viewer. Both are available for download on the net.
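The weakness described here (a PACS that grants a DICOM association to any caller, with no AE-title allow list or network filtering in front of it) and the ‘discover your own unnecessarily exposed devices’ action from the recommended actions above both come down to one check a hospital can run against its own endpoint from outside its network. The following is an added example, not Greenbone’s tooling: it builds a minimal DICOM A-ASSOCIATE-RQ for the Verification (C-ECHO) service and classifies the reply; the AE titles and the implementation class UID are placeholders.

```python
import socket
import struct

# Well-known DICOM UIDs (PS3.6/PS3.7); the Verification SOP class is the C-ECHO "ping".
APPLICATION_CONTEXT = "1.2.840.10008.3.1.1.1"
VERIFICATION_SOP_CLASS = "1.2.840.10008.1.1"
IMPLICIT_VR_LE = "1.2.840.10008.1.2"
IMPL_CLASS_UID = "1.2.3.4.5.6.7.8.9"  # placeholder, not a registered UID; use your own


def _item(item_type, payload):
    # Generic upper-layer item: type byte, reserved byte, big-endian 16-bit length, payload
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def build_associate_rq(called_ae, calling_ae):
    """A-ASSOCIATE-RQ PDU proposing only the Verification SOP class (implicit VR LE)."""
    pres_ctx = _item(0x20, bytes([1, 0, 0, 0])                  # context id 1 + 3 reserved bytes
                     + _item(0x30, VERIFICATION_SOP_CLASS.encode())
                     + _item(0x40, IMPLICIT_VR_LE.encode()))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384))  # max PDU length we accept
                      + _item(0x52, IMPL_CLASS_UID.encode()))      # implementation class UID
    body = (struct.pack(">HH", 1, 0)                               # protocol version 1, reserved
            + called_ae.ljust(16).encode()[:16]                    # AE titles: 16 bytes, space padded
            + calling_ae.ljust(16).encode()[:16]
            + bytes(32)                                            # reserved
            + _item(0x10, APPLICATION_CONTEXT.encode()) + pres_ctx + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def classify_response(pdu):
    """Turn the first reply PDU into a verdict; 'open' means an unknown caller got an association."""
    if len(pdu) < 6:
        return "no-dicom"            # not a DICOM upper-layer PDU (an HTTP banner, or nothing at all)
    return {0x02: "open",            # A-ASSOCIATE-AC
            0x03: "rejected",        # A-ASSOCIATE-RJ, e.g. calling AE title not on the allow list
            0x07: "aborted"}.get(pdu[0], "no-dicom")   # A-ABORT


def check_pacs_exposure(host, port, called_ae="ANY-SCP", calling_ae="EXPOSURE-CHECK", timeout=5.0):
    """Run the check against one of your own endpoints from outside the network.
    'unreachable' (filtered) and 'rejected' (AE allow list) are good; 'open' needs fixing."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_associate_rq(called_ae, calling_ae))
            verdict = classify_response(sock.recv(6))
            if verdict == "open":
                # Release the association we were granted instead of just dropping the socket.
                sock.sendall(struct.pack(">BBI", 0x05, 0, 4) + bytes(4))
            return verdict
    except OSError:
        return "unreachable"
```

Run it from a host outside the hospital network against the DICOM port of your own archive; anything other than "unreachable" or "rejected" means the archive is reachable and accepting associations from arbitrary callers, which is exactly the configuration this post describes.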

The extent of the problem

The number of accessible patient records is frightening. Altogether, we unearthed more than 24 million records which, combined, are linked to more than 700 million images. Of these scans, 400 million were actually downloadable. These unprotected systems are located in 52 countries around the world. In addition to the general “openness” of the systems, they also have thousands of “real” vulnerabilities, i.e. outdated web server versions and vulnerable database instances. In some cases, the PACS servers even allow patient data and images to be viewed via HTTP in a web browser.

The report

Greenbone has written a complete report which can be downloaded here [2]. The report contains further summaries of the overall situation, an analysis of the hazard potential associated with this data leak, and an estimate of the potential price of this dataset on the Darknet. The white paper [3] is suitable for a deeper introduction into the digital resilience of critical infrastructures, which include the health sector.

Due to the sensitivity of the data, in order to comply with data protection regulations in each country, and as a way not to encourage attacks, we are only disclosing the details of the individual vulnerable systems to authorized bodies.

Note:
We have not downloaded datasets, archives or any other available information, even though this would have been possible at any time. Instead, our report focuses on the number of records that are visible on, or could have been downloaded from, vulnerable servers.

[1] McAfee.com and CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning

[2] Greenbone Security Report – Confidential patient data freely accessible on the internet

[3] Greenbone Whitepaper – Health Sector