Thousands of exposed servers are spilling the medical records and personal health information of millions of patients due to security weaknesses in a decades-old industry standard designed for storing and sharing medical images, researchers have warned.
This standard, known as Digital Imaging and Communications in Medicine, or DICOM for short, is the internationally recognized format for medical imaging. DICOM is used as the file format for CT scans and X-ray images to ensure interoperability between different imaging systems and software. DICOM images are typically stored in a picture storage and sharing system, or PACS server, allowing medical practitioners to store patient images in a single file and share records with other medical practices.
But as discovered by Aplite, a Germany-based cybersecurity consultancy specializing in digital healthcare, security shortcomings in DICOM mean many medical facilities have unintentionally made the private data and medical histories of millions of patients accessible to the open internet.
Aplite’s research into DICOM systems, shared with TechCrunch ahead of its presentation at Black Hat Europe this week, has discovered more than 3,800 servers across more than 110 countries exposing the personal information of some 16 million patients. Aplite said they found patient names, genders, addresses and phone numbers, and in some cases Social Security numbers.
The research, which scanned the internet for DICOM servers for more than six months, found that these servers are also exposing more than 43 million health records, which can include the results of an examination, when the examination took place and the referring physicians’ details.
Most of the exposed servers — more than 8 million records — are based in the United States, followed by 9.6 million records in India and 7.3 million found in South Africa. Aplite said many of the U.S.-based servers are hosting data from medical practices located outside the United States.
Sina Yazdanmehr, a senior IT security consultant at Aplite, told TechCrunch that more than 70% of these exposed DICOM servers are hosted by cloud giants like Amazon AWS and Microsoft Azure. The rest are DICOM servers in medical offices connected to the internet.
Yazdanmehr said that fewer than 1% of DICOM servers on the internet are using effective security measures.
“When we did this research, we realized that medical organizations had started the shift towards the cloud and modernization; big players went to the cloud because they could afford it and have the infrastructure,” Yazdanmehr told TechCrunch. “But this digitalization forces small businesses that don’t have the resources or budget — just one DSL line — to catch up.”
A legacy problem
The security shortcomings associated with DICOM are nothing new. In 2020, TechCrunch reported the implementation of this decades-old protocol at hospitals, doctors’ offices and radiology centers led to the exposure of millions of medical images containing the personal health information of patients.
Now, almost four years later, the problem shows no sign of abating. Worse, Aplite said it has discovered a new attack vector that could allow hackers to tamper with data within existing medical images, which the company will demonstrate at Black Hat on Wednesday.
“When we analyzed the servers, we found that 39 million of the health records are at risk of tampering,” Yazdanmehr said. “Because of the nature of medical records, you cannot change them unless it goes through a whole process of manual verification.”
“If an attacker tampers with that data, these records are likely useless,” said Yazdanmehr. “They can even inject the false sign of illnesses.”
The number of leaked records is increasing every day, Yazdanmehr told TechCrunch, as more hospitals move to the cloud and more records are generated, but that the wider problem is not easy to fix. Yazdanmehr said that while DICOM has security measures, requiring their use could break many legacy products and systems.
The Medical Imaging & Technology Alliance, which oversees the DICOM standard, did not respond to TechCrunch’s questions prior to publication. MITA later told TechCrunch that DICOM does not inherently pose a security risk, but noted proper security “requires more than just technical measures.”
“It requires shared responsibility — specifically the implementation of institutional plans and policies to address various aspects of security, such as infrastructure, device configuration, procedures, policies, training, auditing and oversight,” said DICOM general secretary Carolyn Hull.
“The implementation, deployment, purchase, maintenance and configuration of systems that implement the DICOM Standard are the responsibility of the product vendors and their customers. Further, it is the responsibility of the vendors to provide and maintain software implementations. In short, proper security is a shared responsibility between device manufacturers and health delivery organizations. To claim it’s the sole responsibility of a standard is false,” said Hull.
Updated on December 11 with comment from MITA regarding the DICOM standard.