Investigators say they found exposed patient imagery, as well as names, addresses and phone numbers
Thousands exposed
Servers are spilling the medical records and personal health information of millions of patients because of security weaknesses in a decades-old industry standard designed to store and share medical images, researchers have warned.
This standard, known as Digital Imaging and Communications in Medicine, or DICOM for short, is the internationally recognized format for medical imaging. DICOM is used as a file format for CT scans and X-ray images to ensure interoperability between different imaging systems and software. DICOM images are typically stored in a picture archiving and communication system, or PACS server, allowing physicians to store patient images in a single place and share files with other medical practices.
But as Aplite, a Germany-based cybersecurity consultancy specializing in digital healthcare, discovered, security flaws in DICOM mean that many medical facilities have inadvertently made the private data and medical history of millions of patients accessible on the open internet.
Aplite’s investigation of DICOM systems, shared with TechCrunch ahead of its presentation at Black Hat Europe this week, found more than 3,800 servers in more than 110 countries exposing the personal information of about 16 million patients. Aplite said it found patient names, genders, addresses and phone numbers, and in some cases Social Security numbers.
The research, which scoured the internet for DICOM servers for more than six months, found that those servers also expose more than 43 million health records, which can include the results of a test, when the test was performed and details of the referring doctors.
Most of the exposed servers are located in the United States, accounting for more than 8 million records, followed by 9.6 million records in India and 7.3 million in South Africa. Aplite said many of the US-based servers host data from medical practices located outside the United States.
Sina Yazdanmehr, senior IT security consultant at Aplite, told TechCrunch that more than 70% of these exposed DICOM servers are hosted by cloud giants such as Amazon AWS and Microsoft Azure. The rest are DICOM servers in doctor’s offices connected to the internet.
Yazdanmehr said that less than 1% of DICOM servers on the internet use effective security measures.
“When we did this research, we realized that medical organizations had begun to shift to the cloud and modernize. The big players went to the cloud because they could afford it and have the infrastructure,” Yazdanmehr told TechCrunch. “But this digitization is forcing small businesses that don’t have the resources or the budget — just a DSL line — to catch up.”
A legacy problem
Security flaws related to DICOM are nothing new. In 2020, TechCrunch reported that the implementation of this decades-old protocol in hospitals, doctor’s offices and radiology centers led to the exposure of millions of medical images that contained personal patient health information.
Now, nearly four years later, the problem shows no signs of abating. Worse, Aplite said it discovered a new attack vector that could allow hackers to tamper with the data in existing medical images, which the company will present at Black Hat on Wednesday.
“When we analyzed the servers, we found that 39 million of the health records were at risk of being compromised,” Yazdanmehr said. “Because of the nature of medical records, you can’t change them unless they go through a whole manual verification process.”
“If an attacker falsifies this data, these files are probably useless,” Yazdanmehr said. “They can even inject the false sign of diseases.”
The number of leaked files is growing daily, Yazdanmehr told TechCrunch, as more hospitals move to the cloud and more files are created, but the broader problem isn’t easy to fix. Yazdanmehr said that while the DICOM standard does define security measures, such as authentication and encryption of the connection, making them mandatory could break many legacy products and systems that were never built to support them.
The Medical Imaging & Technology Alliance, which oversees the DICOM standard, did not respond to TechCrunch’s questions.