The following is a guest article by David Sygula, Senior Cybersecurity Analyst at CybelAngel.
They are the machines that take your X-rays and conduct your MRI, CT and ultrasound scans. More than ever, they are linked to networks, workstations and servers: there are an estimated 450 million connected medical devices in the world and, by 2023, nearly seven in ten medical technology industry devices will be connected.
Together, they create a tsunami of data which healthcare practitioners access and share via systems that, for years, have been designed primarily for productivity, frequently with only basic desktop controls implemented to address security. In fact, much of the medical equipment currently in operation relies on decades-old technology that predates today's protection capabilities. Cybercriminals are well aware of this and view the data as low-hanging fruit: you do not need to be a particularly skilled hacker to steal it.
Today, we are seeing the consequences of what has become a thinly veiled data exchange at internet scale. After a six-month investigation, a CybelAngel Analyst Team detected medical devices leaking more than 45 million unique imaging files on unprotected connected storage devices with ties to hospitals and medical centers. In most cases, the team found that the source of the leak was a Network Attached Storage (NAS) appliance, a relatively inexpensive product marketed to individuals and small companies.
The investigation focused on the Digital Imaging and Communications in Medicine (DICOM) protocol and image standard. Established in 1985 and maintained by the National Electrical Manufacturers Association (NEMA), DICOM defines how radiography, CT, MR and other images are stored, sent and received as files whose headers may carry 200 or more metadata attributes, patient identifiers among them. A centralized Picture Archiving and Communication System (PACS) server stores the DICOM images, receiving them from the devices that perform the scans and distributing them to PACS workstations.
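To make concrete what sits inside one of these files, here is an added example (not code from CybelAngel, from NEMA or from any DICOM toolkit): a minimal Python reader and writer for the DICOM Part 10 file format, restricted to the Explicit VR Little Endian transfer syntax. It builds a constructed CT object carrying a made-up patient record, parses it back, lists the identifying attributes that sit as plain ASCII in the header, and writes a de-identified copy. The tag numbers, the transfer syntax UID and the CT Image Storage SOP class UID are those of the standard; the patient values, the institution name and the instance UID are invented for the example, and the redaction list is a deliberately small illustration, not the standard's full profile.

```python
import struct

EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"          # transfer syntax UID (from the standard)
CT_IMAGE_STORAGE = "1.2.840.10008.5.1.4.1.1.2"  # CT Image Storage SOP class UID (standard)
PLACEHOLDER_UID = "1.2.3.4.5.6.7.8.9"           # constructed instance UID, not a real one
# VRs whose explicit-VR header has 2 reserved bytes and a 4-byte length field.
LONG_LENGTH_VRS = {"OB", "OW", "OF", "SQ", "UT", "UN"}
# Identifying attributes this toy redacts: tag -> (name, dummy replacement).
PHI_TAGS = {
    (0x0008, 0x0080): ("InstitutionName", "REMOVED"),
    (0x0010, 0x0010): ("PatientName", "ANON"),
    (0x0010, 0x0020): ("PatientID", "ANON"),
    (0x0010, 0x0030): ("PatientBirthDate", "19000101"),
    (0x0010, 0x0040): ("PatientSex", "O"),
}

def encode_element(group, element, vr, value):
    """Encode one element as tag, 2-char VR, length, value (padded to even length)."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:  # UI and OB pad with NUL, text VRs pad with a space
        value += b"\x00" if vr in ("UI", "OB") else b" "
    if vr in LONG_LENGTH_VRS:
        header = struct.pack("<HH2sHI", group, element, vr.encode(), 0, len(value))
    else:
        header = struct.pack("<HH2sH", group, element, vr.encode(), len(value))
    return header + value

def serialize(elements):
    """128-byte preamble, 'DICM' magic, then the elements in dict order."""
    body = b"".join(encode_element(g, e, vr, v) for (g, e), (vr, v) in elements.items())
    return b"\x00" * 128 + b"DICM" + body

def build_sample_file():
    """Constructed sample: file meta group, a few dataset attributes, stand-in pixel data."""
    meta = [
        (0x0002, 0x0001, "OB", b"\x00\x01"),       # file meta information version
        (0x0002, 0x0002, "UI", CT_IMAGE_STORAGE),  # media storage SOP class
        (0x0002, 0x0003, "UI", PLACEHOLDER_UID),   # media storage SOP instance
        (0x0002, 0x0010, "UI", EXPLICIT_VR_LE),    # transfer syntax of the dataset
    ]
    meta_bytes = b"".join(encode_element(*m) for m in meta)
    # (0002,0000) File Meta Group Length counts the bytes of the rest of group 0002.
    elements = {(0x0002, 0x0000): ("UL", struct.pack("<I", len(meta_bytes)))}
    dataset = [
        (0x0008, 0x0016, "UI", CT_IMAGE_STORAGE),
        (0x0008, 0x0018, "UI", PLACEHOLDER_UID),
        (0x0008, 0x0020, "DA", "20210415"),
        (0x0008, 0x0060, "CS", "CT"),
        (0x0008, 0x0080, "LO", "Example General Hospital"),  # constructed
        (0x0010, 0x0010, "PN", "DOE^JANE"),                  # constructed
        (0x0010, 0x0020, "LO", "MRN-0000123"),               # constructed
        (0x0010, 0x0030, "DA", "19700101"),                  # constructed
        (0x0010, 0x0040, "CS", "F"),
        (0x7FE0, 0x0010, "OW", b"\x00\x01\x02\x03"),         # stand-in pixel data
    ]
    elements.update({(g, e): (vr, v) for g, e, vr, v in meta + dataset})
    return serialize(elements)

def parse_dicom(data):
    """Return {(group, element): (vr, raw_value)} for an Explicit VR LE Part 10 file."""
    if len(data) < 132 or data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file (no 'DICM' magic at offset 128)")
    elements, pos, ts_checked = {}, 132, False
    while pos + 8 <= len(data):
        group, element, vr = struct.unpack_from("<HH2s", data, pos)
        vr, pos = vr.decode("ascii"), pos + 6
        if group != 0x0002 and not ts_checked:
            # Group 0002 is always explicit VR LE; the dataset follows (0002,0010).
            ts = elements.get((0x0002, 0x0010), ("UI", b""))[1].rstrip(b"\x00").decode("ascii")
            if ts != EXPLICIT_VR_LE:
                raise NotImplementedError(f"transfer syntax {ts!r} not handled by this toy")
            ts_checked = True
        if vr in LONG_LENGTH_VRS:
            (length,) = struct.unpack_from("<2xI", data, pos)
            pos += 6
        else:
            (length,) = struct.unpack_from("<H", data, pos)
            pos += 2
        if length == 0xFFFFFFFF:
            raise NotImplementedError("undefined-length (sequence) elements not handled")
        if pos + length > len(data):
            raise ValueError(f"truncated element ({group:04X},{element:04X})")
        elements[(group, element)] = (vr, data[pos:pos + length])
        pos += length
    return elements

def extract_phi(elements):
    """The identifiers are plain ASCII: whoever holds the file reads them without decoding."""
    return {name: elements[tag][1].decode("ascii").strip(" \x00")
            for tag, (name, _dummy) in PHI_TAGS.items() if tag in elements}

def deidentify(data):
    """Overwrite the PHI_TAGS values and re-serialize; pixel data and UIDs are untouched."""
    elements = parse_dicom(data)
    for tag, (_name, dummy) in PHI_TAGS.items():
        if tag in elements:
            elements[tag] = (elements[tag][0], dummy)
    return serialize(elements)
```

Calling `extract_phi(parse_dicom(build_sample_file()))` returns the patient name, ID and birth date as readable strings, and a plain byte search for `DOE^JANE` in the file finds it: nothing in the format hides these values, which is why a file copied off an exposed NAS share is already a disclosure. The `deidentify` pass here rewrites only a handful of tags and is not a compliant de-identification; DICOM PS3.15 Annex E lists the full set of attributes to remove or replace, and burned-in annotations in the pixel data, private tags and nested sequences need handling as well.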
While official statements from NEMA's Medical Imaging Technology Association (MITA) indicate that DICOM security has been improved by adding encryption, the investigation determined that this encryption is insufficient in practice because it is optional. Organizations and individuals are not obligated to adhere to the existing DICOM application security recommendations: they are not mandatory, nor are they designated as the default. This has led to an environment in which hospitals, insurers and the other cogs in the global healthcare sector share information in ad-hoc fashion, further increasing the likelihood of compromise.
Illustrating the resulting exposure, the investigation team successfully gained access in 44 of 50 random DICOM connection attempts. It also observed DICOM data transmitted as unencrypted text, meaning that an attacker with access to a medical organization's network can read, alter or interfere with data in transit directly from the devices. It further identified 20 million unique images left exposed on some 1,100 unprotected servers. In one particular case, the team's analysts found a website advertising a paid service to "securely" host and manage DICOM images online; the website itself is unprotected and leaks more than 500,000 unique data files every single day.
Clearly, this exposure can lead to data modification, medical fraud, ransomware and other forms of cyber threat and scam. To respond effectively, it is essential to understand the three lessons that the current state of data leakage has taught us:
Default security usually means zero security.
Over the years, technology vendors have provided features to enhance security: encryption, multi-factor authentication and so on. They are worthless if not applied, which is generally the case by default. We want everything to work quickly and easily, but anything that is easy for the end user to access is also easy for an intruder to access. Often disregarded, the failure to implement security policies also translates into a lack of compliance, which is not only a sign of disrespect towards customers but can also trigger legal penalties.
The cybercrime underworld thrives on “obscure” data.
Years ago, if a file type, or the means of accessing it, was not obvious, "security through obscurity" lent a false sense of safety. Yet the modern cybercrime economy and its supply chain show that there is plenty of profit to be made from obscurity. Almost any file containing personally identifiable information can be monetized and sold as a component of someone else's fraud, extortion, espionage or other scheme. Assume that all of your publicly discoverable data is valuable to attackers, and rethink your workflows and business practices to establish where this data travels and how.
The healthcare industry must focus on visibility and control.
There is no "mission-critical" data without a mission, and in the demanding healthcare and pharmaceutical sectors the mission, whether delivering urgent, lifesaving care, analyzing pandemic data for public health or developing vaccines, is the most important function. Technology is charged with empowering this work, but must do so in a risk-aware way as new demands and circumstances continually unfold. A lesson for every industry from our investigation into widespread medical imagery leaks is that if you begin IT transformation with a large number of disparate, ad-hoc assets and policies, you will quickly lose control of your files, along with the ability to collaborate with others and to rein in control as risks evolve.
Our investigation shows that the most severe data breaches can arise not from the sudden, exotic threats in the headlines but from a long-term combustible mix of rapid digitization, collaboration by necessity and the rise of cheap, powerful file-sharing platforms. This is a case where greater risk-based IT planning and leadership at the outset might have anticipated some of the gaps and driven greater consistency. No IT project or transformation wave is without security flaws. Above all else, however, you need visibility, and a plan in place for when data escapes.