
Millions of patient scans and health records spilling online thanks to decades-old protocol bug

Researchers say they found exposed patient imaging, as well as names, addresses, and phone numbers

Thousands of exposed servers are spilling the medical records and personal health information of millions of patients due to security weaknesses in a decades-old industry standard designed for storing and sharing medical images, researchers have warned.

This standard, known as Digital Imaging and Communications in Medicine, or DICOM for short, is the internationally recognized format for medical imaging. DICOM is used as the file format for CT scans and X-ray images to ensure interoperability between different imaging systems and software, and it also defines the network protocol those systems use to exchange them. A DICOM file bundles the pixel data with patient and study metadata, and images are typically stored in a Picture Archiving and Communication System, or PACS server, allowing medical practitioners to keep a patient's imaging in one place and share records with other medical practices.

But as discovered by Aplite, a Germany-based cybersecurity consultancy specializing in digital healthcare, security shortcomings in DICOM mean many medical facilities have unintentionally made the private data and medical histories of millions of patients accessible to the open internet.

Aplite’s research into DICOM systems, shared with TechCrunch ahead of its presentation at Black Hat Europe this week, has discovered more than 3,800 servers across more than 110 countries exposing the personal information of some 16 million patients. Aplite said it found patient names, genders, addresses and phone numbers, and in some cases Social Security numbers.

The research, which scanned the internet for DICOM servers for more than six months, found that these servers are also exposing more than 43 million health records, which can include the results of an examination, when the examination took place, and the referring physicians’ details.
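The fields the researchers describe (patient name, address, phone number, referring physician, study date) are not stored in a separate database; they sit in the header of every DICOM object next to the pixel data. The following reader, added here as an illustration and not code from Aplite or the article, parses a constructed Part 10 file and pulls those fields out. It assumes the file is Explicit VR Little Endian throughout and contains no sequences or undefined-length elements; the sample study, its UIDs and demographics are made up.

```python
"""Minimal DICOM Part 10 reader showing which patient identifiers live in a file header.

Added example. Assumptions (not from the article): the file is Explicit VR Little
Endian end to end and has no undefined-length elements or sequences. The sample
study bytes are constructed inline and are not from any real scan.
"""
import struct

PREAMBLE_LEN = 128
MAGIC = b"DICM"
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"
# VRs whose explicit-VR encoding uses 2 reserved bytes plus a 4-byte length (PS3.5 7.1.2)
LONG_LENGTH_VRS = {"OB", "OD", "OF", "OL", "OV", "OW", "SQ", "SV", "UC", "UN", "UR", "UT", "UV"}

# Tags carrying the kind of personal data the article says was exposed
PHI_TAGS = {
    (0x0008, 0x0020): "StudyDate",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x0040): "PatientSex",
    (0x0010, 0x1040): "PatientAddress",
    (0x0010, 0x2154): "PatientTelephoneNumbers",
}


def encode_element(group, element, vr, value):
    """Encode one explicit-VR-LE data element. Strings are padded to even length
    (NUL for UI, space for other text VRs) as PS3.5 requires."""
    if isinstance(value, str):
        value = value.encode("ascii")
        if len(value) % 2:
            value += b"\x00" if vr == "UI" else b" "
    head = struct.pack("<HH", group, element) + vr.encode("ascii")
    if vr in LONG_LENGTH_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def build_sample_file():
    """Constructed CT study with fictional demographics (not real patient data)."""
    meta = (
        encode_element(0x0002, 0x0001, "OB", b"\x00\x01")
        + encode_element(0x0002, 0x0002, "UI", "1.2.840.10008.5.1.4.1.1.2")  # CT Image Storage
        + encode_element(0x0002, 0x0003, "UI", "1.2.3.4.5.6.7.8.9")          # made-up instance UID
        + encode_element(0x0002, 0x0010, "UI", EXPLICIT_VR_LE)
    )
    # (0002,0000) File Meta group length comes first and counts the bytes that follow it
    meta = encode_element(0x0002, 0x0000, "UL", struct.pack("<I", len(meta))) + meta
    dataset = (
        encode_element(0x0008, 0x0020, "DA", "20231201")
        + encode_element(0x0008, 0x0060, "CS", "CT")
        + encode_element(0x0008, 0x0090, "PN", "Doe^Jane")
        + encode_element(0x0010, 0x0010, "PN", "DOE^JOHN")
        + encode_element(0x0010, 0x0020, "LO", "MRN-000001")
        + encode_element(0x0010, 0x0030, "DA", "19700101")
        + encode_element(0x0010, 0x0040, "CS", "M")
        + encode_element(0x0010, 0x1040, "LO", "1 Example Street, Exampletown")
        + encode_element(0x0010, 0x2154, "SH", "555-0100")
        + encode_element(0x7FE0, 0x0010, "OW", bytes(8))  # stand-in for pixel data
    )
    return bytes(PREAMBLE_LEN) + MAGIC + meta + dataset


def iter_elements(data, offset):
    """Yield (tag, vr, value) for explicit-VR-LE elements starting at offset."""
    while offset + 8 <= len(data):
        group, element = struct.unpack_from("<HH", data, offset)
        vr = data[offset + 4:offset + 6].decode("ascii")
        if vr in LONG_LENGTH_VRS:
            (length,) = struct.unpack_from("<I", data, offset + 8)
            offset += 12
        else:
            (length,) = struct.unpack_from("<H", data, offset + 6)
            offset += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element not supported by this reader")
        if offset + length > len(data):
            raise ValueError("truncated element")
        yield (group, element), vr, data[offset:offset + length]
        offset += length


def extract_phi(data):
    """Return the patient-identifying text fields found in a DICOM file."""
    if data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        raise ValueError("not a DICOM Part 10 file (missing DICM magic)")
    found = {}
    transfer_syntax = None
    for tag, vr, value in iter_elements(data, PREAMBLE_LEN + 4):
        if tag == (0x0002, 0x0010):
            transfer_syntax = value.rstrip(b"\x00").decode("ascii")
        elif tag[0] != 0x0002 and transfer_syntax != EXPLICIT_VR_LE:
            raise ValueError("reader assumes Explicit VR Little Endian, got %r" % transfer_syntax)
        if tag in PHI_TAGS:
            found[PHI_TAGS[tag]] = value.rstrip(b" \x00").decode("ascii")
    return found


if __name__ == "__main__":
    for name, value in extract_phi(build_sample_file()).items():
        print(f"{name:24s} {value}")
```

The point of the exercise is that anyone who can pull a single object off an exposed PACS gets the demographics along with the image; there is no separate lookup to defeat. Real-world files use other transfer syntaxes and nested sequences, which this reader deliberately refuses rather than mis-parses.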

The largest share of the exposed servers is based in the United States, accounting for more than 8 million records; by record count, India accounts for 9.6 million and South Africa for 7.3 million. Aplite said many of the U.S.-based servers are hosting data from medical practices located outside the United States.

Sina Yazdanmehr, a senior IT security consultant at Aplite, told TechCrunch that more than 70% of these exposed DICOM servers are hosted by cloud giants like Amazon AWS and Microsoft Azure. The rest are DICOM servers in medical offices connected to the internet.

Yazdanmehr said that fewer than 1% of DICOM servers on the internet are using effective security measures.
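What "no effective security measures" means in practice is a server that accepts a DICOM association from any peer that reaches its TCP port, with no TLS and no check of who is calling. The probe below, an added example and not Aplite's scanning tooling, builds an A-ASSOCIATE-RQ for the Verification (C-ECHO) service by hand following the PDU layout in DICOM PS3.8 and classifies the first PDU the server returns. Host, port and AE titles in the `__main__` block are placeholders, and the implementation UID is made up; run it only against servers you are authorized to test.

```python
"""DICOM association probe: does a server accept an A-ASSOCIATE from an unknown,
unauthenticated peer over plain TCP?

Added example. PDU layout follows DICOM PS3.8 section 9.3. The implementation UID,
hosts and AE titles are placeholders, not registered or real values.
"""
import socket
import struct

APPLICATION_CONTEXT = b"1.2.840.10008.3.1.1.1"
VERIFICATION_SOP_CLASS = b"1.2.840.10008.1.1"   # C-ECHO
IMPLICIT_VR_LE = b"1.2.840.10008.1.2"
IMPLEMENTATION_UID = b"1.2.3.4.5.6.7"           # placeholder, not a registered UID

PDU_ASSOCIATE_RQ, PDU_ASSOCIATE_AC, PDU_ASSOCIATE_RJ = 0x01, 0x02, 0x03
PDU_RELEASE_RQ, PDU_ABORT = 0x05, 0x07


def _item(item_type, payload):
    """PDU item/sub-item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae(title):
    """Application Entity titles are exactly 16 bytes, space padded."""
    return title.encode("ascii")[:16].ljust(16, b" ")


def build_associate_rq(called_ae, calling_ae, max_pdu=16384):
    """A-ASSOCIATE-RQ offering the Verification SOP Class in Implicit VR LE."""
    app_ctx = _item(0x10, APPLICATION_CONTEXT)
    pres_ctx = _item(0x20, bytes([1, 0, 0, 0])            # presentation context ID 1
                     + _item(0x30, VERIFICATION_SOP_CLASS)
                     + _item(0x40, IMPLICIT_VR_LE))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", max_pdu))
                      + _item(0x52, IMPLEMENTATION_UID))
    body = (struct.pack(">HH", 1, 0)                       # protocol version 1, reserved
            + _ae(called_ae) + _ae(calling_ae) + bytes(32)
            + app_ctx + pres_ctx + user_info)
    return struct.pack(">BBI", PDU_ASSOCIATE_RQ, 0, len(body)) + body


def classify_response(pdu):
    """Interpret the first PDU the server sends back."""
    if len(pdu) < 6:
        return "no-dicom-response"
    pdu_type = pdu[0]
    if pdu_type == PDU_ASSOCIATE_AC:
        return "accepted"
    if pdu_type == PDU_ASSOCIATE_RJ and len(pdu) >= 10:
        result, source, reason = pdu[7], pdu[8], pdu[9]   # PS3.8 9.3.4 field offsets
        return f"rejected(result={result},source={source},reason={reason})"
    if pdu_type == PDU_ABORT:
        return "aborted"
    return f"unexpected-pdu(0x{pdu_type:02x})"


def probe(host, port=104, called_ae="ANY-SCP", calling_ae="PROBE", timeout=5.0):
    """Connect, send A-ASSOCIATE-RQ, classify the reply, release politely if accepted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(called_ae, calling_ae))
        reply = sock.recv(4096)
        verdict = classify_response(reply)
        if verdict == "accepted":
            sock.sendall(struct.pack(">BBI", PDU_RELEASE_RQ, 0, 4) + bytes(4))  # A-RELEASE-RQ
    return verdict


if __name__ == "__main__":
    # Placeholder target; replace with a host you are authorized to test.
    print(probe("pacs.example.invalid", 104))
```

An "accepted" verdict with an arbitrary calling AE title over an unencrypted port is the exposed configuration the article describes. A server using the standard's own protections will instead reject the association (a rejection whose source/reason bytes point at the calling or called AE title means it is enforcing an allowlist) or will not answer on the cleartext port at all, expecting TLS on the registered dicom-tls port 2762.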

“When we did this research, we realized that medical organizations had started the shift towards the cloud and modernization; big players went to the cloud because they could afford it and have the infrastructure,” Yazdanmehr told TechCrunch. “But this digitalization forces small businesses that don’t have the resources or budget — just one DSL line — to catch up.”

A legacy problem

The security shortcomings associated with DICOM are nothing new. In 2020, TechCrunch reported that the implementation of this decades-old protocol at hospitals, doctors’ offices and radiology centers had led to the exposure of millions of medical images containing the personal health information of patients.

Now, almost four years later, the problem shows no sign of abating. Worse, Aplite said it has discovered a new attack vector that could allow hackers to tamper with data within existing medical images, which the company will demonstrate at Black Hat on Wednesday.

“When we analyzed the servers, we found that 39 million of the health records are at risk of tampering,” Yazdanmehr said. “Because of the nature of medical records, you cannot change them unless it goes through a whole process of manual verification.”

“If an attacker tampers with that data, these records are likely useless,” said Yazdanmehr. “They can even inject the false sign of illnesses.”

The number of leaked records is increasing every day, Yazdanmehr told TechCrunch, as more hospitals move to the cloud and more records are generated, but the wider problem is not easy to fix. Yazdanmehr said that while DICOM has security measures, requiring their use could break many legacy products and systems.

The Medical Imaging & Technology Alliance, which oversees the DICOM standard, did not respond to TechCrunch’s questions.
