
Why Legacy Medical Imaging Devices Are Leaking Data on Web

Researcher Sina Yazdanmehr of Aplite on What Needs to Be Done to Mitigate DICOM Risks
Sina Yazdanmehr, security researcher, Aplite.

Tens of millions of patient records are exposed on the internet as many healthcare providers and hospitals have moved their medical imaging system storage infrastructures to the cloud without putting adequate security measures in place, according to security researcher Sina Yazdanmehr of Aplite.

In scanning the internet, Yazdanmehr and his team late last year found 59 million patient records accessible on the internet due to Digital Imaging and Communications in Medicine, or DICOM, leakage. DICOM is the international standard for storing and exchanging medical images between imaging devices and the systems that archive and display them. The exposed data included personal information such as full names, addresses, gender, telephone numbers and, in some cases, Social Security numbers. Providers also exposed more than 43 million health records, including the place, time and type of examinations and the results of those exams, he said.

The leakage is happening in large part because the DICOM protocol was originally designed more than 30 years ago for isolated medical imaging networks inside a hospital or other facility, he said.

"Back in the day, we didn't have many data protection laws and regulations like GDPR, for example. So this protocol was designed without having those concerns and security measures in mind."

Although the DICOM standard has since been extended with optional security mechanisms - including TLS transport encryption, user authentication and access controls - many makers of newer devices still haven't implemented those measures in their products because the standard leaves them optional rather than mandatory, Yazdanmehr said.

Meanwhile, healthcare organizations are still running a large installed base of legacy medical imaging products - such as X-ray, magnetic resonance imaging and computed tomography systems - which further exacerbates the problem, he said.

"The logistics of changing and buying a new device are not easy. So many hospitals and other medical centers keep using the old devices that cannot be updated, and because of financial reasons."

But healthcare entities can still implement stronger security measures to help reduce the risk of leakage, Yazdanmehr said. This includes ensuring DICOM servers are not publicly exposed to the internet, establishing secure channels between cloud environments and internal networks, and implementing fine-grained access controls for users.

"When it comes to their users like doctors, nurses and remote users, I highly recommend using DICOMweb, a web-based version of the DICOM protocol. They can use a web application firewall, or they can use a reverse proxy and integrate it with an access control system to have better control over what users access."

In this interview with Information Security Media Group (see audio link below photo), Yazdanmehr also discussed:

  • Other steps healthcare entities can take to better protect their medical imaging system records and related data;
  • What vendors, regulators and industry associations can consider doing to help improve the security of medical imaging products and data;
  • Security concerns involving other health IT and medical technology protocols.

Yazdanmehr is a senior information security consultant and researcher at Aplite GmbH. He has worked for several security firms and CERTs and has strong expertise in cloud, application and telecom security. He has presented his research at conferences such as Black Hat. Recently, his work has extended to healthcare cybersecurity and the discovery of structural issues in that sector.
