More than 45 million medical images – including X-rays, MRI and CT scans, as well as accompanying data that could identify the people in those images – are exposed online on unsecured servers and storage devices.

The exposed medical data, leaking from hospitals and medical centres around the world, was discovered by cybersecurity company CybelAngel over the course of a six-month-long investigation into medical device security, which also found that outsiders could easily access sensitive medical data.

Cyber criminals who gain access to sensitive medical information could exploit it by selling it on the dark web, blackmailing identifiable individuals, or even potentially using the exposed servers as a means of delivering ransomware to hospital networks.


Many medical devices are vulnerable to cyberattacks or to exposing data because the technology is often outdated, and healthcare IT and security budgets are stretched.

The researchers uncovered more than 45 million unique cases of Digital Imaging and Communications in Medicine (DICOM) files that were accessible without hacking tools or even a password, simply left visible to the open web.

"The 45 million files are on unprotected servers. What we found was all this data was exposed for anyone," David Sygula, senior cybersecurity analyst at CybelAngel, told ZDNet.

In some cases identified by researchers, insecure network attached storage (NAS) was the reason sensitive files could potentially be accessed. The use of FTP or SMB protocols and unpatched security flaws could provide outsiders with access to the machines and the data stored within.

Other cases involved servers and storage being attached to other network devices in order to meet a functional need, such as printing files, but
