45 million medical imaging files and associated personal data were left discoverable on the open web across 67 countries, including the US, UK, France, and Germany.
Unsecured Servers & Storage Devices:
The analyst team at CybelAngel discovered that more than 45 million medical images, including X-rays and MRI and CT scans, are freely accessible on unprotected servers.
Moreover, the analysts found that millions of these sensitive images, including Personal Healthcare Information (PHI), were available unencrypted and without password protection.
The six-month investigation into medical device security found medical data exposed by hospitals and medical centers around the world.
Due to insecure storage, this sensitive medical data was easily accessible to outsiders on the open web.
Above all, the researchers were able to access 45 million unique Digital Imaging and Communications in Medicine (DICOM) cases without any hacking tool, or even a password.
CybelAngel tools scanned approximately 4.3 billion IP addresses and detected more than 45 million unique medical images left exposed on over 2,140 unprotected servers.
Importantly, insecure Network Attached Storage (NAS) devices, the use of the FTP or SMB protocols, and unpatched security flaws could all give outsiders access to the sensitive data.
The researchers also found malicious scripts (cryptocurrency miners), suggesting they weren't the first to identify and access the unsecured devices.
Security Recommendations — Medical Information:
Cybercriminals who gain access to sensitive medical information could exploit it by:
- Selling it on the Dark Web
- Blackmailing identifiable individuals
- Delivering ransomware to hospital networks
In short, there are simple steps healthcare facilities can take to safeguard this data:
- Strengthen user authentication and encrypt data
- Implement policies to support your data protection strategy
- Implement multiple layers of security devices and train end-users
- Implement HIPAA and GDPR safeguard policies
- Ensure supporting systems aren't connected to the wider business or public-facing networks
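As an added defensive example (not code from the CybelAngel report or any project mentioned here), the following Python check identifies DICOM files and reports whether the patient-identifying tags are populated, so a facility can inventory unencrypted PHI sitting on its own NAS devices and file shares before hardening them. It assumes explicit VR little endian encoding and uses a constructed sample file; a production scanner would use a full DICOM library such as pydicom to handle every transfer syntax.

```python
import struct

DICOM_PREAMBLE_LEN = 128
# Tags that identify a patient; a file with any of these populated holds PHI.
PHI_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
}
# In explicit VR encoding these VRs use a 2-byte reserved field plus a 4-byte length.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

def is_dicom(data: bytes) -> bool:
    """DICOM Part 10 files start with a 128-byte preamble followed by the magic 'DICM'."""
    return len(data) >= 132 and data[128:132] == b"DICM"

def iter_elements(data: bytes):
    """Yield (tag, raw value) for explicit VR little endian elements after the magic (assumed encoding)."""
    pos = 132
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            length = struct.unpack_from("<I", data, pos + 8)[0]
            pos += 12
        else:
            length = struct.unpack_from("<H", data, pos + 6)[0]
            pos += 8
        if length == 0xFFFFFFFF or pos + length > len(data):
            break  # undefined-length sequence or truncated file: stop rather than guess
        yield (group, elem), data[pos:pos + length]
        pos += length

def find_phi(data: bytes) -> dict:
    """Return the populated PHI tags in a DICOM byte string ({} if none, or not DICOM at all)."""
    if not is_dicom(data):
        return {}
    found = {}
    for tag, value in iter_elements(data):
        if tag in PHI_TAGS and value.strip(b"\x00 "):  # empty/padded value = de-identified
            found[PHI_TAGS[tag]] = value.decode("ascii", "replace").strip()
    return found

def build_sample(patient_name: bytes, patient_id: bytes) -> bytes:
    """Constructed minimal explicit-VR-LE DICOM file for offline testing; not real patient data."""
    def element(group, elem, vr, value):
        value += b" " * (len(value) % 2)  # DICOM values are padded to even length
        return struct.pack("<HH", group, elem) + vr + struct.pack("<H", len(value)) + value
    body = element(0x0008, 0x0060, b"CS", b"MR") + element(0x0010, 0x0010, b"PN", patient_name)
    return b"\x00" * DICOM_PREAMBLE_LEN + b"DICM" + body + element(0x0010, 0x0020, b"LO", patient_id)
```

Running find_phi over every file reachable on a share exposed via FTP or SMB turns the report's finding into a concrete inventory: any non-empty result is unencrypted PHI that should not sit behind anonymous access.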