While vulnerabilities in medical systems continue to leave patients and their data vulnerable to ransomware attacks, researchers identified a new way patients can put hospital networks at risk.
In addition to the obvious threat of opening oneself to doxing attacks, which could be enabled by disclosing personal information on the forms themselves, researchers warn you could also jeopardize hospital networks by posting X-ray pictures, according to a June 9th blog post.
Even if a user takes the precaution to crop out data, they could unintentionally leave information such as the server name.
“Perhaps the server receiving the image is a local machine that's air-gapped from the Internet but needs to receive images from multiple machines in an office or hospital,” the report said. “If you are a security professional reading this, we know that this is extremely unlikely.”
This could tip attackers off to potential access points or worse. Photos could also disclose active user account in the program, and other information that could allow an attacker to identify whether or not a server is web facing, if the WHOIS on the web server is public, if the server's subdomains are enumerated, and the possibility to traverse the subnet of the medical record server.
Researchers recommend users take extra precaution, if they must post the pic at all, to crop out any data to ensure they don't compromise their own personal information, or that of others.
