In September 2019, ProPublica revealed millions of medical images were being exposed online through unsecured Picture Archiving and Communication Systems (PACS). But while other countries took swift action to secure these vulnerabilities, the U.S. continues to utilize PACS without first closing major security gaps.
What’s worse, the health systems employing unsecured PACS have also failed to close other critical vulnerabilities, according to data from Dirk Schrader, global vice president at New Net Technologies (NNT).
PACS servers are used by the majority of health care delivery organizations to archive medical images and enable providers to swiftly share these patient records and images with other providers.
However, the tool is ranked as one of the riskiest devices employed in the health care sector, according to Forescout.
The tech holds inherent vulnerabilities, including use of Digital Imaging and Communications (DICOM), which is the communication and management standard of medical imaging information and related data.
The DICOM standard is more than 30 years old and easily exploitable when left exposed to the internet. Cylera research found a flaw in the DICOM image format could even enable an attacker to install malicious code into the imaging files to corrupt patient data. Research has consistently shown that nation-state threat actors actively scan for the DICOM port.
As a whole, these vulnerabilities pose a serious risk to the health care enterprise. But the U.S. has taken minimal action since the initial 2019 report, and as such, millions of and medical images and case study data are currently exposed online, without the need for authorization.
Current exposure statistics
During the first reporting period, Schrader found about 180 health systems employing exposed PACS. After the report, those numbers dropped to about 100 systems, as providers took the vulnerable systems offline.
Upon finding these systems, Schrader promptly followed protocol and safely reported the flaws to the providers, as well as state, federal and global regulators. Across the globe, those regulators promptly took the vulnerable PACS offline.
In the U.S., however, providers and regulators have failed to take swift action, and in some instances, the number of exposed systems is increasing, according to Schrader's findings. The current tally shows there are 130 health systems actively exposing 8.5 million case studies. The data represents more than 2 million patients, with approximately 275 million images related to their exams.
“I’m very concerned about it, as a good portion of systems identified during the first round of reporting and on the list with the Department of Health and Human Services, US-CERT, and the FBI are still connected to the internet,” said Schrader. “What’s going on here? And what will it take for there to be action from law enforcement, such as a mandate to enforce?” he added.
And in recent months, Schrader has seen a steady rise in these vulnerable systems coming back online in the U.S., with new PACS systems being connected to the internet without adequate security measures. Previously exposed systems have also come back online without precautions.
For example, the data show the largest system exposing medical images holds about 700,000 studies, which includes medical information like names, dates of birth, date and reason for exams, and provider names. The oldest data set on the system dates back to August 1979.
The exposed data can be tied to about 200,000 patients.
“[These exposures] show a lack of knowledge or interest in the full security picture of how these systems operate.”
Dirk Schrader, global vice president at New Net Technologies
As shared in real-time with SC Media, Schrader used Shodan.io to find the IP addresses of the exposed PACS and DICOM ports. By leveraging the IP address, combined with the country, state, or city level, he was able to find the exposures and other vulnerable systems.
With only a few steps, Schrader was able to access patient names, dates of birth and patient identification. Patient IDs often mirror SSNs, and a quick internet search could allow an actor to verify whether it was a legitimate SSN. The information is also readily accessible to attackers.
Further, once an exposed provider is found through these means, the actor could then combine the IP with the provider name, and enter it into Shodan.io to find other infrastructure flaws.
As Schrader explained, a malicious actor could take the data corresponding to patient, provider and radiology service provider to infer the location of the individual, which can easily be paired with data from other public sources and social media.
The combination of data could readily enable social engineering attacks, fraud, full-fledged identity theft attacks, and other cybercrimes, he warned.
All signs point to overall security failings
To better understand the overall risk, Schrader hypothesized that if a health system was exposing data through PACS, it was likely the provider was operating with other system vulnerabilities. A simple scan using Shodan.io against the IP addresses found through the PACS research proved Schrader’s theory was accurate.
For the largest culprit, already exposing 200,000 patient imaging records, the health system was found to be employing tech with at least 23 other vulnerabilities with a CVSS severity ranking greater than five. The discovered flaws included remote code execution (RCE) vulnerabilities, an exposed port known to be used by trojan horse backdoors, Secure Shell Protocol (SSH) security gaps, and an end-of-life web server vulnerability.
A complete scan of all systems with vulnerable PACS found more than 400 high-severity vulnerabilities, including over 50 critical flaws on 16 PACS devices. "...[A]n attacker can safely assume that there is more to find,” said Schrader.
"These 16 PACS systems store about 2 million studies, representing about 500,000 U.S. citizens whose medical data is at high risk of being stolen from these devices,” Schrader added. “The operator of these devices is at high-risk to be infiltrated, have their network exploited and their systems encrypted after the data has been copied, and finally to receive a ransom notice.”
Overall, the complete dataset reveals that these health systems lack proper configuration management, device hardening, vulnerability management and change controls.
Impact on patient privacy and security
The College of Healthcare Information Management Executives (CHIME) has repeatedly reported that health IT cybersecurity gaps, such as those in PACS, lie in challenges with data inventory and patch management.
The Health Insurance Portability and Accountability Act (HIPAA) was crafted long before the age of digital health, which means there are a number of technologies and security needs missing from the regulation. CHIME has stressed that, combined with the lack of an established national health cybersecurity standard, providers are burdened with the daunting task of securing patient data – often without the budget or resources to effectively accomplish the task. And without an adequate, real-time inventory of devices, a list of connections, and patch updates, many health care entities are failing to keep pace with these threats.
Unfortunately, real-time inventory and connections are what will enable providers to gain true insights into potential exposures and weaknesses.
But as Schrader puts it, closing PACS’ security gaps can be accomplished easily and without extra resources, as the real issue around PACS is a lack of understanding the full security picture.
“Health systems are connecting systems within the enterprise network without considering the security precautions needed to use PACS,” said Schrader. “It shows a lack of knowledge or interest in the full security picture of how these systems operate.”
“They want the systems online, but aren’t first verifying the potential side effects of doing so,” he added. “Any system connected to the internet, based on current standards or not, will be scanned for by attackers. And when there’s no matter of protection for these systems, it opens the playing field.”
On the other hand, providers who’ve ensured these systems are blocked from outside or unwanted access will complicate the attack chain and are less likely to be exploited, explained Schrader.
The attitude of some providers is that “No one will find me. I’m too small to attack,” or “ No one is interested in my data.” Schrader stressed that these are myths, as anything connected to the internet with vulnerabilities will be exploited, particularly as more attackers employ automated kits to scan for system vulnerabilities.
“At the end of the day, attackers will ask: If you’re neglecting security here, where else are [you] failing?”
Dirk Schrader, global vice president at New Net Technologies
A call to action
To Schrader, there’s a simple way to secure PACS: Check all connections. It’s an easy fix, to block off access and ensure configurations are validated. As PACS come with a manual, those tasked with leveraging its connections should review the best practices to ensure they understand how to securely bring the systems online.
For those with PACS connected to a public internet, Schrader reminded those entities to enable “HTTPS” to ensure data is encrypted between the interface with patients and referring physicians.
It’s understood that access is needed for the images generated by the health system, stressed Schrader. But providers are failing to check what is needed to securely connect devices to the internet. It’s as simple as determining how a device should work and how it’s connected, verifying the security of the connection, then connecting it safely to the internet, he added. Those concerned about side effects or other unwanted functions need only refer to the configurations found within the manual.
Cyber professionals need to understand the overall goals for certain devices and the potential impacts it could have on the network. “There’s a lot of reasoning for keeping these systems as simple as possible: doctors forget passwords, or the processes are too complicated for the network,” he said. “These systems are needed to share images on behalf of providers and hospital chains.”
“Access is needed, but if you want constant access, why not implement a virtual private network? Too many providers are neglecting the value of data in the hands of an adversary,” he continued. “At the end of the day, attackers will ask: If you’re neglecting security here, where else are [you] failing?”
While waiting for enforcement arms and regulators to take action, Schrader reiterated the need for health systems to review inventories and connections to ensure they’re not inadvertently exposing themselves to heightened exploit risks.
Network visibility is a crucial step to mapping devices and how they communicate, which can shed light into security gaps facing a health care entity. Segmenting vulnerable tech from the main network can also stymy the impact of a successful exploit.
Failing to act will not only increase the likelihood of a successful attack, but it can also lead to regulatory investigations. As seen with the initial ProPublica report, Sen. Mark Warner, D-Virginia, launched an investigation into one provider found to be leaking millions of medical images.
Warner’s investigation shed light on simple cybersecurity methods providers must implement to ensure they’re effectively protecting health information, such as employed audit and monitoring tools, compliance with industry standards and HIPAA, and encryption practices.
