DICOM protocol: Millions of patient data accessible unprotected via the Internet

It's a very unpleasant situation: the DICOM protocol has been used for decades to exchange X-ray images and images from other imaging procedures with clinics and doctors. This was not a problem until someone came up with the idea of moving the whole thing to the cloud. Security researchers have now discovered that many medical facilities are inadvertently making the private data and medical histories of millions of patients accessible via the internet.

DICOM as the standard for data transmission

Medical imaging includes a range of procedures such as X-rays, CT scans and MRIs that are used to visualize the internal body structures of patients. For decades, DICOM has been used as the standard protocol for storing and transmitting these images between the producing body and clinics or doctors.

DICOM stands for Digital Imaging and Communications in Medicine, and is implemented by almost all manufacturers of imaging or image processing systems in medicine in their products, such as digital X-ray, magnetic resonance imaging, computer tomography or sonography. This enables interoperability between systems from different manufacturers in the clinical environment. DICOM is also the basis for digital image archiving in surgeries and hospitals (Picture Archiving and Communication System, PACS).

The problem is the move to the cloud

For a long time, the use of DICOM was not a problem, as the data is transmitted via direct connections to local servers in practices or clinics and stored there. The security problems that have now emerged with DICOM are related to the use of legacy protocols when transferring and storing data to cloud-based solutions that are also publicly accessible via the internet. In other words, the departments that perform the imaging procedures on the patient then transmit the data to the department specified by the client (clinic, doctor) using the DICOM protocol. However, cloud storage is increasingly being specified as the destination, where the doctors then want to access the data via DICOM viewer. As a result, more and more DICOM endpoints can be accessed unprotected via the Internet.

I came across the topic yesterday via a Mastodon post, and a doctor among the readership also pointed out the problem to me by email. Sina Yazdanmehr and Ibrahim Akkulak are security experts at Aplite GmbH and have carried out research into DICOM endpoints accessible via the Internet where data is stored. In doing so, they came across a major problem: a large amount of personal information and medical records of patients transmitted via DICOM to doctors or clinics can be accessed by unauthorized third parties via DICOM endpoints (Internet-accessible servers and cloud solutions) without further authentication (or with default passwords). They have documented their findings in the blog post Millions of Patient Records at Risk.

Many hospitals and medical facilities are not aware that they have unintentionally made the private data and medical histories of millions of patients accessible via the internet. As early as 2021, this report found that 45 million individual DICOM files were stored on over 2,140 servers in 67 countries and were accessible to unauthorized persons via the Internet. Since then, nothing has changed.

[Figure: Patient data exposed via DICOM, source: BlackHat presentation, Aplite GmbH]

The map above comes from a presentation by Aplite security experts and shows the countries in which DICOM endpoints with patient data are accessible via the Internet. The USA, with its cloud orientation, is probably very strongly represented with corresponding "open" DICOM endpoints. However, France and Italy are also among the countries with many "open" DICOM endpoints.

  • A total of 3,806 DICOM servers from 111 countries were found that are freely accessible on the Internet.
  • 1,159 of these servers contain more than 59 million patients' personal and medical data.
  • Over 73% of these servers are hosted in the cloud or are accessible via the Internet using DSL.
  • 2,920 DICOM endpoints do not use authentication, 785 instances are only weakly protected by authentication.
  • Only 128 (less than 1%) of DICOM servers on the Internet use effective authorization.
  • More than 39.3 million health records on DICOM endpoints are at risk of tampering.

The two security researchers documented the results of their research in the blog post Millions of Patient Records at Risk by Aplite and also presented them at the BlackHat 2023 security conference (December 4 – 7, 2023 in London). There, Aplite's experts showed how easily attackers can find and access the exposed DICOM endpoints. The presentation slides are available here.

But it's not just about extracting patient data from the DICOM endpoints, as the DICOM protocol can even be used to modify medical data. The two security researchers also explain how they were able to bypass the DICOM security controls. All that was needed could be gathered from the information provided by manufacturers and service providers to comply with DICOM standards.

Practical recommendations for security

At the BlackHat conference and in their blog post, the security researchers provided practical recommendations for medical facilities, healthcare providers and medical technicians to mitigate these security issues and protect patient data. For institutions in the EU, the topic also has GDPR relevance.

The proposed measures include ensuring that DICOM endpoints are not publicly reachable from the internet (exposed endpoints can be found by simple scans of TCP ports 104, 11112 and 4242). Securing the connection between the internal network and the remote DICOM server via a secure channel (e.g. IPsec) was also mentioned. In their blog post Millions of Patient Records at Risk, the security researchers also suggest segmenting the infrastructure and enforcing effective access control for authorized parties.
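As an added illustration of the "effective access control" recommendation (this is example code written for this post, not the researchers' or any PACS vendor's code): a listener-side check that decodes the fixed header of a DICOM A-ASSOCIATE-RQ PDU (layout per PS3.8 section 9.3.2) and only accepts associations whose calling AE title arrives from the network that is registered for it. The AE titles, networks and the test PDU are constructed for the example; since an AE title is an identifier rather than a secret, the check pairs it with the source address and is meant to sit behind the network restrictions and secure channel described above, not replace them.

```python
"""Decode a DICOM A-ASSOCIATE-RQ header and apply a calling-AE / source-network allowlist."""
import ipaddress
import struct
from typing import NamedTuple, Optional

DICOM_PORTS = (104, 11112, 4242)  # well-known DICOM listener ports named in the article
LOCAL_AE = "PACS_ARCHIVE"         # constructed: the AE title this archive answers to

# Constructed allowlist: which calling AE title may come from which internal network.
ALLOWED_PEERS = {
    "CT_SCANNER_01": ipaddress.ip_network("10.20.0.0/24"),
    "RAD_WS_02": ipaddress.ip_network("10.20.1.0/24"),
}

class AssociateRequest(NamedTuple):
    protocol_version: int
    called_ae: str
    calling_ae: str

def parse_associate_rq(pdu: bytes) -> Optional[AssociateRequest]:
    """Fixed header: type(1)=0x01, reserved(1), length(4 BE), version(2), reserved(2),
    called AE(16), calling AE(16), reserved(32); variable items follow at offset 74.
    Returns None for anything that is not a well-formed association request."""
    if len(pdu) < 74 or pdu[0] != 0x01:
        return None
    if struct.unpack(">I", pdu[2:6])[0] != len(pdu) - 6:  # length excludes 6-byte header
        return None
    version = struct.unpack(">H", pdu[6:8])[0]
    called = pdu[10:26].decode("ascii", errors="replace").rstrip(" \0")
    calling = pdu[26:42].decode("ascii", errors="replace").rstrip(" \0")
    return AssociateRequest(version, called, calling)

def decide(pdu: bytes, src_ip: str) -> str:
    """Accept only a known calling AE title arriving from its registered network."""
    req = parse_associate_rq(pdu)
    if req is None:
        return "reject: malformed or non-association PDU"
    if req.called_ae != LOCAL_AE:
        return f"reject: unknown called AE {req.called_ae!r}"
    net = ALLOWED_PEERS.get(req.calling_ae)
    if net is None or ipaddress.ip_address(src_ip) not in net:
        return f"reject: calling AE {req.calling_ae!r} from {src_ip} not allowlisted"
    return f"accept: {req.calling_ae} -> {req.called_ae}"

def build_associate_rq(called: str, calling: str) -> bytes:
    """Constructed test PDU: header only, no presentation-context items (74 bytes)."""
    body = struct.pack(">HH", 1, 0) + called.ljust(16).encode() + calling.ljust(16).encode() + bytes(32)
    return bytes([0x01, 0x00]) + struct.pack(">I", len(body)) + body

if __name__ == "__main__":
    pdu = build_associate_rq(LOCAL_AE, "CT_SCANNER_01")
    print(decide(pdu, "10.20.0.15"))   # accept: CT_SCANNER_01 -> PACS_ARCHIVE
    print(decide(pdu, "203.0.113.7"))  # reject: ... not allowlisted
```

Every rejected association is worth logging with the calling AE title and source address, since a flood of such rejects from public addresses is exactly the scanning activity the article describes.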
