A 10-year-old bug in DICOM has leaked 59 million Patients personal data & medica...
Digital Imaging and Communications in Medicine (DICOM), the internationally accepted standard for medical images and related information protocol, encounters what is known to be the most critical healthcare data leak of 2023. Aplite security researchers identified a decade-old critical vulnerability present in DICOM protocol, exposing millions of critical patient personal and medical records globally.
The dichotomy of DICOM's viable role in healthcare and its susceptibility to data leaks, which has now become a globally recognized source of data leaks, according to Aplite, is setting the stage for a healthcare cybersecurity crisis on a new level.
## **Key Findings**
Aplite's extensive analysis for the past 6 months thoroughly reveals staggering statistics turning out to be one of the biggest healthcare data leaks before 2024. Over 3,800 DICOM accessible servers across 111 countries exposed 1,159 of these servers leaking over 59 million patients' personal and medical records, including names, addresses, phone numbers, and even Social Security numbers, in some cases highlighting the precarious state of millions of patient records.
The analysis also reveals that over 73% of these servers are hosted on the Cloud or exposed via DSL, signifying a shift towards cloudification in the healthcare industry.
Meanwhile, it was also found that India took a critical spotlight with over 9.6 million records at risk, making it a focal point of concern, unlike attacks on [SAFDARJUNG Hospital](https://www.secureblink.com/cyber-security-news/another-indian-hospital-servers-down-for-24-hours-following-hack) & [AIIMS](https://www.secureblink.com/cyber-security-news/200-cr-ransom-demanded-from-aiims-after-hitting-nearly-3-4-cr-patients). Following closely, the United States hosts over 8 million records, and South Africa adds to the urgency with 7.3 million at stake.
## **Root Cause: Modernization Meets Legacy**
The healthcare industry's pivotal transition to cloudification, catalyzed by major players like Amazon AWS and Microsoft Azure, inadvertently exposes underlying vulnerabilities as legacy protocols like DICOM persist, housing 73% of their exposed servers, as mentioned above.
A clash between modernization and dated infrastructure ensues, leaving a staggering 39.3 million health records at the risk of getting tempered anyway.
## **DICOM's Security Measures**
DICOM's legacy clashes with modern security demands and the standard organization's efforts fall short. Aplite's research reveals that less than 1% of internet-accessible DICOM servers have effective authorization, which translates to nearly 128, with over 85% vulnerable to dictionary attacks due to weak authorization out of 23% of the servers having authorization enabled.
## **Patient Data at the Mercy of Hackers**
The sheer magnitude of exposed personally identifiable information (PII) and protected health information (PHI) now open on the internet makes things even more alarming than ever. A staggering 16.1 million PII and 43.5 million PHI records are open to being exploited by hackers, leading to identity theft, social engineering, and potential blackmail.
## **Tampering with Integrity**
Hackers now pose a severe threat by systematically disrupting medical images or injecting false signs of illnesses using the [DICOM store service](https://dicom.nema.org/dicom/2013/output/chtml/part07/sect_9.3.html). Aplite's [findings](https://aplite.de/2023/12/06/millions-of-patient-records-at-risk-118/) indicate a vulnerability in DICOM's inability to close a series after storing via a modality, allowing hackers to inject new images at will. This poses a direct risk to those 39.3 million health records, as mentioned already.
## **Mitigation Strategies**
To address this critical issue, a multi-faceted approach is imperative. The [DICOM standard](https://en.m.wikipedia.org/wiki/DICOM) organization must enforce mandatory security measures, while medical institutions, vendors, and country CERTs should collaborate for immediate mitigation.
##### **Medical Institutions: Prioritized Actions**
1. **Exposure Control:**
- Prevent public internet access.
- Secure connections using IPSec.
- Regularly scan TCP ports for potential exposures.
- Create a dedicated DICOM segment.
- Restrict access to modalities via DICOM protocol.
- Deploy Web Application Firewall (WAF) for TLS protection.
3. **Access Control:**
- Authorize only modalities' IP addresses.
- Implement strong [AET](https://www.dicomstandard.org/news/supplements/view/dicom-conformance-statement) authorization.
- Integrate DICOMweb with Identity and Access Management (IAM).
##### **Vendors: Enhanced Security Measures**
1. **Authorization Implementation:**
- Implement AET authorization.
- Disallow new images for an existing series after a set time.
- Conduct regular security tests, including fuzzing and penetration tests.
##### **Country CERTs: Collaborative Efforts**
1. **Regular Scanning:**
- Scan a country's IP ranges to identify DICOM servers.
- Assist in hardening DICOM setups for identified IP owners.
## **Persistent Legacy Problems**
Despite previous [warnings and reports](https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/), the persistent issue with DICOM security remains. Aplite's findings indicate an escalating issue with an increasing number of leaked records each day. The disclosed attack vector allowing data tampering within existing medical images adds a new layer of urgency to address DICOM's inherent security flaws.
## **Dilemma of Security vs. Legacy Compatibility**
While DICOM has security measures, their non-mandatory nature poses a challenge. Enforcing these measures could disrupt many legacy products and systems, creating a dilemma for the Medical Imaging & Technology Alliance, overseer of the DICOM standard.