Millions of people will go to hospitals across the globe for a variety of appointments such as pregnancy scans, x-rays for broken bones, and other routine procedures, as well as more complex operations. Each of these situations demands the same level of privacy and patient protection; however, the sensitive information shared between patient and hospital could be a click away from falling into the hands of cybercriminals.
Digital Imaging and Communications in Medicine (DICOM), an essential protocol used by medical professionals, is the international standard for the transmission, storage, retrieval, print, and display of medical images and related information. Whilst DICOM has revolutionised the medical imaging industry, it also presents potential vulnerabilities.
We spoke with Christiaan Beek, Senior Director of Threat Analytics at Rapid7, on the risks associated with DICOM and what hospitals can do to protect themselves and their patients.
How does DICOM work?
DICOM serves as the global standard for managing, storing, and transmitting medical images and relevant information. DICOM is not just an image format. It incorporates a comprehensive set of protocols that facilitate seamless communication between various medical imaging equipment—like MRI scanners, X-ray machines, and specialised computer workstations.
When you look at a DICOM file, you’re not just seeing the medical image itself. You’re also accessing an extensive array of intrinsically linked metadata with that image. This metadata can carry essential information, from patient demographics and clinical details to, in some cases, highly sensitive data like the patient’s full name and date of birth.
DICOM is a cornerstone in modern healthcare, allowing for a robust, versatile exchange of medical images and information. However, it comes with its own security challenges, and one of the biggest issues for DICOM occurs when it interacts with the open internet.
Why is DICOM unsecure?
The architecture of DICOM was designed primarily for facilitating the exchange of medical images and relevant data. Security was not the main focus during its initial development, so it’s susceptible to cyberattacks when exposed online. This lack of robust, built-in security measures means that when DICOM systems are not properly configured and safeguarded, they become potential entry points for cybercriminals.
In our investigation, we scanned DICOM ports exposed to the internet and found that hackers could access sensitive patient information without any form of authentication. Our findings also revealed vulnerabilities in veterinary clinics and private medical practices, not just hospitals. A cybercriminal could potentially obtain highly sensitive data just by searching for it on the internet.
Our study showed that 45% of the remote servers we connected to were susceptible to unauthorised data retrieval. Furthermore, out of 1,921 systems that responded to our verification scripts, 43% were open to a connection for data extraction. Alarmingly, basic Google searches could even download complete DICOM medical image sets, including MRIs.
So, whilst DICOM brings remarkable benefits to healthcare, it needs to be more secure. It requires additional layers of protection to defend against the cybersecurity risks it naturally introduces.
What are the exposure risks associated with DICOM?
There are several different risks around DICOM exposure, potentially harming both healthcare providers and their patients.
Patients trust hospitals to safeguard their personal information. Hence, jeopardising patient confidentiality and trust is the most prominent issue. If DICOM files are exposed to the internet without adequate security, there is a risk of unauthorised access to sensitive medical and personal data. Breaches like this have severe consequences, ranging from legal troubles and financial penalties to reputational damage for healthcare providers.
Not only does an unsecure system allow malicious entities to view medical data, but it also allows them to alter it. Such unauthorised modifications can result in inaccurate diagnoses, inappropriate treatments, and medical errors with potentially life-threatening consequences. The absence of robust security measures jeopardises the immediate wellbeing of patients, and it has long-term implications for their healthcare and treatment plans.
Another thing to consider: healthcare organisations have become a popular target for ransomware attacks in recent years. An exposed DICOM system can act as a stepping stone for cybercriminals to infiltrate, encrypt vital medical data, and hold it hostage for ransom payments.
Lastly, service interruptions due to denial-of-service (DoS) attacks are another concern. An unprotected DICOM server is a ripe target for these kinds of attacks, which could severely disrupt medical services and patient care.
What can healthcare organisations do to mitigate the risk?
Given the ever-changing cyber threat landscape, it’s crucial for healthcare organisations to update and fortify their cybersecurity strategies continually. This starts with regular scans to assess internet exposure and extends to the identification of all external-facing assets linked to known IP ranges or domain names. Our research found that in 45% of the cases we reviewed, the remote server accepted a connection that could be used to exfiltrate information. Scanning these servers regularly can reduce the possibility of an attack.
In cybersecurity, there’s a prevailing belief that visibility is paramount for protection. Quite often, especially among smaller healthcare institutions with limited resources, there’s a lack of awareness about the extent to which their devices are connected to the internet. Therefore, identifying exposed DICOM ports through extensive scanning is an important first step. It’s necessary to establish a routine for these scans, to consistently identify and address potential vulnerabilities in the DICOM data exposed.
Additionally, healthcare institutes must follow basic cyber hygiene practices like multi-factor authentication (MFA). It’s worth noting that in the first half of 2023 alone, weak MFA accounted for approximately 40% of security incidents. This emphasises the urgent need for rigorous MFA protocols, particularly for Virtual Private Networks (VPNs) and virtual desktop infrastructures.
Alongside this, healthcare institutes should invest in security controls such as network segmentation. This involves dividing an institute’s network into distinct segments, each of which is isolated from the others. Hence, if a security breach occurs, the potential damage is confined to that specific segment, effectively mitigating the overall impact of the attack.
Last but not least, healthcare providers must implement safeguards against data exfiltration. This could range from alert mechanisms for large file uploads to blocking recognised file-sharing sites and monitoring data archiving utilities.
Ultimately, by investing in a multi-layered defensive strategy, healthcare institutions can significantly mitigate the risks associated with DICOM data and protect the trust of their patients.
By Christiaan Beek, Senior Director, Threat Analytics at Rapid7