Legacy healthcare industry protocols present dangers that can leave hospitals extremely vulnerable to cyberattacks.

Black Hat Europe 2023: the past could come back to haunt you

The health sector will, I am sure, remain an important target for cybercriminals due to the enormous potential it offers them to monetize their efforts via ransomware demands or by misusing exfiltrated patient data. Operational disruption and sensitive data, such as medical records combined with financial and insurance data, provide an earning potential that simply does not exist in many other environments.

At Black Hat Europe 2023, the issue of legacy protocols still used by many healthcare organizations was presented by a team from Aplite GmbH. The problem of legacy protocols is not new: there are many cases where equipment or systems remain in use because of the significant cost of replacing them, even though they rely on protocols not suited to today's connected environment. For example, replacing an MRI scanner can cost up to $500,000, and if the only reason to replace the device is an end-of-life notice for the software that operates it, then accepting the risk may seem justifiable given budget constraints.

Problems with DICOM

The Aplite team highlighted issues with DICOM (Digital Imaging and Communications in Medicine), the standard used for the management and transmission of medical images and their associated data.

The protocol has been widely used in the medical imaging industry for over 30 years and has undergone numerous revisions and updates. A medical imaging scan usually produces multiple images; these are grouped into a series, and the associated patient data is stored with the images, along with any notes from the patient's medical team, including diagnoses. The data is then accessed via the DICOM protocol through software that allows it to be viewed, added to and modified.

Older versions of DICOM did not require any authentication or authorization to access data, allowing anyone who could establish a connection to a DICOM server to potentially read or modify it. Aplite's presentation showed that 3,806 servers running DICOM are publicly reachable on the Internet and hold data relating to 59 million patients, of which just over 16 million records include identifiable information such as name, date of birth, address or social security number.

The study found that only 1% of the Internet-accessible servers had implemented the authorization and authentication mechanisms available in current versions of the protocol. It is important to note that organizations that understand the associated risk and have taken proactive steps may already have removed their servers from public access by segmenting them onto networks with appropriate authentication and security measures to protect patients and medical data.
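As an added illustration of the authentication gap described above (this is example code, not Aplite's material or a real DICOM implementation), here is a simplified parser for the DICOM A-ASSOCIATE-RQ PDU that a server-side policy could use to refuse associations arriving without a User Identity Negotiation sub-item, the in-protocol identification mechanism newer DICOM versions offer. Field offsets and item types follow DICOM PS3.7 Annex D; the AE titles, username and the builder helpers are constructed sample data, and the User Information item is simplified (it omits sub-items a real client always sends).

```python
import struct

def parse_associate_rq(pdu: bytes) -> dict:
    """Extract AE titles and any User Identity sub-item from an A-ASSOCIATE-RQ."""
    if len(pdu) < 74 or pdu[0] != 0x01:
        raise ValueError("not an A-ASSOCIATE-RQ PDU")
    # Fixed header: type(1) reserved(1) length(4) version(2) reserved(2) called(16) calling(16) reserved(32)
    info = {"called_ae": pdu[10:26].decode("ascii").strip(),
            "calling_ae": pdu[26:42].decode("ascii").strip(), "user_identity": None}
    pos = 74  # variable items start here: 0x10 app context, 0x20 pres. context, 0x50 user info
    while pos + 4 <= len(pdu):
        item_type, item_len = pdu[pos], struct.unpack(">H", pdu[pos + 2:pos + 4])[0]
        body, sub = pdu[pos + 4:pos + 4 + item_len], 0
        while item_type == 0x50 and sub + 4 <= len(body):  # walk User Information sub-items
            sub_type, sub_len = body[sub], struct.unpack(">H", body[sub + 2:sub + 4])[0]
            if sub_type == 0x58:  # User Identity Negotiation request (PS3.7 D.3.3.7)
                f = body[sub + 4:sub + 4 + sub_len]
                primary_len = struct.unpack(">H", f[2:4])[0]
                info["user_identity"] = {"type": f[0], "primary": f[4:4 + primary_len].decode()}
            sub += 4 + sub_len
        pos += 4 + item_len
    return info

def association_allowed(pdu: bytes, allowed_ae: set, require_identity: bool = True) -> bool:
    """Policy gate: calling AE title must be on the allowlist and, by default, identify a user."""
    info = parse_associate_rq(pdu)
    if info["calling_ae"] not in allowed_ae:
        return False
    return not require_identity or info["user_identity"] is not None

def build_rq(calling: str, called: str, user_items: bytes = b"") -> bytes:
    """Minimal A-ASSOCIATE-RQ builder used only to construct sample input (simplified)."""
    app_ctx = b"1.2.840.10008.3.1.1.1"
    items = bytes([0x10, 0]) + struct.pack(">H", len(app_ctx)) + app_ctx
    items += bytes([0x50, 0]) + struct.pack(">H", len(user_items)) + user_items
    body = struct.pack(">HH", 1, 0) + called.ljust(16).encode() + calling.ljust(16).encode() + bytes(32) + items
    return bytes([0x01, 0]) + struct.pack(">I", len(body)) + body

def user_identity_item(username: str) -> bytes:
    """User Identity sub-item of type 1 (username only), constructed."""
    primary = username.encode()
    fields = bytes([1, 0]) + struct.pack(">H", len(primary)) + primary + struct.pack(">H", 0)
    return bytes([0x58, 0]) + struct.pack(">H", len(fields)) + fields

# Constructed sample requests: a legacy modality that never identifies a user, and a modern one that does.
LEGACY_RQ = build_rq("OLD_WORKSTATION", "PACS")
MODERN_RQ = build_rq("RAD_WS_01", "PACS", user_identity_item("dr.smith"))
```

The AE title allowlist on its own is not authentication, since a client chooses its own title; the User Identity sub-item and DICOM's TLS-based secure transport profiles are the mechanisms that actually bind an association to a verified party.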

Healthcare is an industry subject to strict laws and regulations, such as HIPAA (US), GDPR (EU) and PIPEDA (Canada). It is therefore surprising that 18.2 million of the records accessible on these public servers are located in the United States.


Protection of critical systems

The misuse of data on these exposed servers offers cybercriminals a huge opportunity. Extorting patients by threatening to publicly disclose their diagnoses, altering data to create false diagnoses, demanding a ransom from the responsible hospitals or other healthcare providers for data that has been altered, misusing patients' social security numbers and personal information, or using this information in spearphishing campaigns are just some of the ways this data could be used to monetize cybercrime.

The problem of securing legacy systems with known security weaknesses, such as DICOM, should be on the radar of regulators and legislators. If regulators with the power to impose financial or other sanctions specifically required organizations to confirm that these vulnerable systems have appropriate security measures in place to protect medical and personal data, this would incentivize those using such systems to secure them.

Many industries suffer from the burden of costly replacement of legacy systems, including utilities, healthcare and maritime, to name a few. It is important that these systems are replaced or, where replacement is too complex or financially difficult, that appropriate measures are taken to prevent these protocols from the past from coming back to haunt you.
