Researchers at CybelAngel have found hundreds of servers and systems that have been leaking patients’ medical data for a long time. The research identified over 45 million images of MRI scans, X-rays, and CT scans, along with patients’ PII, from several medical centers and hospitals, which could be exploited, the researchers warned.
Freely Accessible From Surface Web
A cybersecurity firm called CybelAngel has investigated medical device security for over six months and shared a report calling it utterly poor. Their researchers have discovered over 45 million medical images classified as X-rays, MRI, and CT scans exposed to everyone.
The medical data is also accompanied by personally identifiable information such as the patient’s name, date of birth, physician’s name, type of body part photographed, and the medical center where the patient was treated. All of this was obtained from hundreds of hospitals and medical centers across the world.
Researchers warned that exposing this type of data can lead to various forms of exploitation. Hackers who steal this data can sell it on the dark web, or use the medical records as proof to blackmail and extort patients for money. Alternatively, they can use the exposed servers and systems to inject ransomware.
As if this weren’t bad enough, researchers identified scripts and cryptocurrency miners on some of the devices in their investigation. This confirms that the researchers at CybelAngel weren’t the first to discover these exposed machines. They blamed poor security practices, such as connected devices and not setting passwords.
The Digital Imaging and Communications in Medicine (DICOM) files are accessible to everyone from the surface web with simple browsing. The use of FTP or SMB protocols and unpatched security flaws are the cause. Since contacting every single institution isn’t possible, the researchers shared the investigation’s statistics to warn about potential attacks.