Researchers from Aplite have identified potential exposure of around 60 million personal and medical records due to vulnerabilities in the Digital Imaging and Communications in Medicine (DICOM) protocol. The 30-year-old protocol, widely used in radiology, cardiology, and radiotherapy settings, is frequently deployed without proper security controls, leading to data leaks.
Aplite’s investigation found over 3,800 servers using DICOM accessible online, with 30% leaking sensitive information. Although the DICOM protocol defines security measures, many vendors do not implement them, citing a lack of awareness, outdated hardware, and a focus on smaller organizations.
A DICOM spokesperson argues that the standard is not inherently insecure, placing responsibility on manufacturers and healthcare organizations to implement appropriate security mechanisms.
Why Does It Matter?
Over the past 30 years, an estimated 59 million records may have been visible, including names, addresses, dates of birth, and even Social Security numbers. The potential exposure of medical records, such as MRI and X-ray results, poses a significant risk to patient privacy.
What’s the Fix?
Aplite suggests users evaluate the necessity of exposing a DICOM server to remote access and keep communications internal whenever possible. It calls for heightened awareness and security measures in the healthcare sector.
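One way to act on that advice is to audit which DICOM listeners are reachable beyond the internal network before anyone else does. The script below is an added example, not tooling from Aplite or code from the DICOM standard; it assumes an inventory in the shape shown (AE title, bind address, port, whether TLS is enabled), and every host, AE title and port value in it is constructed, with 203.0.113.25 (a documentation-range address) standing in for a public IP. It treats RFC 1918 and loopback ranges as internal, flags listeners bound to all interfaces or to public addresses, and rates unencrypted public listeners highest.

```python
"""
Added example (not Aplite's tooling or the DICOM standard's own code):
audit a constructed inventory of DICOM listeners and flag the ones that
should not be reachable from outside the internal network.
"""
import ipaddress
from typing import Dict, List

# Address ranges we treat as "internal" (RFC 1918 plus loopback).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Well-known DICOM listener ports (104 historic, 11112 IANA-registered).
DICOM_PORTS = {104, 11112}

# Constructed sample inventory: AE titles, hosts and ports are made up.
# 203.0.113.25 is a documentation-range address standing in for a public IP.
SAMPLE_INVENTORY: List[Dict] = [
    {"ae_title": "PACS_MAIN",  "host": "10.20.5.14",   "port": 104,   "tls": False},
    {"ae_title": "MRI_01",     "host": "192.168.40.7", "port": 11112, "tls": False},
    {"ae_title": "LEGACY_CT",  "host": "203.0.113.25", "port": 104,   "tls": False},
    {"ae_title": "TELERAD_GW", "host": "0.0.0.0",      "port": 11112, "tls": True},
    {"ae_title": "VENDOR_SVC", "host": "pacs.example", "port": 4242,  "tls": False},
]


def classify_host(host: str) -> str:
    """Return 'internal', 'all-interfaces', 'public' or 'unresolved'."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unresolved"       # hostname: resolve it out-of-band before judging
    if addr.is_unspecified:
        return "all-interfaces"   # 0.0.0.0 / :: binds every NIC, including any public one
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "public"


def audit(inventory: List[Dict]) -> List[Dict]:
    """Return one finding per listener that is not clearly internal-only."""
    findings = []
    for entry in inventory:
        exposure = classify_host(entry["host"])
        if exposure == "internal":
            continue
        # Unencrypted DICOM on a public interface is the worst case: the
        # association and the patient data inside it cross the network in clear.
        if exposure == "public" and not entry["tls"]:
            severity = "high"
        elif exposure in ("public", "all-interfaces"):
            severity = "medium"
        else:
            severity = "info"
        findings.append({
            "ae_title": entry["ae_title"],
            "host": entry["host"],
            "port": entry["port"],
            "standard_port": entry["port"] in DICOM_PORTS,
            "exposure": exposure,
            "tls": entry["tls"],
            "severity": severity,
        })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per severity, e.g. for a dashboard or a ticket."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for finding in findings:
        counts[finding["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f['severity']:6}] {f['ae_title']:<11} {f['host']}:{f['port']} "
              f"exposure={f['exposure']} tls={f['tls']}")
    print(summarize(results))
```

Run against a real inventory, the "all-interfaces" entries deserve the same scrutiny as the public ones: a server bound to 0.0.0.0 behind a firewall is only as internal as that firewall's rules, and that is exactly the control Aplite is asking organizations to re-check.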
Responsibility in the Spotlight
The DICOM standards body, for its part, says that manufacturers and healthcare organizations decide which security mechanisms to deploy. The protocol itself, it argues, is relatively safe; proper security, it says, is a shared responsibility between device manufacturers and healthcare organizations.
The Aplite team hopes to raise awareness with their findings. As they head to Black Hat Europe, they envision a future where vendors and hospitals fortify their infrastructure, reducing risks and securing sensitive medical data.