Unprotected DICOM servers remain a security risk


Thousands of radiology archives worldwide have serious security gaps that could leave them vulnerable to denial-of-service attacks or potentially even theft of patient data, according to research from Massachusetts General Hospital (MGH). And the situation isn't getting any better.

When the MGH team repeated a global search it performed in previous years to find unprotected DICOM servers, it still found nearly 2,800 unprotected DICOM servers worldwide. What's more, over 800 (25%) of these servers were fully open to communication with outside computers.

"Their vulnerabilities can be exploited even with the most basic, legal DICOM-compliant tools," said Oleg Pianykh, PhD, of MGH. He shared the findings in a scientific session at RSNA 2016 in Chicago.

A global security search

In an attempt to ascertain security risks, the researchers designed an application to test whether an arbitrary computer -- identified by its Internet Protocol (IP) address -- supports a clinical data networking protocol such as DICOM or HL7.

"If you connect to something in DICOM and that something replies back to you, you are talking to a medical device [that] is not secured," he said. "It's as simple as that."

After querying all possible IP addresses and identifying the ones that responded positively to the DICOM protocol requests, they used geolocation techniques to map the unidentified and unprotected IP addresses and pinpoint their coordinates, providers, and owners. Thanks to some multicore programming and a highly parallel Amazon computing cluster, the researchers were able to scan 4 billion IP addresses -- the entire IP space -- in 22 hours, Pianykh said.

They calculated the number of overall unprotected DICOM IP addresses, as well as those that also accepted external DICOM "handshakes" (i.e., communication requests), meaning they were fully open to DICOM communication with outside computers. The group performed the study in 2014, in 2015, and again in late 2016.

Pianykh noted that their application was used only for protocol verification purposes. No clinical data were accessed or manipulated during the tests, he said.
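
The study distinguishes servers that merely answer in DICOM from those that accept the handshake. As an added example (not the MGH team's application), the Python code below classifies the first reply PDU recorded from your own archive during an authorized check, using the PDU header and reject fields of the DICOM Upper Layer protocol (PS3.8). The sample bytes, the AE titles, and the labels "open", "speaks-dicom" and "closed" are constructed for illustration.

```python
import struct

# PDU type codes from the DICOM Upper Layer protocol (PS3.8).
A_ASSOCIATE_AC, A_ASSOCIATE_RJ, A_ABORT = 0x02, 0x03, 0x07

# A-ASSOCIATE-RJ reasons when the source field is 1 (service user).
RJ_USER_REASONS = {
    1: "no reason given",
    2: "application context name not supported",
    3: "calling AE title not recognized",
    7: "called AE title not recognized",
}

def classify_reply(data):
    """Return (exposure, detail) for the first PDU a listener sent back."""
    if not data:
        return ("closed", "no reply: filtered or not a DICOM listener")
    if len(data) < 6:
        return ("unknown", "truncated PDU header")
    pdu_type, _reserved, length = struct.unpack(">BBI", data[:6])
    body = data[6:6 + length]
    if pdu_type == A_ASSOCIATE_AC:
        # Handshake accepted: the peer can go on to issue DICOM requests.
        return ("open", "association accepted")
    if pdu_type == A_ASSOCIATE_RJ:
        if len(body) < 4:
            return ("unknown", "truncated A-ASSOCIATE-RJ")
        _, result, source, reason = body[:4]
        kind = "permanent" if result == 1 else "transient"
        if source == 1:
            why = RJ_USER_REASONS.get(reason, f"reason {reason}")
        else:
            why = f"provider source {source}, reason {reason}"
        # A reject still tells an outsider that this host speaks DICOM.
        return ("speaks-dicom", f"rejected ({kind}): {why}")
    if pdu_type == A_ABORT:
        return ("speaks-dicom", "association aborted")
    return ("unknown", f"unexpected PDU type 0x{pdu_type:02x}")

# Constructed sample replies (not captured from any real system).
SAMPLE_ACCEPT = (bytes([0x02, 0x00]) + struct.pack(">I", 68) + b"\x00\x01\x00\x00"
                 + b"ARCHIVE".ljust(16) + b"AUDIT".ljust(16) + bytes(32))
SAMPLE_REJECT = bytes([0x03, 0x00]) + struct.pack(">I", 4) + bytes([0, 1, 1, 3])

if __name__ == "__main__":
    for name, raw in [("accept", SAMPLE_ACCEPT), ("reject", SAMPLE_REJECT), ("silent", b"")]:
        print(name, classify_reply(raw))
```

An archive that restricts peers by AE title lands in "speaks-dicom"; only one that is also unreachable from untrusted networks lands in "closed".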

No. of unprotected DICOM servers

| | 2014 | 2016 | Change |
|---|---|---|---|
| No. of unprotected DICOM addresses | 2,774 | 2,782 | 0.2% |
| No. of unprotected DICOM IP addresses that were fully open to outside communication | 719 | 821 | 14.2% |

Of the 821 IP addresses that were open to outside communication, 750 were also fully open to DICOM protocols for finding patient information, Pianykh said. The U.S. had the most unprotected DICOM servers in 2016.

No. of unprotected DICOM servers in 2016 by country
  1. U.S.: 1,150
  2. India: 229
  3. Turkey: 153
  4. China: 116
  5. Egypt: 115
  6. Brazil: 96
  7. Iran: 93
  8. Republic of Korea: 70
  9. South Africa: 51
  10. Canada: 49
  11. Thailand: 45
  12. Hungary: 36
  13. Taiwan: 35
  14. Germany: 34
  15. Italy: 32
  16. Australia: 29
  17. Colombia: 24
  18. Spain: 24
  19. Russia: 22
  20. Greece: 21

Not getting any better

After comparing the 2016 search results with previous years, Pianykh found that half of unsecure DICOM servers remained unsecure the next year. A denial-of-service attack could potentially be used to take down those servers, he said.

"Three hundred medical devices in the U.S. could be taken down right now instantaneously," he said. "[The security situation] is bad."

He also noted that the number of clinical servers in a country is the major predictor for the number of unsecure servers.

After "20-plus years of digital networking in healthcare, patient data is still unsecured," Pianykh said. "If you think that your hospital has not been hacked yet, then most probably you just do not know that you have been hacked."
