From the May 2020 issue of HealthCare Business News magazine
By Ido Geffen
In hospitals, cyber risks tend to be most prevalent in the radiology department.
Radiology departments largely integrated their devices into networks 30 years ago, long before the boom in cybersecurity risks and despite being early adopters, they often struggle to keep up with the pace of security. The reality is that today over 55% of imaging devices run deprecated or otherwise unpatched versions of Windows, ostensibly vulnerable to exploits such as BlueKeep or DejaBlue. But the problem goes beyond a wide attack surface for known vulnerabilities and includes easily preventable risks around poor, outdated IT design and security practices.
Designed long before modern cybersecurity risks arose, data centers and systems serving medical imaging and file management needs are rarely installed and configured with even a modicum of security in mind. The issue is further exacerbated by the fact that most hospitals only have a few PACS servers receiving and storing all their imaging data — jeopardizing an enormous swath of their exploitable attack surface with only a few points of failure.
Special-Pricing Available on Medical Displays, Patient Monitors, Recorders, Printers, Media, Ultrasound Machines, and Cameras.This includes Top Brands such as SONY, BARCO, NDS, NEC, LG, EDAN, EIZO, ELO, FSN, PANASONIC, MITSUBISHI, OLYMPUS, & WIDE.
In late 2019 Greenbone Networks conducted some research around imaging server practices and their data privacy impact. Greenbone’s investigation revealed the staggering amount of medical images and associated personal information (like medical records, social security numbers, and financial details) that is openly accessible from the internet.
According to the Greenbone report, the number of private medical images currently online stands at 1.19 billion. Of those, 370 million images (over 30% of those images) can be accessed from the internet without requiring any type of password protection or authentication. Not all those images belong to different patients or different records, however. When grouping those images and associated data into contained, individualized data sets, Greenbone estimated that there around 9 million separate patients all over the world whose private data is available for public consumption. Six million of those patients are believed to be U.S. citizens.
The unsecured data infrastructure at the heart of this problem is the Picture Archiving and Communication System (PACS). PACS servers are used to store images taken by devices such as Ultrasound, X-ray, CT, and MR machines. After one of these devices takes a picture, it is sent to the PACS server, where it is stored and — if configured properly — only accessed thereafter for legitimate medical purposes and by authorized individuals.