Leaky DICOM Medical Standard Exposes Millions of Patient Records

Around 60 million personal and medical records may have been exposed during the past few decades due to the use of a legacy protocol in medical equipment, researchers say.

Researchers from Aplite examined the Digital Imaging and Communications in Medicine (DICOM) protocol, which is an internationally recognized standard for medical imaging transfers that’s implemented in most radiology, cardiology imaging, and radiotherapy settings globally. They found that users of the protocol often do not use the security controls, according to research titled “Millions of Patient Records at Risk: The Perils of Legacy Protocols,” which they will present at Black Hat Europe in London in December.

Aplite senior IT security consultants Sina Yazdanmehr and Ibrahim Akkulak detected more than 3,800 servers using the DICOM protocol that were accessible on the Internet, and 30% of those were leaking sensitive data.

The researchers explained that the DICOM protocol does contain security measures such as TLS integration and user identification, but that most vendors don’t implement them, for a variety of reasons. These include a lack of awareness about the security risks; development of the hardware before the security measures existed, which makes upgrades complicated and time-consuming (and maybe not even feasible); and the fact that some vendors target smaller organizations that often lack the IT infrastructure needed to implement security measures such as access control and certificates.

“Managing TLS certificates is complicated. It demands significant expertise and resources to avoid resorting to insecure self-signed certificates,” Yazdanmehr says. He also claims that none of the security measures are mandatory, so a lack of regulatory governance could be seen as another cause of the insecurity.

Perhaps the security holes are to be expected, given that the most recent version of the protocol was introduced 30 years ago, in 1993, with the original published in 1985 and a revised edition in 1988. Yazdanmehr says there were some updates in 2021, “but not in regard to the security improvements that we wanted to see.”

Imaging Machine Exposure Affects Millions of Patients

The researchers estimate that over 30 years, 59 million records could have been visible, “including personal information like names, addresses, dates of birth, gender — and in some cases, we could even see the Social Security numbers of those people.”

They also say there were medical records that showed examination results in some cases, such as an MRI, X-ray, or CT scan result, as well as the examination date and time.

Yazdanmehr says that the vendors of the machines they had spoken with were aware of the issues, but adds that they were unaware of how big the risk is and what the volume of data leakage is.

He points out that the devices should be able to talk to each other and exchange data, but that moving electronic records securely requires every link in the chain to be secure and up to date. Until the majority of equipment and medical devices can support advanced and complex security measures, he says, there will be a problem.

The researchers have published an advisory on the security issues, and they suggest that users evaluate whether there is a genuine need to expose a DICOM server to remote access and to keep communications internal if possible.

DICOM: No Security Issues on Our End

A spokesperson for DICOM said in a statement that DICOM is a standard protocol that manufacturers choose to use, and that vendors and healthcare delivery organizations are the ones to ultimately decide which security mechanisms are appropriate for their environments.

Thus, the DICOM standard does not inherently pose a security risk, according to the statement, which pointed out that there’s a “Secure Connection capability” that’s been specified in DICOM for almost two decades, and that it’s updated regularly to reflect recommendations from the National Institute of Standards and Technology (NIST) and other international standard-setting organizations.

“The implementation, deployment, purchase, maintenance and configuration of systems that implement the DICOM standard are the responsibility of the product vendors and their customers,” according to the statement. “Further, it is the responsibility of the vendors to provide and maintain software implementations. In short, proper security is a shared responsibility between device manufacturers and health delivery organizations. To claim it’s the sole responsibility of a standard is false.”

The researchers say they agree with the statement, and that they hope the presentation at Black Hat Europe helps to sound the alarm on the data leakage issue.

“Hopefully, we can increase the awareness, make it better, and the number goes down and more vendors and hospitals start hardening their infrastructure,” Yazdanmehr says. “But I think it’s going to be a kind of a long journey.”