More than 737 million medical radiological images found on open PACS servers

Pierluigi Paganini September 18, 2019

Researchers at Greenbone Networks, a vulnerability analysis and management company, discovered about 400 million medical radiological images exposed online via unsecured PACS servers.

The Greenbone Networks experts found nearly 600 unprotected servers exposed online that contained medical radiological images. The research was conducted between mid-July 2019 and early September 2019.

The unprotected medical image storage systems were located in 52 countries. The experts found that they were affected by some 10,000 vulnerabilities, more than 500 of them rated with the highest severity score (CVSS 10 out of 10).

Greenbone Networks researchers analyzed about 2,300 Picture Archiving and Communication System (PACS) systems exposed online.

PACS servers are used in the healthcare industry to archive images created by radiological procedures and to make them available to medical staff for analysis and diagnosis. These systems use the DICOM (Digital Imaging and Communications in Medicine) standard to manage medical imaging data. The DICOM network protocol performs no user authentication by default: a server typically accepts an association on TCP port 104 or 11112 on the basis of the Application Entity (AE) title alone, and the standard's optional TLS and user-identity profiles are rarely deployed. A PACS reachable from the Internet will therefore usually answer queries from any client that asks.
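A quick way to see what such a scan effectively checks is to open a DICOM association against a PACS yourself. The script below is an added example, not Greenbone's tooling and not code from the original article: it hand-builds the A-ASSOCIATE-RQ PDU defined in DICOM PS3.8, proposes only the Verification SOP class (the C-ECHO "ping"), and classifies the first PDU that comes back. The AE titles and the implementation class UID are placeholders, and the sample A-ASSOCIATE-AC is constructed for the offline demonstration rather than captured from a real server. Run the live probe only against systems you are authorised to test.

```python
"""Check whether a DICOM service accepts an association from an arbitrary client.

Added example, not Greenbone's scanner. It builds the DICOM Upper Layer PDUs
(PS3.8) by hand and parses the reply, so everything except probe() runs offline.
The AE titles and the implementation class UID below are placeholders (assumption).
"""
import socket
import struct

APPLICATION_CONTEXT = "1.2.840.10008.3.1.1.1"   # DICOM application context name
VERIFICATION_SOP = "1.2.840.10008.1.1"          # Verification SOP class (C-ECHO)
IMPLICIT_VR_LE = "1.2.840.10008.1.2"            # default transfer syntax
IMPL_CLASS_UID = "1.2.826.0.1.3680043.9.9999"   # placeholder implementation UID (assumption)


def _item(item_type: int, payload: bytes) -> bytes:
    """UL item/sub-item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae_title(title: str) -> bytes:
    """AE titles are 16 bytes of ASCII, space padded."""
    return title.encode("ascii")[:16].ljust(16, b" ")


def build_associate_rq(called_ae: str = "ANY-SCP", calling_ae: str = "PROBE",
                       max_pdu: int = 16384) -> bytes:
    """A-ASSOCIATE-RQ proposing one presentation context: Verification SOP class."""
    app_ctx = _item(0x10, APPLICATION_CONTEXT.encode())
    pres_ctx = _item(0x20, bytes([1, 0, 0, 0])          # context id 1 + 3 reserved bytes
                     + _item(0x30, VERIFICATION_SOP.encode())
                     + _item(0x40, IMPLICIT_VR_LE.encode()))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", max_pdu))
                      + _item(0x52, IMPL_CLASS_UID.encode()))
    body = (struct.pack(">HH", 1, 0)                   # protocol version 1, reserved
            + _ae_title(called_ae) + _ae_title(calling_ae) + bytes(32)
            + app_ctx + pres_ctx + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body   # type, reserved, length


def classify_response(pdu: bytes) -> dict:
    """Interpret the first PDU an SCP returns in answer to our A-ASSOCIATE-RQ."""
    if len(pdu) < 6:
        return {"status": "no-dicom"}
    pdu_type = pdu[0]
    if pdu_type == 0x02:                                 # A-ASSOCIATE-AC
        accepted, rejected = [], []
        items = pdu[6 + 68:]                             # skip version + reserved/AE fields
        while len(items) >= 4:
            item_type, _, length = struct.unpack(">BBH", items[:4])
            payload = items[4:4 + length]
            if item_type == 0x21 and len(payload) >= 4:  # presentation context (AC form)
                ctx_id, _, result, _ = payload[:4]       # result 0 = accepted
                (accepted if result == 0 else rejected).append(ctx_id)
            items = items[4 + length:]
        return {"status": "accepted", "accepted_contexts": accepted,
                "rejected_contexts": rejected}
    if pdu_type == 0x03 and len(pdu) >= 10:              # A-ASSOCIATE-RJ
        _, result, source, reason = pdu[6:10]
        return {"status": "rejected", "result": result, "source": source, "reason": reason}
    if pdu_type == 0x07:                                 # A-ABORT
        return {"status": "aborted"}
    return {"status": "unknown", "pdu_type": pdu_type}


def sample_associate_ac(accept: bool = True) -> bytes:
    """Constructed A-ASSOCIATE-AC (not a capture) from a PACS that takes any caller."""
    result = 0 if accept else 3                          # 3 = abstract syntax not supported
    pres_ac = _item(0x21, bytes([1, 0, result, 0]) + _item(0x40, IMPLICIT_VR_LE.encode()))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384)) + _item(0x52, b"1.2.3"))
    body = (struct.pack(">HH", 1, 0) + bytes(64)
            + _item(0x10, APPLICATION_CONTEXT.encode()) + pres_ac + user_info)
    return struct.pack(">BBI", 0x02, 0, len(body)) + body


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int = 104, timeout: float = 5.0) -> dict:
    """Send an A-ASSOCIATE-RQ, classify the reply and release the association."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq())
        head = _recv_exact(sock, 6)
        reply = head
        if len(head) == 6:
            reply += _recv_exact(sock, struct.unpack(">BBI", head)[2])
        verdict = classify_response(reply)
        if verdict["status"] == "accepted":              # A-RELEASE-RQ: type 5, length 4
            sock.sendall(bytes([0x05, 0, 0, 0, 0, 4, 0, 0, 0, 0]))
    return verdict


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                                # python probe.py HOST [PORT]
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 104))
    else:
        print(classify_response(sample_associate_ac()))
```

If the reply is an A-ASSOCIATE-AC with presentation context 1 accepted, the service is willing to talk to a client it has never seen, which is the condition under which C-FIND and C-MOVE requests for the patient fields listed below would also succeed. An A-ASSOCIATE-RJ with source 1 and reason 7 (called AE title not recognised) means the server at least restricts by AE title, although such titles are often short, guessable strings and offer little real protection.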

The experts identified 590 PACS servers that were accessible from the Internet and allowed them to retrieve about 24.3 million patient records.

“Of the 2,300 archive systems worldwide that were analyzed, 590 of them have been identified as accessible on the internet; together they contain over 24 million data records from patients from across 52 countries.” reads the report published by Greenbone. “There are more than 737 million images linked to this patient data, around 400 million of which are accessible or can be easily downloaded from the internet. In addition, there are 39 systems that allow access to patient data via an unencrypted HTTP Web Viewer, without any protection.”

Most of the exposed records included the following personal and medical details:

  • First name and surname
  • Date of birth
  • Date of examination
  • Scope of the investigation
  • Type of imaging procedure
  • Attending physician
  • Institute/clinic
  • Number of generated images

The researchers used the RadiAnt DICOM Viewer to analyze data from the open PACS servers exposed online; they were able to download and view 399.5 million of the 733.5 million images.

Looking at the geographic distribution of the leaking PACS servers, most of the unprotected systems in North America are in the U.S.

“In the US, the number is orders of magnitude higher with 13.7 million data sets and 45.8 million images freely accessible on the internet.” continues the report.

The experts found that Italy has the highest number of affected systems (10) in Europe and is also the European country with the largest amount of leaked medical information.


In South America, most of the exposed images were stored on PACS servers in Brazil (34 systems), where the experts found 640,000 data sets and 31.1 million images.

Most of the open servers in Asia are in India (100), while the largest number of data records (4.9 million) is in Turkey.

Apart from these problems, the audit found that 45 PACS served data over an insecure protocol such as HTTP or FTP instead of DICOM, so the data stored on them could be accessed with an ordinary web browser or FTP client, without authentication.

One of them exposed the files of its DICOM archive in a web directory listing, allowing anyone to browse and download them with a web browser.

The researchers estimated that the value of the leaked data on the Darknet would probably exceed one billion US dollars.

“This data could be exploited by attackers for various purposes. These include publishing individual names and images to the detriment of a person’s reputation; connecting the data with other Darknet sources to make phishing social engineering even more effective; reading and automatically processing the data to search for valuable identity information, such as Social Security Numbers, in preparation for identity theft.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – PACS servers, data leak)
