Full Body Exposure: CybelAngel Analysis of Medical Data Leaks
Full Body Exposure: CybelAngel Analysis of Medical Data Leaks (Press Release).
CybelAngel identifies medical devices and web portals leaking unprotected images including X-rays and CT Scans PARIS and NEW YORK, December 15, 2020 – The analyst team at CybelAngel, a global leader in digital risk protection, has discovered that more than 45 million medical imaging files – including
X-rays and CT scans – are freely accessible on unprotected servers, in a new research report released today. The report “Full Body Exposure” is the result of a six-month investigation into
Network Attached Storage (NAS) and Digital Imaging and Communications in
Medicine (DICOM), the de facto standard used by healthcare professionals to
send and receive medical data. The analysts discovered millions of sensitive
images, including personal healthcare information (PHI), were available
unencrypted and without password protection.
CybelAngel tools scanned approximately 4.3 billion IP addresses and detected
more than 45 million unique medical images left exposed on over 2,140
unprotected servers across 67 countries including the US, UK, France and
Germany.
The analysts found that openly available medical images, including up to 200
lines of metadata per record which included PII (personally identifiable
information; name, birth date, address, etc.) and PHI (height, weight,
diagnosis, etc.), could be accessed without the need for a username or
password. In some instances login portals accepted blank usernames and
passwords.
“The fact that we did not use any hacking tools throughout our research
highlights the ease with which we were able to discover and access these
files,” says David Sygula, Senior Cybersecurity Analyst at CybelAngel and
author of the report. “This is a concerning discovery and proves that more
stringent security processes must be put in place to protect how sensitive
medical data is shared and stored by healthcare professionals. A balance
between security and accessibility is imperative to prevent leaks from becoming
a major data breach.”
Todd Carroll, CybelAngel CISO further commented, “Medical centers work with a
vast, interconnected web of third-party providers and the cloud is an essential
platform for sharing and storing data. However, gaps in security, such as this,
present a huge risk, both for the individuals whose data is compromised and the
healthcare institutions that are governed by regulations to protect patients’
data. The health sector has faced unprecedented challenges this year, however
the security and privacy of their patients’ most personal records must be
protected, to prevent highly confidential data falling into the wrong hands.”
The report highlights the security risks of publicly accessible images
containing highly personal information including ransomware and blackmail.
Fraud is a particular risk, as this type of imagery fetches a premium on the
dark web.
From a compliance standpoint, healthcare providers are also liable to sanctions
under regulations such as GDPR in Europe, and HIPAA in the US, for breaches of
sensitive patient information.
CybelAngel advises there are simple steps that healthcare facilities can take
to safeguard the way they share and store data including to:
Determine if pandemic response exceeds your security policies: Ad hoc NAS
devices, file-sharing apps and contractors may take data beyond your ability to
enforce access controls
Ensure proper network segmentation of connected medical imaging equipment:
Minimize any exposure critical diagnostic equipment and supporting systems have
to wider business or public networks
Conduct real-world audit of third-party partners: Assess which parties may be
unmanaged or not in compliance with required policies and protocols.
CybelAngel provides a complimentary, comprehensive 30-day data exposure
assessment healthcare and other organizations use to measure their risk and
uncover priority issues.
The full report can be found here.
About CybelAngel
CybelAngel is a leading digital risk management platform that provides
enterprises with actionable threat intelligence from data leaks both inside and
outside the firewall. CybelAngel enables effective remediation and improved
cybersecurity posture. By leveraging artificial intelligence and proven machine
learning capabilities, it monitors, detects and manages digital risk from third
parties and across all layers of the Internet. Global organizations rely on
CybelAngel to protect their intellectual property, brand, and reputation. Every
day, CybelAngel detects data leaks that others don’t. To learn more, visit
CybelAngel.com
Quelle: Press Release, 14.12.2020
