Researchers have discovered over 45 million medical imaging files which are openly accessible on unprotected connected storage devices linked to hospitals and medical centers worldwide.
These recent findings are the result of a six-month investigation conducted by cybersecurity firm CybelAngel. The investigation looked into Network Attached Storage (NAS) devices and Digital Imaging and Communications in Medicine (DICOM), the standard used to exchange medical images and their associated data between healthcare professionals.
They scanned roughly 4.3 billion IP addresses, uncovering more than 45 million medical images on over 2,140 unprotected servers across 67 countries.
The images they found contained up to 200 lines of metadata per image, which revealed personally identifiable information such as name, birthdate, height, weight, etc. These images could be accessed without a username or password.
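The metadata the researchers describe lives in the DICOM data elements that precede the pixel data in every file: each element is a (group, element) tag, a value representation (VR), a length and a value, and the patient identifiers sit in group 0010. The following added example (not part of the article or of CybelAngel's research) is a minimal explicit-VR little-endian element parser that lists which identifying elements a file carries and blanks them. The sample dataset is constructed inline; tags for PatientName, PatientID, PatientBirthDate, PatientSize and PatientWeight are the standard DICOM tags, while the redaction policy (blank everything except a fixed placeholder name) is an assumption made for the example rather than a full de-identification profile.

```python
import struct

# Standard DICOM tags for the identifiers the article names (name, birth date,
# height, weight) plus the patient ID.  Assumption for this example: these are
# the only elements we treat as PII; a real profile (DICOM PS3.15 Annex E)
# covers many more.
PII_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x1020): "PatientSize",
    (0x0010, 0x1030): "PatientWeight",
}

# VRs whose element header uses 2 reserved bytes plus a 4-byte length.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def encode_element(group, element, vr, value):
    """Encode one explicit VR little-endian data element (even-length padded)."""
    if len(value) % 2:
        value += b"\x00" if vr in LONG_VRS else b" "
    if vr in LONG_VRS:
        header = struct.pack("<HH2sHI", group, element, vr, 0, len(value))
    else:
        header = struct.pack("<HH2sH", group, element, vr, len(value))
    return header + value


def parse_elements(data):
    """Return a list of ((group, element), vr, value) from an explicit VR LE stream."""
    pos, elements = 0, []
    while pos < len(data):
        group, element, vr = struct.unpack_from("<HH2s", data, pos)
        pos += 6
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<xxI", data, pos)  # skip 2 reserved bytes
            pos += 6
        else:
            (length,) = struct.unpack_from("<H", data, pos)
            pos += 2
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length elements are not handled here")
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated element at offset %d" % pos)
        pos += length
        elements.append(((group, element), vr, value))
    return elements


def find_pii(data):
    """Map the name of every PII element present to its decoded, stripped value."""
    return {PII_TAGS[tag]: value.decode("ascii").strip()
            for tag, _vr, value in parse_elements(data) if tag in PII_TAGS}


def redact(data):
    """Return a copy of the stream with each PII element blanked (PN gets a placeholder)."""
    out = b""
    for (group, element), vr, value in parse_elements(data):
        if (group, element) in PII_TAGS:
            value = b"REDACTED" if vr == b"PN" else b""
        out += encode_element(group, element, vr, value)
    return out


# Constructed sample dataset: one study with patient identifiers and pixel data.
SAMPLE = b"".join([
    encode_element(0x0008, 0x0060, b"CS", b"CT"),          # Modality
    encode_element(0x0010, 0x0010, b"PN", b"DOE^JANE"),    # PatientName
    encode_element(0x0010, 0x0020, b"LO", b"MRN-000001"),  # PatientID
    encode_element(0x0010, 0x0030, b"DA", b"19800101"),    # PatientBirthDate
    encode_element(0x0010, 0x1020, b"DS", b"1.70"),        # PatientSize (m)
    encode_element(0x0010, 0x1030, b"DS", b"65"),          # PatientWeight (kg)
    encode_element(0x7FE0, 0x0010, b"OW", bytes(16)),      # PixelData (dummy)
])

if __name__ == "__main__":
    print("PII present:", find_pii(SAMPLE))
    print("after redaction:", find_pii(redact(SAMPLE)))
```

Run against a real file, the same walk would start after the 128-byte preamble, the "DICM" magic and the group 0002 file meta information, and would need to honour the transfer syntax declared there; the point here is that the identifiers are plain, tagged text that any reader of the file sees, which is why exposing the storage exposes the patient.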
[Image: sample medical images retrieved from the exposed servers]
[Image: patient information from the exposed servers, heavily redacted by the researchers]
David Sygula, Senior Cybersecurity Analyst at CybelAngel, shared his thoughts about the research.
"The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files. This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach."
Shodan, an open source search engine for searching many Internet of Things (IoT) devices, displays 134,031 results on ports 104 and 11112, the IANA-registered ports for DICOM.
A second, more precise investigation searched for the string "FINDSCU," which appears in the DICOM banner. This narrowed the result to approximately 3,092 real DICOM devices communicating over the internet.
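A DICOM node that answers every association request from the internet is what these scans find. The conventional control on the DICOM side, before any TLS or network filtering, is to accept an A-ASSOCIATE-RQ only when the calling Application Entity (AE) title is known and arrives from the address registered for it. The added example below (not code from the article or from CybelAngel) parses the fixed part of the A-ASSOCIATE-RQ PDU defined in DICOM PS3.8 and applies such an allowlist; the AE titles, IP addresses and the allowlist itself are constructed for the example.

```python
import struct

A_ASSOCIATE_RQ = 0x01  # PDU type byte of an association request (DICOM PS3.8)


def build_associate_rq(called_ae, calling_ae, variable_items=b""):
    """Build a minimal A-ASSOCIATE-RQ PDU; used here only to construct test input."""
    if len(called_ae) > 16 or len(calling_ae) > 16:
        raise ValueError("AE titles are at most 16 characters")
    body = (struct.pack(">HH", 1, 0)                # protocol version 1, reserved
            + called_ae.ljust(16).encode("ascii")  # called AE title, space padded
            + calling_ae.ljust(16).encode("ascii") # calling AE title, space padded
            + bytes(32)                            # reserved
            + variable_items)                      # application context, presentation contexts ...
    return struct.pack(">BBI", A_ASSOCIATE_RQ, 0, len(body)) + body


def parse_associate_rq(pdu):
    """Return (called_ae, calling_ae) from the fixed PDU header, or raise ValueError."""
    if len(pdu) < 74 or pdu[0] != A_ASSOCIATE_RQ:
        raise ValueError("not an A-ASSOCIATE-RQ PDU")
    (pdu_len,) = struct.unpack_from(">I", pdu, 2)
    if pdu_len != len(pdu) - 6:
        raise ValueError("PDU length field does not match the data received")
    called = pdu[10:26].decode("ascii", "replace").strip()
    calling = pdu[26:42].decode("ascii", "replace").strip()
    if not called or not calling:
        raise ValueError("empty AE title")
    return called, calling


def decide(pdu, peer_ip, our_ae, allowed_peers):
    """Accept or reject an association.  allowed_peers maps each permitted calling
    AE title to the set of source addresses it may use.  Returns (accept, reason)."""
    try:
        called, calling = parse_associate_rq(pdu)
    except ValueError as exc:
        return False, "malformed request: %s" % exc
    if called != our_ae:
        return False, "called AE title %r is not this node" % called
    if calling not in allowed_peers:
        return False, "unknown calling AE title %r" % calling
    if peer_ip not in allowed_peers[calling]:
        return False, "%r is not permitted from %s" % (calling, peer_ip)
    return True, "accepted"


# Constructed allowlist for the example: two modalities on the imaging VLAN.
OUR_AE = "RADIOLOGY_SCP"
ALLOWED = {
    "PACS_ARCHIVE": {"10.0.5.10"},
    "CT_SCANNER_1": {"10.0.5.21", "10.0.5.22"},
}

if __name__ == "__main__":
    req = build_associate_rq(OUR_AE, "CT_SCANNER_1")
    print(decide(req, "10.0.5.21", OUR_AE, ALLOWED))
    print(decide(req, "203.0.113.7", OUR_AE, ALLOWED))        # same title, wrong network
    print(decide(build_associate_rq(OUR_AE, "FINDSCU"), "10.0.5.21", OUR_AE, ALLOWED))
```

On rejection a real SCP answers with an A-ASSOCIATE-RJ rather than silently dropping the connection, and logs the peer address and calling title; those log lines are the simplest signal that a node is being probed from outside the intended network. AE-title checks are not authentication (the title is chosen by the caller), so they belong alongside network restriction and, where supported, TLS with client certificates.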
There are some significant consequences and risks associated with a medical data breach. Most commonly these are:
Hopefully, medical organizations can learn from this research and use it to help reduce cyber and privacy risk.