Censys, a company that provides an Internet intelligence platform for threat hunting and attack surface management, has identified thousands of IP addresses exposing medical devices and systems on the public Internet, 49% of them in the United States.
Himaja Motheram, a Censys security researcher, said the research set out to identify publicly reachable interfaces and services from the viewpoint of an external threat actor seeking to attack a healthcare organization or gain access to healthcare data. The company found 14,004 unique IPs openly exposing healthcare-related devices and applications online, but noted that its research probably captured only part of the problem: many other systems may be insecurely configured yet not reachable from the public Internet, and so were not counted. The findings are published in the Censys 2024 report, Global State of Internet of Healthcare Things (IoHT) Exposures on Public-Facing Networks.
The most frequently exposed medical assets were:
- 5,100 DICOM servers, which are used to store, view and transmit medical images
- 4,031 EMR/EHR systems
- 2,530 PACS imaging servers
- 2,520 data integration platforms
Exposed DICOM servers hold databases of medical images that are often reachable without any authentication. The researchers cited 2023 research which found that only 400 of 4,000 scanned DICOM servers had proper authentication enabled.
After filtering out false positives and honeypots, the researchers counted 5,100 exposed DICOM hosts. A review of those hosts showed that most were associated with third-party radiology and pathology service providers and with imaging departments at large hospitals. The exposures are most likely the result of incorrect and insecure configuration: accessibility is prioritized over security because these systems are routinely accessed by third parties outside the hospital network.
Many of the DICOM hosts had insecure settings that permit remote access to medical image databases without authentication, endangering patient privacy. These exposures are serious not only because of the potential disclosure of patient information but also because of weaknesses identified in the DICOM standard that allow malware to be embedded in DICOM image files without detection.
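To make the DICOM exposure concrete, here is an added example (written for this article, not code from Censys or from the report) that does what an external scanner, or a hospital checking its own perimeter, would do: open a TCP connection to a DICOM port and see whether the service accepts an association from an unknown calling AE title. It uses only the Python standard library; the hostnames, ports, AE titles and implementation UID are placeholders, and SAMPLE_AC / SAMPLE_RJ are constructed replies so the parser can be exercised offline.

```python
"""Probe whether a DICOM service accepts associations from an unknown peer.

Added example for this article, not Censys's tooling. It speaks the DICOM
Upper Layer protocol (PS3.8) with the standard library only: it builds an
A-ASSOCIATE-RQ proposing the Verification SOP Class (C-ECHO), parses the
A-ASSOCIATE-AC or A-ASSOCIATE-RJ reply, and reports whether the peer accepted.
Hostnames, ports and AE titles are placeholders; SAMPLE_AC / SAMPLE_RJ are
constructed replies for offline use.
"""
import socket
import struct
import sys

APPLICATION_CONTEXT = b"1.2.840.10008.3.1.1.1"  # DICOM application context name
VERIFICATION_SOP = b"1.2.840.10008.1.1"         # Verification SOP Class (C-ECHO)
IMPLICIT_VR_LE = b"1.2.840.10008.1.2"           # Implicit VR Little Endian transfer syntax
IMPL_CLASS_UID = b"1.2.826.0.1.3680043.9.9999"  # placeholder implementation UID (assumption)

# A-ASSOCIATE-RJ reason codes when source == 1 (DICOM UL service-user), PS3.8 table 9-21
RJ_REASON_USER = {1: "no reason given", 2: "application context name not supported",
                  3: "calling AE title not recognised", 7: "called AE title not recognised"}


def _item(item_type: int, payload: bytes) -> bytes:
    """Variable item / sub-item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae(title: str) -> bytes:
    """AE titles are 1..16 ASCII bytes, space padded to 16."""
    raw = title.encode("ascii")
    if not 0 < len(raw) <= 16:
        raise ValueError("AE title must be 1..16 ASCII characters")
    return raw.ljust(16, b" ")


def build_associate_rq(called_ae: str, calling_ae: str, max_pdu: int = 16384) -> bytes:
    """A-ASSOCIATE-RQ PDU (type 0x01) proposing one presentation context for C-ECHO."""
    pres_ctx = (struct.pack(">BBBB", 1, 0, 0, 0)            # context id 1, three reserved bytes
                + _item(0x30, VERIFICATION_SOP)             # abstract syntax sub-item
                + _item(0x40, IMPLICIT_VR_LE))              # transfer syntax sub-item
    user_info = (_item(0x51, struct.pack(">I", max_pdu))    # maximum PDU length sub-item
                 + _item(0x52, IMPL_CLASS_UID))             # implementation class UID sub-item
    body = (struct.pack(">HH", 1, 0)                        # protocol version 1, reserved
            + _ae(called_ae) + _ae(calling_ae) + b"\x00" * 32
            + _item(0x10, APPLICATION_CONTEXT) + _item(0x20, pres_ctx) + _item(0x50, user_info))
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def parse_associate_response(pdu: bytes) -> dict:
    """Classify the reply to an A-ASSOCIATE-RQ: accepted, rejected (with reason) or other."""
    if len(pdu) < 6:
        raise ValueError("PDU too short")
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    if pdu_type == 0x03:                                    # A-ASSOCIATE-RJ
        _, result, source, reason = struct.unpack(">BBBB", pdu[6:10])
        text = RJ_REASON_USER.get(reason, f"code {reason}") if source == 1 else f"source {source} code {reason}"
        return {"status": "rejected", "permanent": result == 1, "source": source,
                "reason": reason, "reason_text": text}
    if pdu_type != 0x02:                                    # e.g. A-ABORT (0x07) or garbage
        return {"status": "other", "pdu_type": pdu_type}
    accepted = []                                           # A-ASSOCIATE-AC: walk the variable items
    pos, end = 6 + 68, 6 + length                           # 2+2+16+16+32 fixed bytes precede them
    while pos + 4 <= end:
        item_type, _, item_len = struct.unpack(">BBH", pdu[pos:pos + 4])
        payload = pdu[pos + 4:pos + 4 + item_len]
        if item_type == 0x21 and len(payload) >= 4:         # presentation context item (AC form)
            ctx_id, _, result, _ = struct.unpack(">BBBB", payload[:4])
            if result == 0:                                 # 0 = acceptance; 1..4 = rejected
                accepted.append(ctx_id)
        pos += 4 + item_len
    return {"status": "accepted", "accepted_contexts": accepted, "echo_accepted": 1 in accepted}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-PDU")
        buf += chunk
    return buf


def probe(host: str, port: int = 104, called_ae: str = "ANY-SCP",
          calling_ae: str = "UNKNOWN-SCU", timeout: float = 5.0) -> dict:
    """Connect, send A-ASSOCIATE-RQ, classify the reply, then release if accepted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(called_ae, calling_ae))
        head = _recv_exact(sock, 6)
        reply = head + _recv_exact(sock, struct.unpack(">BBI", head)[2])
        result = parse_associate_response(reply)
        if result["status"] == "accepted":
            sock.sendall(struct.pack(">BBI", 0x05, 0, 4) + b"\x00" * 4)  # A-RELEASE-RQ
    return result


# Constructed replies: an AC that accepts context 1 for an unknown caller, and an RJ
# (rejected-permanent, source = service user, reason 3 = calling AE title not recognised).
_ac_body = (struct.pack(">HH", 1, 0) + _ae("ANY-SCP") + _ae("UNKNOWN-SCU") + b"\x00" * 32
            + _item(0x10, APPLICATION_CONTEXT)
            + _item(0x21, struct.pack(">BBBB", 1, 0, 0, 0) + _item(0x40, IMPLICIT_VR_LE))
            + _item(0x50, _item(0x51, struct.pack(">I", 16384))))
SAMPLE_AC = struct.pack(">BBI", 0x02, 0, len(_ac_body)) + _ac_body
SAMPLE_RJ = struct.pack(">BBI", 0x03, 0, 4) + struct.pack(">BBBB", 0, 1, 1, 3)

if __name__ == "__main__":
    if len(sys.argv) > 1:                                   # python probe.py <host> [port]
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 104))
    else:
        print(parse_associate_response(SAMPLE_AC))
        print(parse_associate_response(SAMPLE_RJ))
```

A properly locked-down archive either refuses the TCP connection (firewall or IP allow-list) or answers with A-ASSOCIATE-RJ, typically reason 3 or 7 (calling or called AE title not recognised). An A-ASSOCIATE-AC for an arbitrary calling AE title is the condition the report describes: the node trusts anyone who can reach the port (104 and 11112 are the usual ones). The probe stops at the association layer; whether query/retrieve (C-FIND, C-MOVE) is also open needs a further, authorized test, and AE-title checks are not authentication in any case, since titles are guessable. Only run this against hosts you are authorized to test.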
Exposure of EMRs/EHRs can amount to a privacy violation. Most of these hosts exposed their login interfaces over HTTP; these are the portals patients use to view their medical records and protected health information (PHI) over the Internet. The report singles out these systems because security weaknesses and misconfigurations can leave EMR/EHR logins open to brute-force attacks, and such systems frequently lack multifactor authentication or VPN tunneling. The good news is that most of the identified hosts (3,678) ran Epic EMR, which has MFA enabled.
A Picture Archiving and Communication System (PACS) stores and provides access to medical images and relies on the DICOM protocol to transfer and store them. As with the DICOM servers, the exposures most likely stem from prioritizing accessibility over security. Exposed PACS hosts also present a risk to EMRs/EHRs, since a vulnerability in any single login gateway can give attackers a way in.
18% of the exposed hosts were data integration platforms, such as NextGen Healthcare's Mirth Connect. These platforms manage the flow of large volumes of data between sources such as medical hardware, databases, EHRs, and records of doctor-patient interactions, so exploiting a vulnerability in one of them gives an attacker access to sensitive information. For example, a Mirth Connect vulnerability identified in 2023 enabled the compromise of login gateways, and two Mirth Connect vulnerabilities identified in 2024 were exploited by ransomware groups and nation-state actors.
Motheram stressed the importance of effective access controls such as multifactor authentication to protect EMR/EHR platforms and other sensitive systems from being reached over the Internet, of protective barriers such as firewalls to limit unauthorized access, and of tools such as automated scanning platforms to check the attack surface continuously.