Leaky DICOM Medical Standard Exposes Millions of Patient Records

November 10, 2023 at 01:12PM

Researchers have discovered that around 60 million personal and medical records may have been exposed because medical equipment still relies on a legacy protocol. Many deployments of the protocol do not implement its security controls, and this leads to data leakage. The protocol itself does provide security measures, but vendors often do not implement them; lack of awareness, outdated hardware, and products aimed at smaller organizations are cited as reasons. The researchers estimate that, over 30 years, 59 million records could have been visible, including personal information and examination results. They hope to raise awareness of the issue and encourage vendors and hospitals to strengthen their infrastructure. The maintainers of the DICOM standard, however, argue that responsibility for security lies with vendors and healthcare organizations, not solely with the protocol.

Key Takeaways from Meeting Notes:

1. Researchers from Aplite have found that around 60 million personal and medical records may have been exposed due to the use of a legacy protocol called DICOM in medical equipment.
2. The DICOM protocol, which is used for medical imaging transfers, often lacks proper security controls, leading to data leakage.
3. Aplite detected over 3,800 servers using DICOM that were accessible on the Internet, with 30% of them leaking sensitive data.
4. While DICOM does contain security measures, vendors usually do not implement them, citing factors such as a lack of awareness, complex upgrades, or products aimed at smaller organizations with limited IT infrastructure.
5. Lack of regulatory governance and outdated versions of the protocol contribute to the security risks.
6. Over the past 30 years, an estimated 59 million records may have been visible, exposing personal information and medical examination results.
7. Machine vendors are aware of the risks but may not fully understand the extent of data leakage.
8. Secure and up-to-date communication between medical devices is crucial, but advanced security measures are not widely supported yet.
9. The researchers recommend evaluating the need for remote access to DICOM servers and keeping communications internal if possible.
10. According to DICOM, the responsibility for implementing security mechanisms lies with manufacturers and healthcare organizations, and the standard itself does not pose an inherent security risk.
11. The researchers agree with DICOM’s statement and aim to raise awareness of the data leakage issue through their presentation at Black Hat Europe.
12. Increasing awareness and improving infrastructure security will be an ongoing journey for vendors and hospitals.

Overall, the meeting notes highlight the security risks associated with the use of the DICOM protocol in medical equipment and the need for greater attention to secure data transfer and storage in the healthcare sector.