The healthcare industry will, I am sure, remain a significant target for cybercriminals due to the huge potential it provides them to monetize their efforts through ransomware demands or by abusing the exfiltrated data of patients. Operational disruption and sensitive data, such as medical records, combined with financial and insurance data offer a potential payday that simply does not exist in many other environments.

At Black Hat Europe 2023, a team from Aplite GmbH presented on the continued use of legacy protocols by many healthcare organizations. The problem itself is nothing new: there are numerous instances of equipment or systems remaining in use, because replacing them is so expensive, even though they rely on protocols that are not suitable for today's connected environment. Replacing an MRI scanner, for example, can cost as much as 500,000 USD, and if the only reason to replace it is an end-of-life notice for the software that runs it, keeping the device may look like an acceptable risk when set against that budget.

The troubles with DICOM

The Aplite team highlighted issues with the DICOM (digital imaging and communications in medicine) protocol, which is used for the management and transmission of medical images and related data.

The protocol has been widely used in medical imaging for more than 30 years and has been through many revisions and updates. A medical image scan typically produces several images; these are grouped as a series, and the associated patient data is stored with the images, along with any notes from the patient's medical team, including diagnoses. The data is then accessible over the DICOM protocol through software that allows it to be read, added to, and modified.

Legacy versions of DICOM did not require any authentication or authorization before granting access to the data, so anyone who could establish a connection to a DICOM server could potentially read or modify it. The Aplite presentation reported that 3,806 DICOM servers are publicly accessible over the internet and hold data relating to 59 million patients, with just over 16 million of those records including identifiable information such as name, date of birth, address, or social security number.

The study found that just 1% of the internet-accessible servers had implemented the authentication and authorization mechanisms available in current versions of the protocol. It is worth noting that organizations that understood the associated risk and acted on it earlier may already have removed their servers from public reach by segmenting them onto networks with appropriate authentication and security controls; such servers would not appear in this count.
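The exposure described above comes down to one question: does a DICOM server accept an association from an arbitrary, unauthenticated peer? The check below is an added example written for this article, not code from the Aplite research; it builds a minimal DICOM A-ASSOCIATE-RQ proposing only the Verification SOP class (C-ECHO), sends it, and classifies the reply. The standard UIDs are real; the implementation class UID, the default AE titles, and the verdict labels are placeholder assumptions. It deliberately does nothing beyond association and release (no C-FIND, no data retrieval), and should only be pointed at systems you are authorized to test.

```python
import socket
import struct
import sys

# UIDs defined by the DICOM standard (PS3.7 / PS3.8).
APP_CONTEXT = "1.2.840.10008.3.1.1.1"   # DICOM application context name
VERIFICATION_SOP = "1.2.840.10008.1.1"   # Verification SOP class (C-ECHO)
IMPLICIT_VR_LE = "1.2.840.10008.1.2"     # Implicit VR Little Endian transfer syntax
# Placeholder assumption: a real tool would use a UID under its own registered root.
IMPL_CLASS_UID = "1.2.3.4.5.6.7.8.9"

# Constructed sample of an A-ASSOCIATE-RJ: result=1 (permanent), source=1 (service-user),
# reason=3 (calling AE title not recognized), i.e. a server that does enforce an AE allow-list.
SAMPLE_RJ = bytes([0x03, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x01, 0x03])


def _item(item_type, payload):
    """Encode one UL item/sub-item: type, reserved, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae(title):
    """AE titles are 16 ASCII characters, space padded."""
    return title.encode("ascii")[:16].ljust(16)


def build_associate_rq(called_ae, calling_ae, pc_id=1):
    """A-ASSOCIATE-RQ (PDU type 0x01) proposing a single presentation context for C-ECHO."""
    app_ctx = _item(0x10, APP_CONTEXT.encode())
    pres_ctx = _item(0x20, bytes([pc_id, 0, 0, 0])
                     + _item(0x30, VERIFICATION_SOP.encode())
                     + _item(0x40, IMPLICIT_VR_LE.encode()))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384))   # max PDU length
                      + _item(0x52, IMPL_CLASS_UID.encode()))
    body = (struct.pack(">HH", 1, 0) + _ae(called_ae) + _ae(calling_ae)
            + bytes(32) + app_ctx + pres_ctx + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def _iter_items(data):
    """Walk the variable items that follow the fixed 74-byte association header."""
    off = 0
    while off + 4 <= len(data):
        item_type, _, length = struct.unpack(">BBH", data[off:off + 4])
        yield item_type, data[off + 4:off + 4 + length]
        off += 4 + length


def classify_response(pdu):
    """Map the first PDU returned by the peer to (verdict, detail)."""
    if not pdu:
        return "closed", "peer closed the connection without answering"
    kind = pdu[0]
    if kind == 0x02:  # A-ASSOCIATE-AC
        accepted = [p[0] for t, p in _iter_items(pdu[74:]) if t == 0x21 and p[2] == 0]
        if accepted:
            return "accepted", f"association accepted without authentication, contexts {accepted}"
        return "no-context", "association accepted but every presentation context was refused"
    if kind == 0x03 and len(pdu) >= 10:  # A-ASSOCIATE-RJ
        return "rejected", f"A-ASSOCIATE-RJ result={pdu[7]} source={pdu[8]} reason={pdu[9]}"
    if kind == 0x07:  # A-ABORT
        return "aborted", "peer sent A-ABORT"
    return "unknown", f"unexpected PDU type 0x{kind:02x}"


def sample_associate_ac(pc_id=1, result=0):
    """Constructed A-ASSOCIATE-AC for offline testing; result 0 = context accepted."""
    pres = _item(0x21, bytes([pc_id, 0, result, 0]) + _item(0x40, IMPLICIT_VR_LE.encode()))
    body = (struct.pack(">HH", 1, 0) + _ae("ANY-SCP") + _ae("PROBE") + bytes(32)
            + _item(0x10, APP_CONTEXT.encode()) + pres
            + _item(0x50, _item(0x51, struct.pack(">I", 16384)) + _item(0x52, b"9.8.7.6")))
    return struct.pack(">BBI", 0x02, 0, len(body)) + body


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, port, called_ae="ANY-SCP", calling_ae="PROBE", timeout=5.0):
    """Send one A-ASSOCIATE-RQ, classify the reply, and release cleanly if accepted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(called_ae, calling_ae))
        header = _recv_exact(sock, 6)
        if len(header) < 6:
            return classify_response(b"")
        pdu = header + _recv_exact(sock, struct.unpack(">I", header[2:6])[0])
        verdict = classify_response(pdu)
        if verdict[0] in ("accepted", "no-context"):
            sock.sendall(bytes([0x05, 0, 0, 0, 0, 4, 0, 0, 0, 0]))  # A-RELEASE-RQ
        return verdict


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 104
    print(*probe(host, port))
```

An "accepted" verdict for a connection from an unknown address with an arbitrary calling AE title means the server is relying on nothing more than network reachability; a "rejected" reply with source 1 and reason 3 (calling AE title not recognized) shows an AE allow-list is in place, which is a weak control on its own and no substitute for TLS with client certificates and proper segmentation.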

Healthcare is a sector with strict legislation and regulations, such as HIPAA (US), GDPR (EU), and PIPEDA (Canada). It is therefore surprising that 18.2 million of the records accessible on these publicly facing servers are located in the US.


Protecting critical systems

The data on these exposed servers gives cybercriminals a huge opportunity. Extorting patients under threat of publicly disclosing their diagnoses, modifying records to create false diagnoses, holding the responsible hospitals or other healthcare providers to ransom over which data has been altered, abusing patients' social security numbers and personal information, or using that information in spearphishing campaigns are just a few of the ways such data could be monetized.

Securing legacy systems with known security weaknesses, such as DICOM, should be on the radar of regulators and legislators. If regulatory bodies with the power to impose financial or other penalties specifically required organizations to confirm that these vulnerable systems have appropriate security measures in place to protect medical and personal data, that would be the motivator for those in possession of such systems to secure them.

Many industries carry the burden of expensive legacy system replacement, including utilities, healthcare, and maritime, to name but a few. Such systems should either be replaced or, where replacement is too complex or financially difficult, be protected by appropriate measures so that these protocols of the past do not come back to haunt you.
