Thousands of Medical Devices and Data Systems Exposed Over the Public Internet

Censys, a provider of an Internet intelligence platform for threat hunting and attack surface management, has identified thousands of IP addresses that expose medical devices and systems over the Internet, almost half of which (49%) are located in the United States.

Censys security researcher Himaja Motheram explained that the research was focused on identifying publicly accessible interfaces and services from the perspective of an external threat actor looking to conduct an attack on a healthcare organization or gain access to healthcare data. The company identified 14,004 unique IPs that publicly exposed healthcare-related devices and applications on the Internet but suggests that their research likely only captured a portion of exposed devices, with many other systems likely exposed but not openly accessible. The findings of the study have been published in the Censys 2024 Global State of Internet of Healthcare Things (IoHT) Exposures on Public-Facing Networks report.

The most commonly exposed medical assets were DICOM servers (5,100), which are used for viewing and transferring medical images, as well as EMR/EHR systems (4,031), PACS imaging servers (2,530), and data integration platforms (2,520). Exposed DICOM servers contain databases of medical images that can often be accessed without authentication. The researchers cite a separate 2023 study that revealed only 1% of 4,000 scanned DICOM servers had proper authentication in place.

After removing false positives and honeypots, the researchers identified 5,100 exposed DICOM hosts. An analysis of those hosts revealed that the majority were linked to independent radiology and pathology service providers, as well as to imaging departments at large hospitals. The exposures were most likely due to insecure configurations that prioritize accessibility over security, since these systems often have to be reached by third parties outside the organization's network.

The researchers found that many of the DICOM hosts had insecure configurations that allowed remote access to databases of medical images without authentication, putting patient privacy at risk. These exposures are especially serious not only because of the risk of patient data exposure but also because of the number of vulnerabilities in the DICOM protocol itself, such as the ability to embed malware, undetected, in DICOM images.
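The unauthenticated access described above usually stems from DICOM listeners that accept an association from any caller. The following example, added here and not part of the Censys report or of any DICOM product, parses the fixed header of an A-ASSOCIATE-RQ PDU and applies the kind of calling-AE-title plus peer-IP allow-list that a hardened listener or gateway can enforce before any image query is honoured. The AE titles, IP addresses and the allow-list are constructed sample values.

```python
import struct
from dataclasses import dataclass

ASSOCIATE_RQ = 0x01  # PDU type for A-ASSOCIATE-RQ (DICOM PS3.8, section 9.3.2)


@dataclass
class AssociateRequest:
    protocol_version: int
    called_ae: str    # the AE title the peer is asking for (our listener)
    calling_ae: str   # the AE title the peer claims for itself
    pdu_length: int


def parse_associate_rq(pdu: bytes) -> AssociateRequest:
    """Parse the 74-byte fixed header of an A-ASSOCIATE-RQ; raise on malformed input."""
    if len(pdu) < 74:
        raise ValueError("PDU too short for an A-ASSOCIATE-RQ header")
    if pdu[0] != ASSOCIATE_RQ:
        raise ValueError(f"not an A-ASSOCIATE-RQ PDU (type 0x{pdu[0]:02x})")
    pdu_length = struct.unpack(">I", pdu[2:6])[0]
    if pdu_length != len(pdu) - 6:  # length covers everything after the 6-byte PDU header
        raise ValueError("PDU length field does not match payload size")
    version = struct.unpack(">H", pdu[6:8])[0]
    called = pdu[10:26].decode("ascii").strip()   # 16 bytes, space padded
    calling = pdu[26:42].decode("ascii").strip()  # 16 bytes, space padded
    return AssociateRequest(version, called, calling, pdu_length)


def build_associate_rq(called_ae: str, calling_ae: str) -> bytes:
    """Constructed sample PDU: header fields only, no presentation-context items."""
    body = (struct.pack(">HH", 1, 0)                 # protocol version 1, reserved
            + called_ae.ljust(16).encode("ascii")
            + calling_ae.ljust(16).encode("ascii")
            + bytes(32))                             # reserved
    return struct.pack(">BBI", ASSOCIATE_RQ, 0, len(body)) + body


# Constructed allow-list: each trusted modality's AE title bound to its expected source IP.
ALLOW_LIST = {"CT_SCANNER1": "10.0.5.20", "RAD_WORKSTN2": "10.0.5.31"}


def association_allowed(pdu: bytes, peer_ip: str, allow_list: dict) -> tuple:
    """Return (accept, reason). Unknown callers and AE/IP mismatches are rejected."""
    try:
        rq = parse_associate_rq(pdu)
    except ValueError as err:
        return False, f"malformed association request: {err}"
    if allow_list.get(rq.calling_ae) != peer_ip:
        return False, f"reject calling AE {rq.calling_ae!r} from {peer_ip}"
    return True, f"accept {rq.calling_ae!r} -> {rq.called_ae!r} from {peer_ip}"
```

The reject branch is the point at which a listener should log the calling AE and peer address, since a stream of rejected associations from unexpected addresses is the signal that an archive is reachable from outside its intended network.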

The exposure of EMRs/EHRs can be a privacy risk; however, the majority of hosts were exposed login interfaces served over HTTP, which include portals that patients use to access their medical records online. These were included in the report because security weaknesses and misconfigurations can expose EMRs/EHRs to brute force attacks. These systems often do not include multifactor authentication or VPN tunneling. That said, the majority of identified hosts were for the Epic EMR (3,678), which does support MFA.

A Picture Archiving and Communication System (PACS) is used to access and store medical images and relies on the DICOM protocol for their transmission and storage. As with DICOM servers, the exposures are most likely due to the prioritization of accessibility over security. They are a security risk because a vulnerability in any single login gateway could open the door to hackers.

Data integration systems, such as NextGen Healthcare’s Mirth Connect platform (18% of exposed hosts), are used to manage the flow of large amounts of data from a variety of locations, including databases, hardware, EHRs, and interactions between practitioners and patients. Vulnerabilities in these platforms could be exploited to gain access to sensitive data. For instance, a 2023 vulnerability in the Mirth Connect platform allowed login gateways to be compromised, and two 2024 vulnerabilities in Mirth Connect have been exploited by nation-state actors and ransomware groups.

“The critical importance of implementing robust access controls, such as multi-factor authentication, is hard to exaggerate,” explained Motheram. “This is a must for securing sensitive systems like EMR/EHR platforms that must be accessible over the web.” She also suggests using protective barriers such as firewalls to reduce the risk of unauthorized access and continuous monitoring of the attack surface with tools such as automated scanning platforms.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
