CHICAGO - Nearly 3,000 DICOM servers worldwide remain open and unsecured against external data access, representing a considerable ongoing cybersecurity threat to radiology, according to a presentation on Monday at the RSNA 2017 conference.
What's more, 25% of the unprotected DICOM servers are accepting foreign DICOM "handshakes" -- meaning they are fully open to DICOM communication with outside computers. Unfortunately, this cybersecurity risk has not improved since the researchers from Massachusetts General Hospital (MGH) began tracking the number of unsecured DICOM servers worldwide in 2014, said presenter Oleg Pianykh, PhD.
Learning the hard way
DICOM and HL7 standards were initially developed in the late 1980s, a time when there was no concept of security and networking in general, Pianykh said. Technology has obviously evolved since then, and security features have been added to DICOM.
"But they kind of got added too late," he said. "Part 15 [Security and Management Profiles] of the DICOM Standard was introduced a long time after DICOM went into production and went into so many hospitals. DICOM devices got installed all over, so what happens right now is we still have pretty much unsecured DICOM."
Even today, DICOM conformance statements from PACS vendors may indicate that the product does not conform to any defined security profiles and that it is assumed to be used within a secured environment, according to Pianykh.
"Well, that's a very dangerous assumption," he said. "Many people don't even know they have to provide a secured environment. Many small medical facilities have no clue that they have to provide a secured environment."
A global problem
For the past few years, the MGH researchers have repeated the same test to explore the scope of unsecured DICOM servers worldwide. The idea behind the project was to take a clinical data networking protocol such as DICOM or HL7 and design an application to test whether an arbitrary computer -- via its remote IP address -- supports this protocol or not, Pianykh said.
The researchers would then try a large sample of IP addresses; identify the ones that responded positively to the request, thus indicating they were a medical device; and utilize geolocation techniques to map the identified unprotected IPs and pinpoint their coordinates, providers, and owners.
Using some multicore programming and a highly parallel server cluster, the researchers scanned the entire IP space -- 4 billion IP addresses. They found that the cybersecurity situation in radiology has not improved since 2014, when they first performed the study.
Clinical security study results

| | 2014 | 2016/2017 |
|---|---|---|
| Unprotected IP addresses corresponding to DICOM servers worldwide | 2,774 | 2,782 |
| IP addresses fully open to DICOM "handshake" | 719 | 821 |
Even more troubling, 750 of the 821 IP addresses fully open to DICOM handshakes were fully open to protocols for finding patient information.
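The condition counted above, a server that completes a DICOM handshake with any remote host, is closed at the association request itself. As an added example that is not part of the MGH presentation, the Python below parses the fixed part of an A-ASSOCIATE-RQ PDU and answers with an A-ASSOCIATE-RJ unless the peer's source network, the called AE title and the calling AE title are all on an allowlist; the AE titles and the network are constructed placeholders, not any real site's values.

```python
import ipaddress
import struct

# Constructed policy for this example (placeholder values, not any real site's):
# the AE titles and source networks a PACS would expect associations from.
OUR_AET = "PACS_DEMO"
ALLOWED_CALLING_AETS = {"CT_SCANNER_1", "RAD_WORKSTATION"}
ALLOWED_SOURCE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

def parse_associate_rq(pdu: bytes):
    """Parse the fixed part of an A-ASSOCIATE-RQ PDU (DICOM PS3.8, 9.3.2): type(1)
    reserved(1) length(4) version(2) reserved(2) called AE(16) calling AE(16) reserved(32)."""
    if len(pdu) < 74 or pdu[0] != 0x01:
        raise ValueError("not an A-ASSOCIATE-RQ PDU")
    (length,) = struct.unpack(">I", pdu[2:6])
    if length + 6 != len(pdu):
        raise ValueError("PDU length field does not match data received")
    called = pdu[10:26].decode("ascii", errors="replace").strip()
    calling = pdu[26:42].decode("ascii", errors="replace").strip()
    return called, calling

def associate_rj(reason: int) -> bytes:
    """Build an A-ASSOCIATE-RJ PDU: type 0x03, reserved, length 4, then
    reserved, result 1 (rejected-permanent), source 1 (service user), reason."""
    return struct.pack(">BBIBBBB", 0x03, 0, 4, 0, 1, 1, reason)

def gate_association(pdu: bytes, peer_ip: str):
    """Decide whether an inbound association may proceed.
    Returns ("accept", None) or ("reject", <A-ASSOCIATE-RJ bytes>)."""
    called, calling = parse_associate_rq(pdu)
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in ALLOWED_SOURCE_NETWORKS):
        return "reject", associate_rj(1)   # reason 1: no-reason-given
    if called != OUR_AET:
        return "reject", associate_rj(7)   # reason 7: called AE title not recognized
    if calling not in ALLOWED_CALLING_AETS:
        return "reject", associate_rj(3)   # reason 3: calling AE title not recognized
    return "accept", None

def build_associate_rq(called: str, calling: str) -> bytes:
    """Constructed sample request (fixed part only, no presentation contexts)."""
    body = (struct.pack(">HH", 1, 0) + called.ljust(16).encode("ascii")
            + calling.ljust(16).encode("ascii") + bytes(32))
    return struct.pack(">BBI", 0x01, 0, len(body)) + body

if __name__ == "__main__":
    # A request from a public address is refused before any C-FIND can follow.
    rq = build_associate_rq("PACS_DEMO", "CT_SCANNER_1")
    print(gate_association(rq, "203.0.113.7"))
    print(gate_association(rq, "10.20.5.9"))     # ('accept', None)
```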
On a per-country basis, the U.S. remains at the top of the list of countries with the most unprotected DICOM servers:
- U.S.: 1,150
- India: 229
- Turkey: 153
- China: 116
- Egypt: 115
- Brazil: 93
- Iran: 93
- Republic of Korea: 70
- South Africa: 51
- Canada: 49
"Forty percent of all DICOM vulnerabilities belong to the U.S.," he said.
A persistent problem
Over the past four clinical security studies, the researchers also found that 50% of unsecured DICOM servers remained unsecured the next year. Eight countries -- Thailand, China, Iran, Hungary, Egypt, Germany, Russia, and India -- had a visible increase in the number of unprotected DICOM servers from 2014 to 2016, while seven -- Turkey, Spain, South Africa, Italy, Canada, Australia, and the U.S. -- had no improvement.
Only four -- Taiwan, Brazil, Colombia, and the Republic of Korea -- were found to have achieved some improvement in the number of unprotected DICOM servers.
In addition to being open in DICOM, many of these unsecured DICOM devices also had web pages with login information for a PACS or hospital system, Pianykh noted.
"Not only are they vulnerable from a DICOM point of view, but they also have web pages that can be used to hack into the same patient records," he said.
The security situation in radiology is not getting better, Pianykh concluded.
"If we want to secure our devices and our patient information, it's probably time to start thinking about how at least we isolate our DICOM records from the public network," he said.