According to a Censys research firm, there are more than 14,004 unique IP addresses that expose healthcare equipment and systems containing sensitive medical data to the public internet. report. The research shows that many more devices are at risk, but are not easy to detect.
Nearly half of these exposed IP addresses (6,884) are in the United States, while another 10.5% (1,476) are in India. More than a third (36%) of these exposures involve open DICOM (Digital Imaging and Communications in Medicine) ports and DICOM-compatible web interfaces.
Security issues
Himaja Motheram, security researcher at Censys, explained that DICOM, an old protocol used to exchange and view medical images, is known for its security issues.
“The most pressing threat comes from data extortion schemes and ransomware campaigns that target the least secure, publicly available assets, especially those that connect to healthcare databases,” she explains.
This most likely stems from exposed devices or systems that do not require authentication. This includes the DICOM interfaces and EHRs analyzed in the report, with Motheram noting that attackers are opportunistically exploiting these weaknesses.
“Health care organizations must prioritize completely removing public access to DICOM systems,” she said. “Implementing firewalls and VPNs can create more secure access points.”
Image security
Configuring DICOM-compliant interfaces that require authentication and encryption would help further protect sensitive medical images and patient data.
“These measures not only help mitigate the known vulnerabilities of the DICOM protocol, but also help organizations maintain HIPAA compliance,” Motheram said.
More than a quarter (28%) of exposures are linked to EPD systems. Motheram said the public disclosure of login interfaces for these systems seriously compromises personal health information, including medical history and social security numbers.
“To better protect EHR login interfaces, some basic security best practices include requiring multi-factor authentication by default and applying the principle of least privilege access should be limited to what is necessary for the specific role of every user,” she said.
Improving safety
Multi-factor authentication improves security by requiring an additional verification step beyond passwords, making it more difficult for attackers to gain unauthorized access.
Motheram explained that multi-factor authentication is not a “magic bullet,” but a crucial layer of protection, especially given the serious consequences of a data breach, she said.
She said that to maximize protection, organizations should at a minimum: enforce multi-factor authentication and data encryption on all systems that handle sensitive data, both in the cloud and on-premises, and prioritize patching the most critical of these systems when security updates occur. have been released.
“Configuring alerts to detect unusual activity, such as unauthorized access attempts or changes to critical configurations, can help organizations detect exploits and any gaps,” she says.
Unauthorized access
Motheram added that setting alerts in access logs for suspicious behavior and keeping software up to date can further reduce the risk of unauthorized access and data breaches. She explained that one of the most challenging aspects of managing large infrastructure is that healthcare IT leaders can’t protect what they don’t know.
“These environments tend to be complex and decentralized, with numerous devices communicating across different networks,” she says.
Obtaining a comprehensive inventory of their external attack surfaces and identifying highest priority exposures or vulnerabilities can be resource intensive.
“This is especially true for healthcare organizations that regularly exchange data with external parties and also need to manage risks in the supply chain,” Motheram said.
Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: nathaneddy@gmail.com
Twitter: @dropdeaded209
The HIMSS Healthcare Cybersecurity Forum will take place from October 31 to November 1 in Washington, DC More information and registration.