More than 45 million medical images have been leaked, including X-rays, MRIs and CT scans, with data indicating who they belong to, all of them posted online on insecure servers.
Has been the cybersecurity company CybelAngeHe who has raised the problem, exposing how exposed medical data leaked from hospitals and medical centers around the world. As the information was found, outsiders could easily access sensitive medical data.
The problem here is that medical devices are often vulnerable to cyberattacks or data exposure, because technology is often outdated and healthcare IT and security budgets are overstretched.
How the data can be accessed
The filtered data can be accessed without the need for hacking tools or even a password, since they are on the open web, being only necessary to type the url of the files.
What they found were 45 million files on unprotected servers, many times with FTP or SMB protocols and unpatched security flaws. Other times they were servers and storage units (NAS) connected to other network devices to satisfy a functional need, such as printing files, but the way they had been configured meant that they had become back doors to networks.
The example is easy to understand:
Let’s say you have a NAS and you need to share a printer, you create guest access to the printer, and all your security breaks down because when the printer accesses your NAS, it leaves the door open.
Malicious scripts, including cryptocurrency miners, were also found on the examined servers, suggesting that the researchers were not the first to identify and access the insecure devices.
The danger of information leaking
The problem is that all this information could potentially be exploited for fraud and other malicious purposes. It is possible that they were sold on the dark web, it is not known where the data may have circulated. If someone accesses a confidential medical report on a patient, they could call you on the phone posing as a medical facility and perform any kind of fraud.
Researchers have managed to communicate the problem to many of the centers with problems, but with hundreds of them, they have not been able to communicate, which is why all statistics have been published around this research. anonymously, as a warning to verify the security of your networks and storage.
And ZDNET have spoken with those responsible, who indicate that to prevent data from being exposed, it is recommended that networks are properly segmented so that critical diagnostic equipment, such as X-ray machines and support systems, are not connected to the broader commercial or public networks.