Despite widespread focus on the critical need for healthcare data security, many institutions still aren't getting the message. More than 800 servers worldwide storing DICOM image data are fully open to outside computers that could steal their data, according to a study presented at last week's ECR 2016 in Vienna.
Repeating a study that was presented at ECR 2015, researchers from Massachusetts General Hospital (MGH) in Boston unfortunately found no improvement in 2016 for DICOM security after a worldwide search for unprotected DICOM servers. Of the 2,773 unprotected DICOM servers found by the researchers this year, 29% were completely open to DICOM communication with outside computers and were capable of transferring patient data.
The troubling findings show that patient data is still not secured, according to presenter Oleg Pianykh, PhD.
"If you think that your hospital has not been hacked yet, then most probably you just don't know that it was," Pianykh said.
Assessing clinical security
Pianykh and colleague Sampson Abiola of MGH wrote an application designed to probe remote computers over an Internet protocol (IP) address and see if it would respond to a query to communicate. The idea was to survey a large sample of IP addresses and identify the ones that responded positively to the request.
Using geolocation technology, they would then map these unprotected IP addresses, pinpointing the coordinates and their providers/owners, he said. Pianykh noted that the search was conducted only for protocol verification purposes; no clinical data were accessed.
Thanks to some multicore programming and a highly parallel Amazon computing cluster, the researchers were able to scan 4 billion IP addresses -- the entire IP space -- in 12 hours, Pianykh said. They calculated the number of overall unprotected DICOM IP addresses, as well as those that also accepted external DICOM "handshakes" (i.e., communication requests), meaning they were fully open to DICOM communication with outside computers.
Number of unprotected DICOM computers | |||
2014 | 2016 | Change | |
Number of unprotected DICOM IP addresses | 2,774 | 2,773 | 0% |
Number of unprotected DICOM IP addresses that were fully open to outside communication | 719 | 804 | 11% |
Percent of unprotected DICOM servers fully open to outside communication | 25% | 29% | 4 percentage points |
"Obviously, we don't know the actual [total] number of DICOM servers; nobody knows how many servers are being kept behind firewalls, so there's no way to count them," he said. But at least the number of unprotected DICOM addresses and the number of unprotected DICOM IP addresses that were fully open to outside communication give you a "fair idea of what's going on," he noted.
The biggest offenders
Pianykh noted that the total number of overall clinical servers was the major predictor for the number of unsecured servers.
Countries with the highest ratios of open DICOM servers accepting foreign handshakes to all detected DICOM servers included the following:
- Iran 34/40 (85%)
- Thailand: 10/14 (71%)
- Spain: 11/23 (48%)
- Argentina: 6/13 (46%)
- Russia: 8/18 (44%)
- Brazil: 51/118 (43%)
- Germany: 9/22 (41%)
- Bolivia: 4/10 (40%)
- Australia: 12/32 (38%)
- Turkey: 49/143: (34%)
- Taiwan: 41/114: (34%)
- Poland: 4/12 (33%)
- Japan: 3/11 (27%)
- Chile: 7/27 (26%)
- U.S.: 346/1335 (26%)
- China: 11/43 (26%)
- Canada: 13/52 (25%)
- Philippines: 6/24 (25%)
- Mexico: 14/57 (25%)
- Hungary: 4/20 (20%)
"You see some unusual [countries] on this list, but you also see countries that you would expect to take better care of their DICOM communications," he said.
The researchers also found open HL7 servers when they performed a similar search of all IP addresses for the HL7 protocol.
Countries with the most open HL7 servers:
- U.S.: 89
- Brazil: 26
- Egypt: 25
- Japan: 18
- China: 15
- Netherlands: 15
- Chile: 11
- France: 11
- Denmark: 9
- India: 8
- Italy: 8
- Russia: 8
- Canada: 6
- Singapore: 6
- Columbia: 5
- Germany: 5
- Puerto Rico: 5
- Ecuador: 4
- South Korea: 4
- Taiwan: 4
More than 20 years after digital medicine began to be implemented, patient data still remain unsecured, according to Pianykh.