There are more than 14,004 unique IP addresses that expose healthcare devices and systems containing sensitive medical data to the public internet, according to a Censys report. The study noted many more devices may be at risk but are not easily detectable.
Nearly half of these exposed IP addresses (6,884) are in the United States, with another 10.5% (1,476) found in India. More than a third (36%) of these exposures involve open Digital Imaging and Communications in Medicine (DICOM) ports and DICOM-enabled web interfaces.
Security vulnerabilities
Himaja Motheram, security researcher at Censys, explained that DICOM, a legacy protocol used for exchanging and viewing medical images, is known for its security vulnerabilities.
“The most pressing threat comes from data extortion schemes and ransomware campaigns that seek to target the least secure publicly available assets, particularly those that connect to healthcare databases,” she explained.
This risk is most likely to stem from exposed devices or systems that do not require authentication. That includes the DICOM interfaces and EHRs analyzed in the report, and Motheram noted that attackers opportunistically exploit these weak points.
“Healthcare organizations should prioritize removing public access to any DICOM systems entirely,” she said. “Implementing firewalls and VPNs can create more secure access points.”
Safeguarding images
Configuring DICOM-enabled interfaces to require authentication and encryption would help further safeguard sensitive medical images and patient data.
“These measures not only help mitigate the known vulnerabilities of the DICOM protocol but also help organizations maintain HIPAA compliance,” Motheram said.
More than a quarter (28%) of exposures are linked to EHR systems. Motheram said the public exposure of login interfaces for these systems puts personal health data, including medical histories and social security numbers, at severe risk.
“To better protect EHR login interfaces, some fundamental security best practices are to require multi-factor authentication by default and apply the principle of least privilege: access should be limited to what is necessary for each user’s specific role,” she said.
Enhancing security
Multi-factor authentication enhances security by requiring an additional verification step beyond just passwords, making it more difficult for attackers to gain unauthorized access.
Motheram explained that multi-factor authentication is not a “silver bullet,” but it is a critical layer of protection, especially considering the serious consequences of a data breach.
She said that to maximize protection, organizations should, at minimum, enforce multi-factor authentication and data encryption across all systems that handle sensitive data, whether cloud-based or on-premises, and prioritize patching the most critical of these systems when security updates are released.
“Configuring alerts to detect unusual activities, such as unauthorized access attempts or changes to critical configurations, can help organizations detect exploitation and any holes,” she said.
Unauthorized access
Motheram added that setting up alerts on access logs for suspicious behavior and keeping software up to date can further lower the risk of unauthorized access and data breaches. She explained that one of the most challenging aspects of managing a large infrastructure is that healthcare IT leaders can’t protect what they don’t know about.
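The alerting Motheram describes, as an added example that is not from the article or the Censys report: three rules run over constructed access-log lines from an EHR login page and a DICOM gateway. The log format, field names, internal network range and thresholds are all assumptions.

```python
"""Added example (not from the Censys report or the article): alerting
rules over constructed access-log lines for an EHR login page and a DICOM
gateway. Log format, field names and thresholds are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed sample log: "<epoch> <system> <event> src=<ip> user=<name>"
SAMPLE_LOG = """\
1700000000 ehr login_failed src=203.0.113.9 user=jdoe
1700000020 ehr login_failed src=203.0.113.9 user=jdoe
1700000040 ehr login_failed src=203.0.113.9 user=admin
1700000050 ehr login_failed src=203.0.113.9 user=root
1700000060 ehr login_failed src=203.0.113.9 user=nurse1
1700000100 ehr login_ok src=10.20.0.5 user=nurse1
1700000200 dicom assoc_accepted src=10.20.1.7 user=MODALITY_CT1
1700000300 dicom assoc_accepted src=198.51.100.4 user=UNKNOWN_AE
1700000400 ehr config_changed src=10.20.0.5 user=nurse1
"""

# Assumption: DICOM associations are only legitimate from these internal ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
FAILED_LOGIN_THRESHOLD = 5   # failures per source within WINDOW seconds
WINDOW = 300

def parse(line):
    """Split one constructed log line into a dict of its fields."""
    ts, system, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": int(ts), "system": system, "event": event, **fields}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def alerts(log_text):
    """Return a list of (rule, detail) tuples for the log lines given."""
    found = []
    failures = defaultdict(list)   # source ip -> timestamps of failed logins
    for rec in map(parse, log_text.strip().splitlines()):
        if rec["event"] == "login_failed":
            hits = failures[rec["src"]]
            hits.append(rec["ts"])
            hits[:] = [t for t in hits if rec["ts"] - t <= WINDOW]  # sliding window
            if len(hits) == FAILED_LOGIN_THRESHOLD:
                found.append(("brute_force", rec["src"]))
        elif rec["system"] == "dicom" and rec["event"] == "assoc_accepted":
            if not is_internal(rec["src"]):   # DICOM reached from outside the LAN
                found.append(("external_dicom_association", rec["src"]))
        elif rec["event"] == "config_changed":  # any change to critical config
            found.append(("config_change", f'{rec["user"]}@{rec["src"]}'))
    return found
```

Running `alerts(SAMPLE_LOG)` flags the password-guessing source, the DICOM association accepted from a public address, and the configuration change, while the routine internal logins and modality traffic produce no alert.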
“These environments tend to be complex and decentralized, with numerous devices communicating across different networks,” she said.
Getting a comprehensive inventory of their external attack surfaces and identifying the highest priority exposures or vulnerabilities can be resource intensive.
“This is particularly true for healthcare organizations that regularly exchange data with external parties and need to manage supply chain risks as well,” Motheram noted.
Nathan Eddy is a healthcare and technology freelancer based in Berlin.