The healthcare industry has long been a prime target for malicious cyber activity, given the potential for financial gains and abuse of patient data. Hospitals, despite recognizing the dangers, continue to utilize outdated protocols, presenting a severe vulnerability to cyberattacks.
At the recent Black Hat Europe 2023 event, Aplite GmbH discussed the risk of legacy protocols in the healthcare industry. The persistent use of outdated protocols is a common challenge in healthcare organizations, often due to the substantial cost associated with replacing equipment and systems. For instance, the replacement of an MRI scanner can amount to as much as $500,000. Consequently, many organizations continue to use equipment with outdated protocols, exposing themselves to potential cybersecurity threats.
One such issue highlighted by the Aplite team involves the DICOM (Digital Imaging and Communications in Medicine) protocol, which has been widely used in the medical imaging sector for over 30 years. The protocol, used for transmitting and managing medical images and related data, has undergone multiple revisions and updates. However, older versions of DICOM did not enforce authorization for data access, potentially allowing unauthorized individuals to read or modify patient information.
According to the Aplite presentation, an alarming 3,806 DICOM servers are publicly accessible over the internet, containing data related to a staggering 59 million patients. Of these, over 16 million include identifiable information such as name, date of birth, address, or social security number. Shockingly, only 1% of the accessible servers had implemented the necessary authorization and authentication mechanisms available in the current versions of the protocol.
The misuse of data accessible from these servers presents a significant cyber threat. Cybercriminals can exploit patient information for various illicit activities, including extortion, creating false diagnoses, and spearphishing campaigns. Despite the strict regulations and legislation governing the healthcare sector, the exposure of 18.2 million records from these servers in the US is particularly troubling.
The exploitation of legacy systems and the vulnerabilities they present should raise concerns among regulators and lawmakers. Legislation needs to address the security risks associated with outdated protocols and require healthcare organizations to confirm that they have implemented the security measures needed to protect patient data. While replacing legacy systems may be financially burdensome, appropriate action is imperative to mitigate potential cyber threats.
It is crucial for organizations to recognize and address the risks posed by legacy systems, especially in industries where the replacement of outdated infrastructure is complex or expensive. Failure to secure these systems can lead to severe consequences, making it necessary for organizations to take proactive steps to ensure the protection of sensitive and personal data.
In conclusion, healthcare organizations must prioritize the security of their systems and the protection of patient data, especially when it comes to legacy protocols. Addressing these vulnerabilities is crucial in safeguarding against cyber threats and ensuring compliance with regulatory requirements.