
Legacy protocols in the healthcare industry present dangers that can make hospitals more vulnerable to cyberattacks.

Black Hat Europe 2023: The past may come back to haunt you

The healthcare industry will, I am sure, remain a prime target for cybercriminals because of the potential it gives them to monetize their efforts, whether through ransomware demands or by abusing exfiltrated patient data. Operational disruption and sensitive data such as medical records, combined with financial and insurance data, offer a potential payoff that simply doesn't exist in many other environments.

At Black Hat Europe 2023, a team from Aplite GmbH presented on the legacy protocols still used by many healthcare organizations. The problem of legacy protocols is not new: there are many instances where equipment or systems remain in use because of the significant cost of replacement, even though the protocols they use are not suitable for today's connected environment. For example, replacing an MRI scanner may cost 500,000 USD, and if the only reason to replace it is an end-of-life notification for the software operating the device, then, given budget constraints, continuing to run it may look like an acceptable risk.

The troubles of DICOM

The Aplite team highlighted the issues of the DICOM (Digital Imaging and Communications in Medicine) protocol, which is used for the management and transmission of medical images and related data.

The protocol has been widely used in the medical imaging sector for more than 30 years and has been through many revisions and updates. A scan usually produces several images, which are grouped as a series; the associated patient data is stored with the images, along with any notes from the patient's medical team, including diagnoses. The data is then accessed over the DICOM protocol by software that allows it to be read, added to, and modified.

Legacy versions of DICOM do not enforce data access permissions, so anyone who can establish a connection to the DICOM server can potentially read or modify the data. Aplite's presentation detailed that 3,806 servers running DICOM are publicly accessible on the internet and hold data on 59 million patients, with more than 16 million of those records including identifiable information such as name, date of birth, address, or social security number.

The study found that only 1% of the internet-accessible servers implement the authorization and authentication mechanisms available in the current version of the protocol. It is worth noting that organizations that understood the risk and acted early could have taken these servers out of public reach by segmenting their networks and putting appropriate authentication and security measures in place to protect patient and medical data.
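To make concrete what "anyone who can establish a connection" means on the wire, the following is an added example (it is not code from Aplite's research or from this article): it hand-builds the DICOM association handshake from the upper-layer PDU definitions in PS3.8 and classifies the server's reply. The A-ASSOCIATE-RQ needs nothing beyond two application entity (AE) titles; the only place a credential can travel is the optional User Identity sub-item (PS3.7 D.3.3.7), which a legacy server ignores. The AE titles PACS and PROBE, the implementation class UID, and the two sample response PDUs are constructed for the example; port 104 is the registered DICOM port. `probe()` opens a real TCP connection and must only be pointed at systems you are authorized to test.

```python
import socket
import struct

APP_CONTEXT_UID = "1.2.840.10008.3.1.1.1"  # DICOM Application Context Name
VERIFICATION_SOP = "1.2.840.10008.1.1"     # Verification SOP Class (C-ECHO)
IMPLICIT_VR_LE = "1.2.840.10008.1.2"       # Implicit VR Little Endian transfer syntax
IMPL_CLASS_UID = "1.2.826.0.1.3680043.9.9999.1"  # made-up implementation UID (assumption)

def _item(item_type, payload):
    """PDU item / sub-item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload

def _ae(title):
    """AE titles are exactly 16 bytes, space padded."""
    return title.encode("ascii").ljust(16)[:16]

def build_associate_rq(called_ae, calling_ae, username=None, password=None):
    """A-ASSOCIATE-RQ proposing C-ECHO over Implicit VR LE. Without a username it is
    exactly what every legacy SCU sends: no credential at all. With one, a User
    Identity sub-item (type 2 = username + password) is added; a server may ignore it."""
    app_ctx = _item(0x10, APP_CONTEXT_UID.encode("ascii"))
    pres_ctx = _item(0x20, bytes([1, 0, 0, 0])  # presentation context ID 1 (must be odd)
                     + _item(0x30, VERIFICATION_SOP.encode("ascii"))
                     + _item(0x40, IMPLICIT_VR_LE.encode("ascii")))
    user_info = _item(0x51, struct.pack(">I", 16384))  # largest PDU we will accept
    user_info += _item(0x52, IMPL_CLASS_UID.encode("ascii"))
    if username is not None:
        primary = username.encode("utf-8")
        secondary = (password or "").encode("utf-8")
        user_info += _item(0x58, struct.pack(">BBH", 2, 1, len(primary)) + primary
                           + struct.pack(">H", len(secondary)) + secondary)
    body = (struct.pack(">HH", 1, 0) + _ae(called_ae) + _ae(calling_ae) + bytes(32)
            + app_ctx + pres_ctx + _item(0x50, user_info))
    return struct.pack(">BBI", 0x01, 0, len(body)) + body

def parse_associate_response(pdu):
    """Classify the SCP's reply: A-ASSOCIATE-AC (0x02) or A-ASSOCIATE-RJ (0x03)."""
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    if pdu_type == 0x03:  # reject: reserved, result, source, reason/diagnostic
        _, result, source, reason = struct.unpack(">BBBB", pdu[6:10])
        return {"accepted": False, "result": result, "source": source, "reason": reason}
    if pdu_type != 0x02:
        raise ValueError("unexpected PDU type 0x%02x" % pdu_type)
    called_ae = pdu[10:26].decode("ascii").strip()
    contexts, identity_ack = {}, False
    pos, end = 74, 6 + length  # variable items follow the 68-byte fixed part
    while pos < end:
        item_type, _, item_len = struct.unpack(">BBH", pdu[pos:pos + 4])
        payload = pdu[pos + 4:pos + 4 + item_len]
        if item_type == 0x21:  # presentation context result; 0 = accepted
            ctx_id, _, result, _ = struct.unpack(">BBBB", payload[:4])
            contexts[ctx_id] = result
        elif item_type == 0x50:  # user information: did the server answer the identity?
            sub = 0
            while sub < len(payload):
                sub_type, _, sub_len = struct.unpack(">BBH", payload[sub:sub + 4])
                identity_ack |= sub_type == 0x59
                sub += 4 + sub_len
        pos += 4 + item_len
    return {"accepted": True, "called_ae": called_ae,
            "contexts": contexts, "identity_ack": identity_ack}

def sample_accept_pdu():
    """Constructed A-ASSOCIATE-AC as a legacy SCP sends it: context 1 accepted and no
    User Identity response, i.e. the association is open and nothing was checked."""
    ac_ctx = _item(0x21, bytes([1, 0, 0, 0]) + _item(0x40, IMPLICIT_VR_LE.encode("ascii")))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384))
                      + _item(0x52, IMPL_CLASS_UID.encode("ascii")))
    body = (struct.pack(">HH", 1, 0) + _ae("PACS") + _ae("PROBE") + bytes(32)
            + _item(0x10, APP_CONTEXT_UID.encode("ascii")) + ac_ctx + user_info)
    return struct.pack(">BBI", 0x02, 0, len(body)) + body

def sample_reject_pdu():
    """Constructed A-ASSOCIATE-RJ: permanent (1), from the service user (1), reason 7
    = called AE title not recognized, the usual reply when the AE title is wrong."""
    return struct.pack(">BBI", 0x03, 0, 4) + bytes([0, 1, 1, 7])

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-PDU")
        buf += chunk
    return buf

def probe(host, port=104, called_ae="ANY-SCP", timeout=5.0):
    """Open a credential-less association against a server you are authorized to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(called_ae, "PROBE"))
        header = _recv_exact(sock, 6)
        pdu = header + _recv_exact(sock, struct.unpack(">BBI", header)[2])
        result = parse_associate_response(pdu)
        if result["accepted"]:
            sock.sendall(struct.pack(">BBI", 0x05, 0, 4) + bytes(4))  # A-RELEASE-RQ
        return result
```

An accepted association with `identity_ack` false is the finding the Aplite numbers describe: the server opened a session for a caller it knows only by a self-declared AE title. Note that even a server that answers the User Identity sub-item has only authenticated the caller, so the check that matters is whether it rejects an association that carries no identity at all; a wrong called AE title typically produces the reject with reason 7 shown in `sample_reject_pdu()`, which is a naming mismatch, not access control.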

Healthcare is a sector with strict legislation and regulation, such as HIPAA (US), GDPR (EU), and PIPEDA (Canada). It is therefore surprising that 18.2 million of the records accessible on public-facing servers are located in the US.


Protecting critical systems

The misuse of data held on these exposed servers gives cybercriminals a great opportunity. Extorting patients by threatening to publicly disclose their diagnoses, altering data to create false diagnoses, preventing the responsible hospitals or other healthcare providers from retrieving data that has been altered, misusing patients' social security numbers and personal information, or using that information in spearphishing campaigns are just a few of the ways such data can be used to monetize cybercrime.

The problem of securing legacy systems with known security issues, such as DICOM, should be on the radar of regulators and policymakers. When regulatory bodies with the power to impose financial or other sanctions specifically require organizations to confirm that these vulnerable systems have appropriate security measures in place to protect medical and personal data, those who operate such systems have a strong incentive to ensure that they do.

Many industries carry the burden of expensive legacy system replacement, including utilities, healthcare, and maritime, to name but a few. It is important that these systems are replaced or, where replacement is too complex or financially out of reach, that appropriate action is taken so that these legacy protocols do not come back to haunt you.
