- Modat found more than 1.2 million misconfigured devices leaking info
- This includes MRI scans, x-rays and other sensitive files along with patient contact data
- The health industry needs a proactive approach to cyber security, scientists warn
Researchers have warned that there are currently over a million internet-connected healthcare devices that are misconfigured, leaking all the data they generate online and putting millions of people at risk of identity theft, phishing, wire fraud and more.
Modat recently scanned the internet in search of misconfigured, non-password-protected devices and their data, and by using the ‘Health Service’, they found more than 1.2 million devices that generated and leaked confidential medical images, including MRI scans, X-rays and even blood work, from hospitals around the world.
“Examples of data leaked in this way include brain scans and X-rays, stored together with protected health information and personally identifiable information about the patient that potentially represents both a breach of the patient’s confidentiality and privacy,” the researchers explained.
Weak passwords and other evils
In some cases, researchers found information unlocked and accessible to anyone who knows where to look. In other cases, the data was protected with passwords so weak and predictable that they posed no obstacle to breaking in.
“In the worst case, leaked sensitive medical information could leave unsuspecting victims open to fraud or even extortion over a confidential medical condition,” they added.
In theory, a threat actor could learn about a patient’s condition before the patient does. Armed with names and contact information, they could contact the patient and threaten to release the information to friends and family unless a ransom is paid.
Alternatively, they could impersonate the doctor or hospital and send phishing emails inviting the victim to “view sensitive files”, which would actually redirect them to download malware or share login credentials.
The majority of the misconfigured devices are located in the United States (174K+), with South Africa a close second (172K+). Australia (111K+), Brazil (82K+) and Germany (81K+) round out the top five.
For Modat, “a proactive security culture beats a reactive response”.
“This research reinforces the urgent need for widespread asset visibility, robust vulnerability management and a proactive approach to securing any Internet-associated unit in health environments, ensuring that sensitive patient data remains protected from unauthorized access and potential exploitation,” commented Errol Weiss, Chief Security Officer at Health-ISAC.



