Greenbone - Massive security vulnerability discovered in medical databases
Greenbone
As you will have noticed this week, security researchers at Greenbone Networks discovered that patient data was freely accessible on the Internet worldwide. This involved over 24 million data records with more than 700 million linked images, spread across 52 countries. In Germany alone, there are 15,000 records of German citizens with 2.85 million images, many of which can be accessed without a password or any other form of authentication. This information was reported to Bayerischer Rundfunk by Greenbone's CMO Dirk Schrader and was checked and confirmed by BR Recherche.
The affected systems are so-called PACS (Picture Archiving and Communication Systems) servers, which exchange images and metadata with modalities and workstations via the DICOM (Digital Imaging and Communications in Medicine) protocol. These are used worldwide and are considered the standard in the medical sector.
The patient data contained at least the name, date of birth, date of the examination and medical notes on the reason for the examination. Depending on the data set, other information as well as images could also be included.
This is not only a serious breach from the perspective of the GDPR, but also a potentially big problem for the patients concerned. It starts with personalised phishing attacks that use the correct name, address and salutation, so-called spear phishing. It continues with identity theft and even blackmail or public exposure in the case of potentially embarrassing visits to the doctor. The range of possible abuses is wide. It is estimated that this amount of information would fetch an equivalent value of over one billion euros on the darknet.
Greenbone also conducted a security analysis of the exposed systems with the help of the Greenbone Security Manager. This identified more than 10,000 vulnerabilities, of which more than 20% were rated high severity. More than 500 of them even carried the highest possible score in the Common Vulnerability Scoring System (CVSS 10.0). A score of 10.0 describes a vulnerability that can be exploited remotely, without authentication, and that leads to complete compromise of the system. In other words, anyone on the Internet could take over such a system completely.
Querying a DICOM server normally requires dedicated client software, but such software is freely available and well documented on the Internet, so even a technical layman can use it. Beyond that, various systems were also directly accessible via web browser and/or FTP, so no special software was needed at all.
What are possible countermeasures?
Since this is not a classic security vulnerability that can be eliminated with a simple software update, the infrastructure itself must be adapted. The first step is network-level access control, for example access control lists on the firewall or router so that only specific IP addresses or IP ranges can reach the DICOM and web ports of the PACS at all. In addition, an authentication mechanism should be used so that the system accepts incoming connections only after a successful login. Note that the AE-title checks built into DICOM are not authentication on their own: AE titles travel in cleartext and are easy to guess, so they are only useful as an additional filter behind the network ACL.
The use of VPN connections for authorised persons is also strongly recommended: it forces users to authenticate before they can reach the systems and encrypts the traffic in transit, which matters because DICOM transmits patient data in plaintext unless TLS has been configured explicitly.
In addition, the systems themselves should be kept patched and up to date, so that the known security gaps found in the scan cannot be exploited even by someone who does get through the perimeter.
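To make the two measures above concrete, here is an added example (not Greenbone's code and not the code of any PACS vendor) of an association gatekeeper for a DICOM server: it combines an IP-range allow-list with a check of the calling and called AE titles before any DICOM data flows. It assumes a hypothetical policy (the `ALLOWED_PEERS` table and the `PACS_ARCHIVE` AE title are made up for the example) and parses only the fixed header of an A-ASSOCIATE-RQ PDU as defined in DICOM PS3.8; the sample request it builds is constructed inline, so the script runs offline.

```python
"""DICOM association gatekeeper: IP allow-list plus AE-title check.

Added example, not the page's or any vendor's code. The allow-list policy
and AE titles below are assumptions made for the demonstration.
"""
import ipaddress
import struct

# Hypothetical policy (assumption): which calling AE titles may connect from
# which source networks. Anything not listed is rejected.
ALLOWED_PEERS = {
    ipaddress.ip_network("10.20.0.0/24"): {"RADIOLOGY_WS1", "RADIOLOGY_WS2"},
    ipaddress.ip_network("10.30.5.0/28"): {"MODALITY_CT1"},
}
OUR_AE_TITLE = "PACS_ARCHIVE"  # assumption: the called AE title we answer to

PDU_ASSOCIATE_RQ = 0x01
PDU_ASSOCIATE_RJ = 0x03
APP_CONTEXT_UID = b"1.2.840.10008.3.1.1.1"  # DICOM application context name


def _ae(title: str) -> bytes:
    """Encode an AE title as the 16-byte, space-padded field DICOM uses."""
    raw = title.encode("ascii")
    if not raw or len(raw) > 16:
        raise ValueError("AE title must be 1..16 ASCII characters")
    return raw.ljust(16, b" ")


def build_associate_rq(called: str, calling: str) -> bytes:
    """Build a minimal A-ASSOCIATE-RQ: fixed header plus an application-context item.

    PS3.8 layout: type(1) reserved(1) length(4) version(2) reserved(2)
    called AE(16) calling AE(16) reserved(32) variable items...
    """
    item = bytes([0x10, 0x00]) + struct.pack(">H", len(APP_CONTEXT_UID)) + APP_CONTEXT_UID
    body = struct.pack(">HH", 1, 0) + _ae(called) + _ae(calling) + bytes(32) + item
    return struct.pack(">BBI", PDU_ASSOCIATE_RQ, 0, len(body)) + body


def parse_associate_rq(pdu: bytes):
    """Return (called_ae, calling_ae) from an A-ASSOCIATE-RQ, validating the header."""
    if len(pdu) < 74 or pdu[0] != PDU_ASSOCIATE_RQ:
        raise ValueError("not an A-ASSOCIATE-RQ PDU")
    length, version = struct.unpack(">IH", pdu[2:8])
    if length != len(pdu) - 6:
        raise ValueError("PDU length field does not match the bytes received")
    if not version & 0x0001:
        raise ValueError("unsupported DICOM UL protocol version")
    called = pdu[10:26].decode("ascii").strip()
    calling = pdu[26:42].decode("ascii").strip()
    return called, calling


def build_associate_rj(result: int, source: int, reason: int) -> bytes:
    """Build a 10-byte A-ASSOCIATE-RJ PDU (PS3.8)."""
    return struct.pack(">BBIBBBB", PDU_ASSOCIATE_RJ, 0, 4, 0, result, source, reason)


# One uniform, uninformative rejection: result 1 (rejected-permanent),
# source 1 (UL service-user), reason 1 (no-reason-given). Returning the
# specific "calling AE title not recognized" code would let a probing client
# enumerate valid AE titles.
REJECT = build_associate_rj(1, 1, 1)


def check_association(peer_ip: str, pdu: bytes):
    """Decide whether a peer may associate.

    Returns ("accept", calling_ae, None) or ("reject", why, rj_pdu_to_send).
    """
    addr = ipaddress.ip_address(peer_ip)
    permitted = set()
    for net, titles in ALLOWED_PEERS.items():
        if addr in net:
            permitted |= titles
    if not permitted:
        # Not on the ACL: the firewall should already have dropped this, but
        # the application refuses as well (defence in depth).
        return "reject", "peer address not on allow-list", REJECT
    try:
        called, calling = parse_associate_rq(pdu)
    except ValueError as exc:
        return "reject", f"malformed request: {exc}", REJECT
    if called != OUR_AE_TITLE:
        return "reject", "called AE title is not ours", REJECT
    if calling not in permitted:
        return "reject", "calling AE title not permitted from this network", REJECT
    return "accept", calling, None


if __name__ == "__main__":
    # Constructed sample request: a workstation asking to talk to our archive.
    rq = build_associate_rq("PACS_ARCHIVE", "RADIOLOGY_WS1")
    for ip in ("10.20.0.7", "203.0.113.9"):
        print(ip, check_association(ip, rq)[:2])
```

The order of the checks is deliberate: the source address is tested before a single byte of the PDU is parsed, so an unknown host on the Internet never reaches the parser, and every refusal sends the same A-ASSOCIATE-RJ. This is still only a filter. Real authentication for remote users means the VPN the article recommends, or DICOM over TLS with client certificates as specified in the DICOM secure transport profiles (PS3.15).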
Who is Greenbone Networks?
Greenbone Networks was founded in 2008 in Osnabrück and offers an open-source based solution for vulnerability analysis and management, the Greenbone Security Manager (GSM). With it, you can continuously check the network and the devices in the company for known vulnerabilities. These are not only security gaps in software, but also misconfigurations, such as default passwords that have never been changed. The findings are collected in a report together with recommendations on how to eliminate each problem. Apart from the scan traffic itself, the GSM is non-intrusive and does not make any changes to the scanned devices or the network.

Greenbone offers both hardware and virtual appliances that cover every scale, from small companies to large corporations. Its licensing model has the advantage that the scanning performance of the appliance is licensed, not the number of devices/IPs in the company. This means that you can, for example, purchase an appliance with a performance of up to 500 IPs per day even if you have 2,000 IPs in the company; you would then scan every IP every 4 days.
If you are interested in a trial or a project with the Greenbone Security Manager, please feel free to contact us by phone, email or via our contact form.