From the May 2020 issue of HealthCare Business News magazine
Based on findings from Shodan, a free scanner for internet-connected devices, over 55% of the PACS servers are accessible through port 104 — the default port used for Digital Imaging and Communications in Medicine (DICOM).
DICOM is an unencrypted network protocol used for transferring medical images that is well-known and thoroughly documented. As a result, a malicious actor with even a low level of skill can structure their communications to match the protocol and, using the correct conventions, make requests over the network that DICOM machines are designed to oblige. In this manner, hackers can poke around a network and gather information, looking for exploitable weaknesses to launch an attack or move to exfiltrate data.
So how can hospitals and medical networks minimize this risk? As with so many other issues of information security, the first step is taking stock and developing a thorough index and inventory of your networked devices; here, that would mean all connected DICOM and PACS devices. Using that information, you’ll want to check the connectivity configurations for those devices and identify which machines are open to the wider internet.
If you enlist a scanning tool to accelerate the process, it’s important that the scanning be passive so as not to interfere with or crash medical technologies incompatible with aggressive scanning techniques.
From there, the process boils down to five relatively simple steps:
1. If there are any servers that do not require remote access, apply firewall rules to block access to those servers from any external endpoints.
2. Close all operationally unnecessary ports — especially ports used for the transfer of medical information. Necessary ports can be identified based on MDS2 documentation and, if needed, consultation with the vendor.
● In many cases, there will be multiple ports left open on the device by default — even as the device is configured to communicate through a specific port. For example, the primary port for DICOM traffic is port 104. This port will typically be open by default. At the same time, some devices may be configured to use other ports for DICOM. In such a case, leaving port 104 open would constitute a completely unnecessary risk to your device, network, and data security.
3. Wherever possible, restrict out-of-network communications to those managed and secured through (properly patched and encrypted) virtual private networks.
4. If out-of-network communications cannot be restricted to VPN-managed sessions, limit the access to these servers to only necessary connections: use role-based authentication and allow only preapproved IP address ranges to access the servers.
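The steps above can be turned into a repeatable audit of the device inventory. The script below is an added example, not from the article or any vendor: it takes a constructed inventory (listening ports from a passive scan export, each device's configured DICOM port, and whether it needs remote access), flags ports that neither the MDS2 documentation nor the DICOM configuration requires (step 2, including the port-104 case in the bullet), and emits nftables-style rule lines for steps 1 and 4. The rule syntax, interface name `wan0`, and all addresses and port sets are assumptions.

```python
# Added example (not from the article): audit a DICOM/PACS inventory for the
# exposures described in the steps above. All device data is constructed.
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class Device:
    name: str
    ip: str
    open_ports: set              # listening ports from a passive scan export
    dicom_port: int              # port the device is configured to use for DICOM
    needs_remote_access: bool    # does anyone outside the network legitimately use it?
    approved_ranges: list = field(default_factory=list)  # preapproved CIDRs (step 4)


def unnecessary_ports(dev: Device, mds2_required: set) -> list:
    """Step 2: open ports that neither the MDS2 documentation nor the device's
    own DICOM configuration requires (e.g. port 104 still listening on a
    device that actually talks DICOM on 11112)."""
    required = set(mds2_required) | {dev.dicom_port}
    return sorted(dev.open_ports - required)


def firewall_rules(dev: Device) -> list:
    """Steps 1 and 4 as nftables-style rule lines (assumed syntax, for an
    inbound chain): block the DICOM port from the external interface outright,
    or allow only preapproved source ranges and deny everything else."""
    if not dev.needs_remote_access:
        return [f'iifname "wan0" ip daddr {dev.ip} tcp dport {dev.dicom_port} drop']
    rules = []
    for cidr in dev.approved_ranges:
        ip_network(cidr)  # reject a malformed range before it reaches the firewall
        rules.append(f"ip saddr {cidr} ip daddr {dev.ip} tcp dport {dev.dicom_port} accept")
    rules.append(f"ip daddr {dev.ip} tcp dport {dev.dicom_port} drop")  # default deny
    return rules


# Constructed inventory: an archive reconfigured to 11112 that still listens
# on 104, and a modality that never needs remote access.
INVENTORY = [
    Device("pacs-archive", "10.20.0.10", {22, 104, 443, 11112}, 11112, True, ["203.0.113.0/24"]),
    Device("ct-modality", "10.20.0.31", {80, 104}, 104, False),
]
MDS2_REQUIRED = {"pacs-archive": {22, 443}, "ct-modality": {80}}  # constructed, per device


def audit(devices=INVENTORY, mds2=MDS2_REQUIRED) -> dict:
    """Per-device findings: ports to close and firewall rules to apply."""
    return {d.name: {"close": unnecessary_ports(d, mds2[d.name]),
                     "rules": firewall_rules(d)} for d in devices}
```

Running `audit()` on the constructed inventory reports port 104 as closable on the archive and produces a drop rule for the modality and an allowlist plus default deny for the archive.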