DICOM servers could be accessed unprotected


EUR 1.7 million in funding was available to the six project partners of MITSicherheit.NRW (IT Security in North Rhine-Westphalia) to analyze weak points in IT security in the healthcare sector and to develop recommendations for action. Because of the coronavirus pandemic, the project has not yet come to an official conclusion, but the final findings are already available. In parts, they reveal a picture that should give many practices, and patients too, pause for thought.

From the scientific side, the project was accompanied by the Laboratory for IT Security at Münster University of Applied Sciences. In an interview with VIEW, Christoph Saatjohann, a member of the IT Security Laboratory, reports on the results and the concrete need for action.

Christoph Saatjohann

Laboratory for IT Security at Münster University of Applied Sciences

Mr. Saatjohann, why did Münster University apply for the project at the time? What was your motivation?

The Laboratory for IT Security at Münster University of Applied Sciences is a specialist in cryptographic protocols, in other words, the encrypted exchange of data. We conducted a substantial amount of research here in the past in the area of e-mail security. It was exciting for us to put this expertise at the service of IT security in hospitals. Especially as the project was extremely interdisciplinary and we obtained many different perspectives on the issues. Our knowledge was enriched by that of the users in practices and hospitals and by that of the developers of health IT, for example VISUS. This collaboration across the network was extremely stimulating, and that in itself was a huge success for the project.

What exactly was your task?

We scrutinized the communication protocols used in hospitals, mainly HL7 and DICOM, and looked for sources of error. For example, by manually analyzing the specifications, the documents that described the protocol. Our objective was to determine the status quo with regard to the security of these protocols and to develop recommendations for action on this basis.

Did you find security gaps?

Yes, indeed. And they were not entirely harmless either. We built a scanner that we used to search the Internet specifically for different communication protocols. This was legally possible within the context of this research project. And we found what we were looking for: various DICOM, HL7, web servers and TI connectors were accessible with little - or no - protection and security measures. The patient data - mostly radiological - could theoretically have been downloaded without any effort.

What happened with these "open" servers?

We contacted the operators via the German Federal Office for Information Security (BSI) and drew their attention to the serious security flaw. The server operators in Germany all responded and plugged the gaps. Among the foreign DICOM server operators, interest was not quite as pronounced. Many operators did not respond at all or deliberately chose this option. These servers continue to be susceptible to attack.

What do these serious gaps mean for the future exchange of medical data or radiological images? And what are your conclusions?

For future radiology applications, one lever is the DICOM standard itself. DICOM is an old protocol with few security mechanisms. When DICOM was developed in the 1980s, it simply was not that important.

For the future, it would certainly make sense - and this is a recommendation for action on our part - for the standard to be developed further in terms of security. It already contains the essential elements required for this purpose. However, these are not supported by the modality manufacturers. Another problem that needs to be resolved is the management of key certificates to be able to use encrypted DICOM communication universally in practice.
It would be desirable to establish a binding obligation for manufacturers and, after a transitional period, to only permit modalities that support the security requirements.

That is one lever, what others are there?

In principle, responsibility for IT security lies with the operators, in other words the practices and hospitals themselves. In the meantime, it is no longer just KRITIS (critical infrastructure) houses that have to ensure that data are protected in the best possible manner based on the current state of technology, but also all other institutions. However, at present many still do not comply with this obligation. One reason is that they shy away from the costs involved.
For me, this is somewhat paradoxical: no practice would think of taking the utilities technology of a building into its own hands. This is outsourced to service providers. But as no one wants to spend money on IT, one would rather hire the nephew of an acquaintance. This attitude, that IT security should cost nothing, needs to change fundamentally on the part of those responsible. And, of course, users also have the leverage to put pressure on the manufacturers.

Thank you for the interview!
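The interview points out that DICOM itself offers few security mechanisms. One of the few it does have is the application entity (AE) title check at association setup, shown here as an added example in Python (not code from the project, from VISUS or from the interview): it parses an A-ASSOCIATE-RQ PDU and answers requests from unknown AE titles with an A-ASSOCIATE-RJ, and the sample request is constructed in the block. Because the AE title travels in clear text and is never authenticated, this screening only limits accidental exposure and does not replace DICOM over TLS with client certificates, which is the point the recommendation above makes.

```python
import struct

# Fixed part of an A-ASSOCIATE-RQ PDU (DICOM PS3.8, 9.3.2): type(1) reserved(1)
# length(4) protocol version(2) reserved(2) called AE(16) calling AE(16) reserved(32)
_RQ_HEADER = struct.Struct(">BBIHH16s16s32x")
PDU_ASSOCIATE_RQ = 0x01
PDU_ASSOCIATE_RJ = 0x03


def _encode_ae(title: str) -> bytes:
    """AE titles are 1-16 ASCII characters, space padded on the wire."""
    if not 0 < len(title) <= 16 or not title.isascii():
        raise ValueError(f"invalid AE title {title!r}")
    return title.ljust(16).encode("ascii")


def build_associate_rq(called: str, calling: str, items: bytes = b"") -> bytes:
    """Constructed sample request; a real SCU also sends context items after the header."""
    length = _RQ_HEADER.size - 6 + len(items)  # PDU length excludes the 6-byte type/length prefix
    return _RQ_HEADER.pack(PDU_ASSOCIATE_RQ, 0, length, 1, 0,
                           _encode_ae(called), _encode_ae(calling)) + items


def parse_associate_rq(pdu: bytes):
    """Return (called_ae, calling_ae) from an A-ASSOCIATE-RQ, or raise ValueError."""
    if len(pdu) < _RQ_HEADER.size:
        raise ValueError("PDU too short for an A-ASSOCIATE-RQ header")
    pdu_type, _, length, version, _, called, calling = _RQ_HEADER.unpack_from(pdu)
    if pdu_type != PDU_ASSOCIATE_RQ:
        raise ValueError(f"not an A-ASSOCIATE-RQ (PDU type 0x{pdu_type:02x})")
    if length != len(pdu) - 6:
        raise ValueError("PDU length field does not match the bytes received")
    if not version & 0x0001:
        raise ValueError("protocol version 1 not offered")
    return called.decode("ascii").rstrip(), calling.decode("ascii").rstrip()


def build_associate_rj(result: int, source: int, reason: int) -> bytes:
    """A-ASSOCIATE-RJ (PS3.8, 9.3.4): type, reserved, length=4, reserved, result, source, reason."""
    return struct.pack(">BBIBBBB", PDU_ASSOCIATE_RJ, 0, 4, 0, result, source, reason)


def screen_association(pdu: bytes, own_ae_title: str, allowed_calling) -> tuple:
    """Accept only associations addressed to our AE title from an allow-listed calling AE.
    Returns (accepted, reject_pdu); reject_pdu is None when accepted."""
    called, calling = parse_associate_rq(pdu)
    if called != own_ae_title:
        return False, build_associate_rj(1, 1, 7)  # permanent, service-user, called AE not recognized
    if calling not in allowed_calling:
        return False, build_associate_rj(1, 1, 3)  # permanent, service-user, calling AE not recognized
    return True, None
```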


Under the leadership of MedEcon Ruhr, the sponsor of the West German Teleradiology Network, the companies G Data Advanced Analytics, Visus Health IT and the Radprax company for medical care centers have been testing new IT products and IT services in 400 hospitals in North Rhine-Westphalia. Research results from the Ruhr University in Bochum and the Münster University of Applied Sciences were incorporated into the development. The solutions developed in the project will be openly accessible to the healthcare sector via a competence platform for cybersecurity.

Project partners

  • MedEcon Ruhr
  • G DATA
  • VISUS
  • Radprax
  • Münster University of Applied Sciences
  • Ruhr University Bochum
  • Hospital Association NRW

Further information: mits.nrw