Measuring Healthcare Data Leaks and Security Flaws at Internet Scale
2026-07-06 • Cryptography and Security
Cryptography and Security
AI summaryⓘ
The authors studied the security of medical data services that use DICOM, HL7, and FHIR protocols. They ran a special fake system to see how these services are scanned and found lots of scans targeting DICOM but almost none for HL7 or FHIR. Their large internet scans revealed many healthcare systems with serious security problems like missing authentication, no encryption, and known software vulnerabilities. The authors highlight that healthcare cybersecurity is weak and share ideas to fix it, along with reporting their findings to improve patient data safety.
DICOMHL7FHIRhoneypotauthentication flawsTLS encryptionhealthcare cybersecurityIPv4 and IPv6software vulnerabilitiescoordinated disclosure
Authors
Nico Brüggemann, Lukas Schmidt, Marvin Dölzer, Marius Brockhoff, Fabian Ising, Christoph Saatjohann, Sebastian Schinzel
Abstract
Systems that process medical data should be meticulously secured. Yet, network services in healthcare environments often fail to implement basic security measures. For example, previous studies showed that network segmentation flaws led to DICOM systems leaking millions of patient records. In addition to DICOM, healthcare facilities rely heavily on the HL7 and FHIR protocols to transmit data. For nine months, we operated a low-interaction honeypot for medical protocols. We found it was regularly scanned for DICOM but never for HL7 or FHIR, indicating that despite their widespread use and importance for patient data security, the security of these services remains underexplored. In this paper, we present the first large-scale study on HL7 and FHIR services and expand previous work on DICOM. Our large-scale Internet scans, covering the three major healthcare protocols across IPv4 and IPv6 address spaces, identify healthcare systems and uncover data leaks due to authentication flaws. Additionally, we scanned for deficiencies in TLS configurations of these services and known insecure healthcare software. In total, we found \TotalEndpointsAuthFlaws ~healthcare services with authentication flaws. \NonTLSPercentage{}\% of all exposed systems do not support transport encryption, and \AllServerCVE{} systems have known software vulnerabilities, including those with potential for system takeover and CVSS scores up to 9.8. Overall, our study reveals an alarming state of cybersecurity in healthcare deployments, for which we discuss potential reasons and countermeasures. Finally, we report on the coordinated disclosure campaign we initiated to improve the security of patient data.