Security Statements

mbits imaging GmbH

CVE-2021-44228 - Java log4j

13-12-2021

This concerns the vulnerability in the Java library log4j (see BSI [1]). After examining the facts, we can inform you that this vulnerability does not pose a threat to your mRay installation. Java is used only on the server side of mRay, and only when an HL7 interface is configured as a plugin. This interface is usually set up in connection with our photo documentation or report generation. The log4j version we use there is not affected by the vulnerability. According to the BSI, all log4j versions from 2.0 up to and including 2.14.1 (>= 2.0 and <= 2.14.1) are affected. Nevertheless, we will update to the latest log4j version with a future update and will inform you about this separately. No further measures are currently required on your part. If you have any further questions, please do not hesitate to contact us.

[1] Message from the Federal Office for Information Security (BSI)
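The version range quoted from the BSI above is easy to misjudge by hand: 2.0-beta builds count as 2.0, a log4j 1.x jar lies outside the range entirely, and a shaded application jar may bundle log4j-core without a telling filename. The following Python script is an added example, not code from mbits or mRay: it walks a directory, opens every .jar and reports whether the jar contains the log4j-core JndiLookup class with a version inside 2.0 .. 2.14.1. The sample jars it scans are constructed in build_sample_tree(); reading the version from the manifest attribute Implementation-Version, with the filename as fallback, is an assumption about how the jar was built. Later advisories extended the issue to 2.15.0 (CVE-2021-45046); the range here is kept as the statement quotes it.

```python
"""Offline check for the CVE-2021-44228 (log4j) version range quoted above.

Walks a directory, opens every .jar and decides whether it carries the
log4j-core JndiLookup class with a version in the affected range
2.0 .. 2.14.1. Added example, not mRay's own code; the sample jars are
constructed in build_sample_tree() and are not real log4j artifacts.
"""
import os
import re
import tempfile
import zipfile

# Affected range as quoted from the BSI advisory in the statement above.
# Later advisories extended the issue to 2.15.0 (CVE-2021-45046); raise
# AFFECTED_MAX if you follow those instead.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)

# The vulnerable JNDI lookup lives in this class of log4j-core. A jar without
# it (log4j 1.x, log4j-api, or a jar with the class removed as a workaround)
# cannot be reached through CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected_version(version):
    """True if the version tuple lies inside the quoted BSI range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify_jar(path):
    """Return 'affected', 'not affected' or 'unknown version' for one jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            # Assumption: Maven-built log4j jars carry Implementation-Version
            # in the manifest; other builds fall back to the filename below.
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line.split(":", 1)[1])
                    break
    if JNDI_LOOKUP not in names:
        return "not affected"
    if version is None:
        m = re.search(r"log4j-core-(\d[^/]*?)\.jar$", os.path.basename(path))
        version = parse_version(m.group(1)) if m else None
    if version is None:
        return "unknown version"
    return "affected" if is_affected_version(version) else "not affected"


def scan(root):
    """Map every .jar under root (path relative to root) to its verdict."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                results[os.path.relpath(path, root)] = classify_jar(path)
            except zipfile.BadZipFile:
                results[os.path.relpath(path, root)] = "not a jar"
    return results


def build_sample_tree(root):
    """Constructed sample jars for an offline run (not real log4j artifacts)."""
    def write_jar(name, version, with_jndi):
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            if version:
                zf.writestr("META-INF/MANIFEST.MF",
                            "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
            if with_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    write_jar("log4j-core-2.14.1.jar", "2.14.1", True)            # in range
    write_jar("log4j-core-2.17.1.jar", "2.17.1", True)            # above range
    write_jar("log4j-1.2.17.jar", "1.2.17", False)                # log4j 1.x, no JndiLookup
    write_jar("log4j-core-2.14.1-stripped.jar", "2.14.1", False)  # class removed (workaround)
    write_jar("app-bundle.jar", None, True)                       # shaded jar, no version info


def demo():
    """Build the constructed sample tree in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for jar, verdict in sorted(demo().items()):
        print("%-34s %s" % (jar, verdict))
```

To use it on a real system, point scan() at the server's installation directory (for mRay, wherever the HL7 plugin's jars live) instead of the temporary directory. A verdict of "unknown version" means the JndiLookup class is present but no version could be read, so that jar needs a manual look; "not affected" for a jar in the range only because the class was stripped is the documented workaround, not an update.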

How mRay protects your data in connection with the article "Millions of patient data unprotected on the internet" (Bayerischer Rundfunk)

17.09.2019

With reference to the article "Millions of patient data unprotected on the internet" by Bayerischer Rundfunk [1], we would like to inform you once again about how mRay protects your data.

The leaks mentioned in the report involve PACS systems that were reachable from the Internet without protection. According to ARD Tagesschau, these incidents arose during the import of CDs or from misconfiguration of the computers holding the data [2].

Our mRay application is designed with several layers of protection so that incidents of this kind do not occur. Images downloaded through the mRay app are stored in a proprietary format and contain only the information necessary for display; the app provides no way to access the original DICOM files. This proprietary data format is also transferred over an AES-256 encrypted connection. Access to the data is controlled through password-protected authentication and authorization management.

DICOM data is cached only on the hospital's own server running mRay, so that it can be converted to the proprietary format. At no time is data stored with a cloud service provider; data sovereignty remains with you. This cache is also encrypted. Since mRay is neither a PACS nor a data archive, data is kept on the server only for a preset time (default: 2 days). The same applies to the end devices (default: 8 hours).

In the recommended deployment, all mRay servers are located in the hospital's internal network and not in the DMZ, so that direct access from outside is not possible. The gateway in the DMZ then acts only as a relay that forwards the encrypted traffic and thus serves as the link between the mRay app and the mRay server. No data is stored in the DMZ. A random-sample analysis of customer servers showed no unusual traffic or anomalous behaviour patterns.

The security architecture of the mRay application is a continuously tested core component of the software, intended to ensure that data leaks like those mentioned in the article do not recur. More information about mRay's security concept and data protection handling can be found in the attached infosheets.

We thank you and are at your disposal for any further questions.

[1] https://www.br.de/nachrichten/deutschland-welt

[2] https://www.tagesschau.de/investigativ/br-recherche/patientendaten-leck-suche-101.html
