Earlier this summer, researchers at German company Greenbone Networks decided to spend a few weeks trawling the internet to see how many medical imaging archives might be exposing patient data.
Presumably, they had a hunch they’d turn up something but appear to have been taken aback by the scale of the data leakage they uncovered.
Of the 2,300 archiving systems looked at, 590 were accessible from the internet, exposing 24 million medical records from 52 countries.
Linked to this patient data were 737 million medical images from x-rays, CT and MRI scans, including 400 million in a state that meant they could be downloaded and viewed using easily available software.
Just to rub in the lack of care and attention, a further 39 were so weakly secured that they allowed access to patient data using nothing more specialised than a web browser and HTTP.
In the US, the exposure was 45.8 million medical images associated with 13.7 million records which almost makes the UK’s figures of 5,000 images and 1,500 medical records sound good.
Clearly, something is going very wrong here, not only because so much medical data and imagery has been exposed but because it has taken a security company to point this out.
The internet will see you now
What happened to medical confidentiality?
And why haven’t supposedly stringent regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the US and GDPR in the EU prevented this?
In fact, they almost certainly have but the scale of the problem, and the potential for technical controls to be misconfigured or forgotten, has simply left too many holes for regulation to cope with.
Let’s start with the system used to put all these images within reach of people with bad intentions – the Picture Archiving and Communication Systems (PACS) – which relies on a protocol called Digital Imaging and Communications in Medicine (DICOM).
In layman’s terms, PACS are the servers on which images are stored, while DICOM offers a universal way to store, transmit and view medical images in a standard format.
But that standardisation, and the use of 2,300 known IP addresses communicating across ports 104 and 11112, makes it easy to fire up things like Shodan and Censys to look for exposed servers.
Once that’s done, all you need is a viewer to check them for exposed images and their associated medical data, and some time on your hands.
Meanwhile, hospitals and physicians have become used to the convenience of being able to move images around and store them in databases that link them together.
According to Greenbone, the medical data stored with an exposed image might contain the following:
- First name and surname
- Date of birth
- Date of examination
- Scope of the investigation
- Type of imaging procedure
- Attending physician
- Number of generated images
As with any server system, PACS and DICOM can suffer from software vulnerabilities that put security at risk – lo and behold the company found 10,000 of these on the servers, including 2,000 falling into the ‘high severity’ and ‘critical’ categories.
This discovery – and the number of servers offering up a range of weak security and configuration problems – might offer a clue as to what’s been going wrong.
Taken at face value, it suggests that many of these servers are set up and then forgotten about, or at least irregularly patched.
Perhaps it’s a problem caused by the fragmentation of private health care in countries such as the US, or perhaps medical IT teams just have other stuff to worry about and make the dangerous assumption that because nobody has (as far as we know) attempted to breach this data on a large scale, attackers aren’t interested.
For medical organisations lucky enough to have dodged attacks so far, there is still time to act.
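One place to start is your own perimeter rules. The sketch below is an added example, not Greenbone's tooling: it checks a set of ingress rules for anything that lets sources outside trusted networks reach the DICOM ports mentioned above (104 and 11112). The rule format, rule names and trusted ranges are assumptions made for illustration, and each rule is judged on its own, without modelling rule order.

```python
import ipaddress

DICOM_PORTS = {104, 11112}  # ports named in the article
# Assumption: these ranges stand in for the organisation's internal networks.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample rules in a hypothetical format (not a real firewall export).
SAMPLE_RULES = [
    {"name": "pacs-modality-lan", "action": "allow", "proto": "tcp", "source": "10.20.0.0/16", "ports": "104"},
    {"name": "pacs-legacy-any", "action": "allow", "proto": "tcp", "source": "0.0.0.0/0", "ports": "11112"},
    {"name": "wide-range-v6", "action": "allow", "proto": "tcp", "source": "::/0", "ports": "100-200"},
    {"name": "web-any", "action": "allow", "proto": "tcp", "source": "0.0.0.0/0", "ports": "443"},
    {"name": "deny-dicom", "action": "deny", "proto": "tcp", "source": "0.0.0.0/0", "ports": "104,11112"},
    {"name": "partner-public", "action": "allow", "proto": "tcp", "source": "203.0.113.0/24", "ports": "104"},
]

def parse_ports(spec):
    """Expand '104', '100-200' or '104,11112' into (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges

def is_internal(source):
    """True if the source CIDR sits entirely inside a trusted network."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_NETS)

def exposed_dicom_ports(rule):
    """Return the DICOM ports this rule opens to sources outside trusted networks."""
    if rule["action"] != "allow" or rule["proto"] not in ("tcp", "any"):
        return set()
    if is_internal(rule["source"]):
        return set()
    return {p for p in DICOM_PORTS for lo, hi in parse_ports(rule["ports"]) if lo <= p <= hi}

def audit(rules):
    """Map rule name to the sorted DICOM ports it exposes; clean rules are omitted."""
    findings = {}
    for rule in rules:
        ports = exposed_dicom_ports(rule)
        if ports:
            findings[rule["name"]] = sorted(ports)
    return findings

if __name__ == "__main__":
    for name, ports in audit(SAMPLE_RULES).items():
        print(f"{name}: DICOM port(s) {ports} reachable from outside trusted networks")
```

Note that the wide port range and the partner rule are flagged as well as the obvious allow-from-anywhere rule: a DICOM port can be exposed without ever being named in a rule.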