Unprotected servers leave more than 45 million medical images accessible online



by John R. Fischer, Senior Reporter | December 16, 2020
Unprotected servers in 67 countries have made over 45 million medical images accessible online.

The discovery was made by an analyst team at CybelAngel, a data risk protection firm, during a six-month investigation. Compiling their findings in a report called “Full Body Exposure”, the group says the images include X-rays and CT scans that contain both personal health information and personally identifiable information for patients worldwide, including in the U.S., U.K., France and Germany.

"No hacking tools were used; millions of images were freely accessible and not encrypted. These could be accessed without password protection. Unprotected document storage servers are one potential source of data leaks, so it is important to remember that digital risk protection is about making sure all assets are secured whether these are on a connected storage device or a cloud application," David Sygula, senior cybersecurity analyst at CybelAngel and author of the report, told HCB News.


The images were found on more than 2,140 servers, with millions unencrypted and without password protection. The analysts made the discovery while investigating Network Attached Storage (NAS) and Digital Imaging and Communications in Medicine (DICOM), the de facto standard used by healthcare professionals to send and receive medical data.

Scanning approximately 4.3 billion IP addresses, the team found the openly available images could be accessed without inputting a user name or password. This included up to 200 lines of metadata per record that contained PII such as names, birth dates, and addresses; as well as PHI, such as height, weight and diagnosis. Login portals for some even accepted blank usernames and passwords.
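For a provider auditing its own archive, the practical question is which of those metadata lines would identify a patient if a server were reachable without credentials. The following Python is an added illustration (not from the CybelAngel report or any DICOM library): it parses the explicit-VR little-endian element encoding that DICOM uses and lists the PII and PHI tags present in a record. The sample record is constructed inline with fictional values and omits the 128-byte preamble and file-meta group that a real .dcm file carries.

```python
import struct

# Tag numbers are from the DICOM data dictionary (PS3.6); the PII/PHI split
# mirrors the fields named in the article.
PII_TAGS = {(0x0010, 0x0010): "PatientName", (0x0010, 0x0030): "PatientBirthDate",
            (0x0010, 0x1040): "PatientAddress"}
PHI_TAGS = {(0x0010, 0x1020): "PatientSize", (0x0010, 0x1030): "PatientWeight"}
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # 2 reserved + 4-byte length

def parse_elements(data: bytes):
    """Yield (tag, VR, raw value) from an explicit-VR little-endian element stream."""
    pos = 0
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_LENGTH_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        yield (group, elem), vr.decode("ascii"), data[pos:pos + length]
        pos += length

def inventory_identifiers(data: bytes) -> dict:
    """Return {"PII": {...}, "PHI": {...}} for identifying tags found in the stream."""
    found = {"PII": {}, "PHI": {}}
    for tag, _vr, value in parse_elements(data):
        if tag in PII_TAGS:
            found["PII"][PII_TAGS[tag]] = value.decode("ascii").strip()
        elif tag in PHI_TAGS:
            found["PHI"][PHI_TAGS[tag]] = value.decode("ascii").strip()
    return found

def encode_element(group: int, elem: int, vr: bytes, text: str) -> bytes:
    """Encode one short-length element; DICOM pads string values to even length."""
    raw = text.encode("ascii")
    raw += b" " * (len(raw) % 2)
    return struct.pack("<HH", group, elem) + vr + struct.pack("<H", len(raw)) + raw

# Constructed sample record (preamble and file-meta group omitted); not real data.
SAMPLE_RECORD = b"".join([
    encode_element(0x0008, 0x0060, b"CS", "CT"),        # Modality: not identifying
    encode_element(0x0010, 0x0010, b"PN", "DOE^JANE"),
    encode_element(0x0010, 0x0030, b"DA", "19700101"),
    encode_element(0x0010, 0x1020, b"DS", "1.70"),
    encode_element(0x0010, 0x1030, b"DS", "65"),
    encode_element(0x0010, 0x1040, b"LO", "1 Main St"),
])
```

Running `inventory_identifiers(SAMPLE_RECORD)` over an archive export shows which objects still carry name, birth date or address before they are shared outside the segmented imaging network.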

Vulnerabilities such as this leave healthcare organizations at the mercy of ransomware attackers and blackmailers, according to CybelAngel. Fraud is also a big risk, due to medical images fetching good prices on the dark web. In addition, healthcare providers can be held liable under sanctions regulated by the GDPR in Europe and by HIPAA in the U.S.

Sygula says he and his team were "surprised" by the extent to which sensitive images were left open for exposure, considering the regulations in place for governing health data.

"Because of COVID-19 safety measures to socially distance, there has been increased remote access to medical images. If remote access is not properly secured with strong password protection protocols and encryption, the chance of a data leak and ultimately breached data increases exponentially," he said.

The report lists a number of steps that can be taken to share and store data more securely:

  • Determine whether the pandemic response has outgrown your security policies: ad hoc NAS devices, file-sharing apps and contractors may take data beyond your ability to enforce access controls.

  • Ensure proper network segmentation of connected medical imaging equipment from wider business or public networks.

  • Conduct a real-world audit of third-party partners.
