Hundreds of Internet-accessible, unprotected medical imaging systems expose data on millions of patients worldwide, German security firm Greenbone reveals.
The analysis conducted by Greenbone, a vulnerability analysis and management solutions provider, focused on Picture Archiving and Communication Systems (PACS), which are used by healthcare organizations to capture, store and distribute medical images.
The company’s study aimed to shed some light on how well patient data is protected within healthcare organizations, and the results were not encouraging: roughly a quarter of the analyzed PACS servers exposed data to the Internet.
Specifically, out of 2,300 systems analyzed between July and September 2019, 590 were accessible from the Internet and had no protection for the personal or medical data stored on them. Such data included patient name and date of birth, date of examination, some details on the reason for examination, and even image data for those patients.
Overall, the 590 exposed systems contained more than 24.5 million data records from patients across 52 countries, including 737 million images (from X-ray, CT and MRI devices), with 400 million of these images easily downloadable over the Internet.
In November 2019, the security firm revisited the study, only to discover that the amount of exposed data had increased. Although 129 newly exposed archiving systems were found and 172 had gone offline, a total of 35 million data records were now publicly accessible, up from 24.5 million. Furthermore, the number of exposed images had increased from 737 million to 1.19 billion (1,193,404,000).
In an updated report (PDF), Greenbone revealed that the number of patient records for which it was possible to access images had doubled from 4.4 million to 9 million between September and November. The number of images that could easily be downloaded over the Internet had declined from 400 million to 370 million.
A re-run of the analysis performed at the beginning of January 2020 showed a slight decrease in the number of exposed PACS, though tens of millions of medical studies remain exposed to the Internet.
At the beginning of 2020, more than 460 of the previously exposed systems were still connected to the Internet, “allowing uncontrolled, unprotected access to patient information,” Dirk Schrader, cyber resilience strategist at Greenbone, told SecurityWeek in an email conversation.
“More than half of them even allow access to the images contained (not only to study data like name, DOB, date of exam, method of exam, physician name, etc),” he continued.
Globally, between November and early January, 5.9 million patient records were taken offline and 100 million images went down with them.
However, around 1 million studies were added to the systems that were still connected to the Internet. These, Schrader says, also included 30 million images.
Given that there was only a small change in the amount of exposed data within an eight-week timeframe, and considering the holiday lull around Christmas, Schrader paints a rather bleak picture of the foreseeable future.
“This means that in about 3-4 months, the situation will be back and above the level of November 2019, if the number of unprotected systems isn’t reduced drastically,” he said.
Should the top 10% of exposed PACS, ranked by the number of studies stored on them, be taken offline, the number of patient records exposed to the Internet would be reduced by more than 15 million, he explains.
“In addition it would substantially decrease the number of studies added over time as they are the largest ‘contributors’,” Schrader continues.
In terms of the most affected countries, the United States takes the leading position. Greenbone has informed over 140 U.S. organizations that they expose patient data, but its November 2019 report puts the number of impacted U.S. institutions, including clinics, hospitals, and radiology service providers, at over 800.
Turkey, South Africa, Ecuador, India, and Brazil are also highly impacted.
The issue, Greenbone says, can be mitigated through security awareness: organizations should increase visibility into their assets and verify whether any of them are reachable from the Internet; physicians should confirm that medical information transmitted electronically is encrypted, and ask why if it is not; and patients should ask their doctors how their data is protected.
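The asset check Greenbone recommends can be done at the protocol level rather than by port scan alone. The following is an added example, not Greenbone's tooling or anything from the report: it assumes the PACS speaks DICOM's upper-layer protocol (the article does not name the protocol, but it is how PACS exchange images, usually on TCP 104 or 11112), sends an anonymous A-ASSOCIATE-RQ proposing the Verification SOP Class (C-ECHO), and interprets the first PDU that comes back. A server that answers A-ASSOCIATE-AC has accepted an association from an unknown peer with no credentials, which is the exposure described above; a rejection carries a source/reason pair that tells you whether, for example, it only refused the called AE title. The implementation class UID, the "ANY-SCP" called AE title and the "PROBE" calling AE title are placeholders chosen for this example. Run it only against systems you are authorized to test.

```python
"""Probe whether a PACS accepts unauthenticated DICOM associations (illustrative code)."""
import socket
import struct

APP_CONTEXT = "1.2.840.10008.3.1.1.1"          # DICOM Application Context Name
VERIFICATION_SOP = "1.2.840.10008.1.1"         # Verification SOP Class (C-ECHO)
IMPLICIT_VR_LE = "1.2.840.10008.1.2"           # Implicit VR Little Endian transfer syntax
IMPL_CLASS_UID = "1.2.826.0.1.3680043.9.9999"  # hypothetical implementation UID for this probe


def item(item_type: int, payload: bytes) -> bytes:
    """Generic PS3.8 item/sub-item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def uid_item(item_type: int, uid: str) -> bytes:
    return item(item_type, uid.encode("ascii"))


def pdu(pdu_type: int, body: bytes) -> bytes:
    """PDU framing: type, reserved byte, 4-byte big-endian length of the body."""
    return struct.pack(">BBI", pdu_type, 0, len(body)) + body


def build_associate_rq(called_ae: str, calling_ae: str = "PROBE") -> bytes:
    """A-ASSOCIATE-RQ proposing one presentation context: C-ECHO over Implicit VR LE."""
    pres_ctx = item(0x20, bytes([1, 0, 0, 0])          # presentation-context-ID 1 + 3 reserved
                     + uid_item(0x30, VERIFICATION_SOP)  # abstract syntax
                     + uid_item(0x40, IMPLICIT_VR_LE))   # transfer syntax
    user_info = item(0x50, item(0x51, struct.pack(">I", 16384))  # max PDU length we accept
                     + uid_item(0x52, IMPL_CLASS_UID))
    body = (struct.pack(">HH", 1, 0)                     # protocol version 1, reserved
            + called_ae.ljust(16).encode("ascii")[:16]   # AE titles are 16 bytes, space padded
            + calling_ae.ljust(16).encode("ascii")[:16]
            + bytes(32)                                  # reserved
            + uid_item(0x10, APP_CONTEXT) + pres_ctx + user_info)
    return pdu(0x01, body)


A_RELEASE_RQ = pdu(0x05, bytes(4))


def parse_associate_ac(reply: bytes) -> dict:
    """Return {presentation-context-ID: result} from an A-ASSOCIATE-AC (result 0 = accepted)."""
    results = {}
    offset = 74                                          # 6-byte PDU header + 68 fixed bytes
    while offset + 4 <= len(reply):
        item_type, _, length = struct.unpack(">BBH", reply[offset:offset + 4])
        payload = reply[offset + 4:offset + 4 + length]
        if item_type == 0x21 and len(payload) >= 4:
            results[payload[0]] = payload[2]
        offset += 4 + length
    return results


def classify_response(reply: bytes) -> str:
    """Map the server's first PDU to what it says about exposure."""
    if len(reply) < 10:
        return "no-dicom"                                # empty or short reply: not a DICOM listener
    if reply[0] == 0x02:                                 # A-ASSOCIATE-AC
        if any(result == 0 for result in parse_associate_ac(reply).values()):
            return "open"                                # anonymous C-ECHO accepted: no credentials needed
        return "open-no-context"                         # association accepted, our context refused
    if reply[0] == 0x03:                                 # A-ASSOCIATE-RJ: reserved, result, source, reason
        return f"rejected(result={reply[7]},source={reply[8]},reason={reply[9]})"
    if reply[0] == 0x07:                                 # A-ABORT
        return "aborted"
    return "no-dicom"


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def read_pdu(sock: socket.socket) -> bytes:
    header = recv_exact(sock, 6)
    if len(header) < 6:
        return header
    (length,) = struct.unpack(">I", header[2:6])
    return header + recv_exact(sock, length)


def probe(host: str, port: int = 11112, called_ae: str = "ANY-SCP", timeout: float = 5.0) -> str:
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_associate_rq(called_ae))
            reply = read_pdu(sock)
            if reply[:1] == b"\x02":
                sock.sendall(A_RELEASE_RQ)               # release the association we opened
            return classify_response(reply)
    except OSError as exc:                               # refused, timed out, unreachable
        return f"closed({exc.__class__.__name__})"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 11112
    print(f"{host}:{port} -> {probe(host, port)}")
```

A verdict of "open" means only that the listener talks to anyone; it is a C-FIND against that association, not the C-ECHO itself, that returns the names, dates of birth and exam details the article describes, so treat "open" as the trigger for an internal review rather than as proof of data exposure. Conversely, a rejection with source 1 and reason 7 (called AE title not recognized) means the server is still reachable and is relying on a guessable AE title as its only gate; run the probe from outside the network perimeter, since that is the vantage point the study measured.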