Protected patient data, including medical images, reachable over the public internet is a ticking bomb waiting to explode into a data breach. According to TechCrunch, nearly one billion medical images have been exposed online, and this is likely only the beginning. The basis of this revelation is a study conducted by Greenbone Networks, a German cybersecurity firm, in September 2019.
Greenbone carried out an analysis of over 2,300 medical Picture Archiving and Communication Systems (PACS) servers. PACS servers are governed by a standard called DICOM (Digital Imaging and Communications in Medicine). This standard sets the guidelines for how networked medical imaging devices exchange and archive information about patients and images. DICOM's network services run over TCP/IP. PACS servers digitally archive medical images (such as X-ray, CT and MRI scans), which can be shared with or accessed by the attending provider from anywhere in the world.
Of the 2,300 archive systems analyzed by Greenbone, 590 were identified as accessible from the internet. Collectively, they hold over 24 million patient data records from 52 countries. More than 737 million images are linked to this patient data, and around 400 million of them are accessible or can be easily downloaded from the internet. In addition, 39 systems allow access to patient data via an unencrypted HTTP web viewer, without any protection.
In November 2019, the firm reported that the exposure had grown by more than half, to 35 million patient records and 1.19 billion exposed scans, representing a considerable violation of patient privacy.
Felix Rosbach, Product Manager at comforte AG, said, “The massive amount of data sets combined with the number of freely accessible PACS systems shows that protecting data is still a major challenge for organizations in all verticals. While it is not always possible to prevent malicious access, sophisticated data protection is a must when processing and storing sensitive information, especially Personally Identifiable Information (PII) and healthcare records. These are core requirements of data privacy regulations like HIPAA and GDPR, and there might be fines coming up for this shortly.”
Often, security compliance is managed as a subset of medical compliance, so cybersecurity takes a back seat.
Earlier, Inmediata Health Group, a Puerto Rico-based health care center, disclosed a data breach in which a technical glitch in its webpage settings allowed search engines to index and expose internal webpages containing patients’ sensitive information. According to Inmediata, the exposed data included patients’ names, addresses, social security numbers, and other personal health information.