Research: More than 1B images, patient data are unprotected
The problem of unfettered access to medical images and data on unprotected servers appears to be getting worse.
An estimated 1.19 billion images associated with unprotected medical studies were found to be available on medical archives connected to the Internet, according to ongoing research on healthcare organization servers that contain unprotected images and other personal health information.
The latest estimate was revealed in a blog on Monday by Greenbone Networks, a German company that offers an open-source solution for vulnerability analysis and management.
In an updated report, Greenbone found that the number of images associated with unprotected medical studies is up 60 percent from the 737 million images it found last fall. The 1.19 billion images were related to 35 million studies, up 40 percent from 24.5 million studies of patients from around the world last fall.
Greenbone’s earlier research was detailed in September in ProPublica, and it had hoped to see progress in protecting medical images.
“To find even more studies, with more images related to them, isn’t what we expected to see,” Greenbone noted in the blog. “For most of the systems we scrutinized we had—and still have—continued access to the personal health information” associated with the images.
Greenbone’s research has found that hundreds of hospitals, medical office and imaging centers are using insecure storage systems—the lack of security enables anyone with an Internet connection and easily downloadable software to access medical images of patients. About half of the exposed images—including X-rays, ultrasound and CT scans—are from patients in the U.S.
The images are in DICOM standards, typically stored on a server linked to a picture archiving and communications system (PACS) to permit easy storage and sharing. Many providers leave these servers connected to the Internet, without a password, to facilitate sharing. Greenbone contends that unprotected servers also expose patients’ personal health information that’s associated with the images, available on digital “cover sheets” connected to the DICOM files.
In the U.S., “not only did the aggregated numbers rise to a disturbing level, we also found some alarming data sets stored in unprotected PACS systems,” the Greenbone blog noted. “One very large archive allows full access to PHI, including all images related to the 1.2 million examinations, in addition—for about 75 percent of the individual names stored—it also discloses the Social Security numbers.”
Another archive appears to hold data from military personnel, including their DoD ID, when the names of the institutions are used as an indicator.
Greenbone’s report can be accessed here.
Healthcare organizations need to step up efforts to protect images, says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.
“Generally speaking, in this kind of situation, it’s the configuration of the network which is at fault before anything else,” Hahad says. “No system handling sensitive data should be accessible from the internet without … a VPN or some strong authentication method. The DICOM protocol itself was developed a long time ago and did not take into consideration the implications of cybersecurity.
"It is often the case when legacy applications are moved from fortified data centers into cloud environments that data leaks occur,” he adds. “Those applications and databases may not have the adequate security considerations to guarantee confidentiality of data.”
To both successfully protect images and data, and yet provide access to those digital assets as needed, requires granular protection for information systems that is difficult for most organizations to manage, according to Appsian CEO Piyush Pandey.
“Health data has increased 878 percent since 2016 with no signs of slowing down and no easy answers,” he says. “A critical component to ensuring data integrity is implementing features that place granular security challenges on specific data elements (inside systems and applications) along with features that enhance the organization’s ability to see who is accessing sensitive data—from where and on what device.”
Security measures should enable users to access only the information that they need, Pandey adds.
“Healthcare organizations can establish strong business policies that are ‘data-centric’ and can adapt accordingly to various contexts of access,” he adds. “Users only (can) gain access to the data they are authorized to view and modify. Thus, providing maximum security and compliance; all without limiting user productivity.”