400 Million Medical Photos Are Openly Available on the Web Through Unsecured PACS

According to the latest investigation by ProPublica, Greenbone Networks (a vulnerability analysis company) and Bayerischer Rundfunk (a German public broadcaster), 24.3 million medical images held in medical image storage systems are openly accessible on the web and do not require authentication to view or download.

Those images, which consist of CT scans, MRIs and X-rays, are kept in picture archiving and communication systems (PACS) connected to the internet.

Greenbone Networks reviewed 2,300 internet-connected PACS between July and September 2019 and set up a RadiAnt DICOM Viewer to retrieve the images stored on accessible PACS servers.

Those servers were found to hold roughly 733 million medical images, of which 399.5 million could be viewed and downloaded. The researchers identified 590 servers that required no authentication to access the medical images.

PACS use the Digital Imaging and Communications in Medicine (DICOM) standard to store, retrieve, process, and transmit images. In most cases a DICOM viewer is needed to view the images, but in some cases a web browser or a few lines of code is all that is required. Anyone with basic computer skills can access and download the images.

The exposed PACS were found in 52 countries, with the greatest concentration, 187 systems, in the U.S. The unprotected U.S. PACS held 13.7 million data sets and 303.1 million medical images belonging to close to 5 million American patients.

The researchers found more than 10,000 security issues on the audited systems. About 20% were high-severity issues, and 500 were critical issues with a CVSS v3 score of 10.

The images contained personal and medical data such as patients' names, birth dates, scan dates, the scope of the examination, the type of imaging procedure performed, the institution name, the names of attending physicians, and the number of images generated. Some of the images also contained Social Security numbers.
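The patient data listed above is not hidden inside the pixels; it sits in plain-text DICOM header elements that any parser can read, which is why a browser or "a few lines of code" is enough once a PACS is reachable without authentication. The following is an added example, not code from the article or from Greenbone's investigation. It builds a small constructed DICOM Part 10 file (Explicit VR Little Endian, a minimal file meta group, no nested sequences), parses its header without any third-party library, reports which identifying elements are present, and produces a crudely redacted copy. The tag list is a short illustrative subset of the identifying attributes in DICOM PS3.15, not the full profile, and the sample values (hospital name, patient name, IDs, dates) are all made up.

```python
import struct

# Illustrative subset of identifying attributes from the DICOM PS3.15
# de-identification profile (the real profile lists hundreds of tags).
PHI_TAGS = {
    (0x0008, 0x0020): "StudyDate",
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x1000): "OtherPatientIDs",
}

# VRs whose Explicit VR encoding uses 2 reserved bytes plus a 4-byte length.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def encode_element(group, element, vr, value):
    """Encode one Explicit VR Little Endian data element (used to build the sample)."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:  # DICOM values are padded to an even length
        value += b"\x00" if vr == b"UI" else b" "
    head = struct.pack("<HH", group, element) + vr
    if vr in LONG_VRS:
        head += b"\x00\x00" + struct.pack("<I", len(value))
    else:
        head += struct.pack("<H", len(value))
    return head + value


def build_sample_file():
    """Constructed DICOM Part 10 file: 128-byte preamble, 'DICM', file meta, dataset.
    All values are fabricated for this example."""
    meta = encode_element(0x0002, 0x0010, b"UI", "1.2.840.10008.1.2.1")  # Explicit VR LE
    dataset = b"".join([
        encode_element(0x0008, 0x0020, b"DA", "20190915"),
        encode_element(0x0008, 0x0060, b"CS", "CT"),
        encode_element(0x0008, 0x0080, b"LO", "EXAMPLE HOSPITAL"),
        encode_element(0x0008, 0x0090, b"PN", "DOE^JANE"),
        encode_element(0x0010, 0x0010, b"PN", "PATIENT^TEST"),
        encode_element(0x0010, 0x0020, b"LO", "TEST-0001"),
        encode_element(0x0010, 0x0030, b"DA", "19700101"),
        encode_element(0x7FE0, 0x0010, b"OB", bytes(16)),  # 16 bytes of dummy pixel data
    ])
    return b"\x00" * 128 + b"DICM" + meta + dataset


def iter_elements(data):
    """Yield (tag, vr, value) for each element of an Explicit VR LE Part 10 file.
    Assumption: no undefined-length elements or nested sequences."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file (missing DICM magic)")
    pos = 132
    while pos + 8 <= len(data):
        group, element = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            length = struct.unpack_from("<I", data, pos + 8)[0]
            pos += 12
        else:
            length = struct.unpack_from("<H", data, pos + 6)[0]
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element not supported in this example")
        value = data[pos:pos + length]
        pos += length
        yield (group, element), vr, value


def find_phi(data):
    """Return {attribute_name: value} for every identifying element with a non-empty value."""
    found = {}
    for tag, vr, value in iter_elements(data):
        name = PHI_TAGS.get(tag)
        if name and value.strip(b"\x00 "):
            found[name] = value.decode("ascii", errors="replace").rstrip("\x00 ")
    return found


def needs_deidentification(data):
    """True if the file still carries any of the listed identifying attributes."""
    return bool(find_phi(data))


def redact_phi(data):
    """Return a copy with each listed identifying element's value emptied.
    This is a crude illustration; real pipelines follow PS3.15 and keep audit trails."""
    out = bytearray(data[:132])
    for (group, element), vr, value in iter_elements(data):
        if (group, element) in PHI_TAGS:
            value = b""
        out += encode_element(group, element, vr, value)
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_file()
    for name, value in sorted(find_phi(sample).items()):
        print(f"{name}: {value}")
    print("redacted copy still has PHI:", needs_deidentification(redact_phi(sample)))
```

Run against a real export, the same `find_phi` pass is a quick inventory check before images leave a controlled network; a non-empty result on a file that is supposed to be de-identified means the pipeline missed an attribute.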

The images contained patient data that could be used for insurance fraud, identity theft, and medical identity theft. The information could also be used to extort patients or to craft highly convincing spear-phishing emails.

Although no evidence was found during the investigation that any of the exposed data had been copied and published online, the possibility of data theft cannot be ruled out.

PACS are designed to let healthcare professionals access images conveniently, but the systems generally lack security controls that limit access. Healthcare delivery organizations (HDOs) are responsible for putting safeguards in place to protect their PACS, but HDOs can struggle to manage vulnerabilities and secure their systems without disrupting clinical workflows.

To help address the issue, the National Cybersecurity Center of Excellence (NCCoE) recently released new guidance for HDOs on strengthening security controls on PACS and reducing risk without adversely affecting user productivity and system performance.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone