Based on a recent investigation by ProPublica, Bayerischer Rundfunk (a German public broadcaster), and Greenbone Networks (vulnerability and analysis firm, 24.3 million medical images in medical image storage systems are publicly accessible on the internet and does not need authentication to view or download the images.
Those images, which consist of CT scans, X-rays, and MRI, are stored in picture archiving and communications systems (PACS) linked to the web.
Greenbone Networks audited 2,300 Internet-connected PACS from July to September 2019 and established a RadiAnt DICOM Viewer to acquire the images saved on open PACS servers.
Those servers were observed to have about 733 million medical images of which 399.5 million can be accessed and downloaded. The researchers discovered 590 servers required no authentication in order to view the medical images.
PACS utilize the digital imaging and communications in medicine (DICOM) standard to view, process, keep, and transfer the images. In many cases, a DICOM viewer would be needed to access the images, yet in certain cases, all that is necessary is a web browser or a couple of lines of code. Anybody with basic computer knowledge could view and download the images.
The exposed PACS were seen in 52 countries and the maximum concentration of unprotected PACS, which is 187, were identified in the United States. The unsecured U.S. PACS contained 13.7 million data sets and 303.1 million medical images of about 5 million U.S. patients.
The researchers identified over 10,000 security problems on the audited systems. There were 20% high-severity issues and 500 critical issues and had a CVSS v3 score of 10.
The images consisted of personal and medical information such as patients’ names, dates of birth, scant date, range of the investigation, type of imaging process conducted, institute name, attending doctors’ names, and the amount of generated images. A few of the images also included Social Security numbers.
The images contained patient information that could be used for identity theft, insurance fraud, and medical identity theft. The data could also be employed for extortion of patients or the creation of very convincing spear-phishing emails.
Although there was no proof discovered that indicate any of the exposed information was copied and posted on the internet during the investigation, the probability of data theft can’t be ruled out.
PACS are created to allow healthcare experts to access the images quickly, but the systems usually lack security measures to restrict access. It is the duty of healthcare delivery organizations (HDOs) to make sure to implement safeguards to secure their PACS, but HDOs can encounter big challenges dealing with vulnerabilities and securing their systems without negatively impacting workflows.
To help deal with the problem, the National Cybersecurity Center of Excellence (NCCoE) recently issued new guidance for HDOs to enhance security controls on PACS and minimize risks without negatively impacting user productivity and system performance.