New research carried out by Greenbone Networks has revealed that over 24 million records of X-ray, CT, MRI, and other medical scans can be viewed by anyone with an Internet connection, because the Picture Archiving and Communication Systems (PACS) storing them are reachable from the public internet without access control.
The security research firm found that of 2,300 PACS servers used worldwide by healthcare organisations to store medical image records, 590 are freely accessible on the internet because they lack adequate protection.
These unprotected archive systems potentially expose the confidential medical information of millions of people in 52 countries: besides the scans themselves, the records they hold include patients' names, dates of birth, dates of examination, and other details.
PACS systems based on protocol developed in the 1980s
The medical data archive systems are based on the Digital Imaging and Communications in Medicine (DICOM) protocol, which allows healthcare professionals across the world to share medical reports, scans, and other data with each other.
The DICOM protocol was standardised in the 1980s and, on its own, authenticates nothing: a server identifies its peer only by the "application entity" title the peer claims, with transport encryption and authentication left to optional TLS profiles rather than enabled by default. Greenbone Networks found that 39 of the exposed archive systems serve patient data through an unencrypted HTTP web viewer with no access control at all, and that a number of other servers allow anyone with an internet connection to retrieve the individual image data of any patient.
The firm added that more than 737 million images linked to patient data are held on PACS servers connected to the public internet, and that 400 million of these images can be viewed and downloaded over the internet.
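The "no password" condition described above can be verified directly, because a DICOM association carries no credential: the client names itself and the server with two 16-byte application entity (AE) titles and proposes what it wants to do, and the server either accepts or rejects. The following is an added example, not Greenbone's scanner or any project's code, that builds the A-ASSOCIATE-RQ for the Verification service (the C-ECHO handshake), sends it to a DICOM listener and classifies the first PDU that comes back. The host, port, AE titles and implementation class UID are assumptions; the two sample reply PDUs are constructed fixtures, not captured traffic.

```python
"""Minimal DICOM association probe for a PACS listener (handshake only, no C-ECHO/C-FIND).

Added example, not Greenbone's scanner or any project's code. It builds an
A-ASSOCIATE-RQ proposing the Verification SOP Class, sends it to a DICOM port
and classifies the first PDU that comes back. Host, port, AE titles and the
implementation class UID below are assumptions.
"""
import socket
import struct

APP_CONTEXT_UID = "1.2.840.10008.3.1.1.1"      # DICOM Application Context Name
VERIFICATION_SOP = "1.2.840.10008.1.1"         # Verification SOP Class (C-ECHO)
IMPLICIT_VR_LE = "1.2.840.10008.1.2"           # Implicit VR Little Endian transfer syntax
IMPL_CLASS_UID = "1.2.826.0.1.3680043.9.9999"  # assumed, illustrative implementation class UID


def _item(item_type: int, body: bytes) -> bytes:
    """Variable item / sub-item: type, reserved byte, 2-byte big-endian length, body (PS3.8)."""
    return struct.pack(">BBH", item_type, 0, len(body)) + body


def _ae(title: str) -> bytes:
    """AE titles are 16 bytes, space padded; they are the only 'identity' in the handshake."""
    return title.ljust(16)[:16].encode("ascii")


def build_associate_rq(calling_ae: str, called_ae: str, pc_id: int = 1) -> bytes:
    """A-ASSOCIATE-RQ PDU (PS3.8 section 9.3.2) proposing Verification over Implicit VR LE."""
    pres_ctx = (struct.pack(">BBBB", pc_id, 0, 0, 0)        # context ID (odd), 3 reserved bytes
                + _item(0x30, VERIFICATION_SOP.encode())    # abstract syntax
                + _item(0x40, IMPLICIT_VR_LE.encode()))     # transfer syntax
    user_info = (_item(0x51, struct.pack(">I", 16384))      # maximum PDU length we accept
                 + _item(0x52, IMPL_CLASS_UID.encode()))    # implementation class UID
    body = (struct.pack(">HH", 1, 0)                        # protocol version 1, reserved
            + _ae(called_ae) + _ae(calling_ae) + bytes(32)  # called AE, calling AE, reserved
            + _item(0x10, APP_CONTEXT_UID.encode())
            + _item(0x20, pres_ctx)
            + _item(0x50, user_info))
    return struct.pack(">BBI", 0x01, 0, len(body)) + body   # PDU type, reserved, PDU length


def parse_response(pdu: bytes) -> dict:
    """Classify the server's first PDU: AC (open to us), RJ (AE-title gate), A-ABORT, or other."""
    if len(pdu) < 6:
        return {"status": "unknown", "detail": "short read"}
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    body = pdu[6:6 + length]
    if pdu_type == 0x02:                                    # A-ASSOCIATE-AC
        called_ae = body[4:20].decode("ascii", "replace").strip()
        accepted, pos = [], 68                              # variable items follow the fixed fields
        while pos + 4 <= len(body):
            itype, _, ilen = struct.unpack(">BBH", body[pos:pos + 4])
            item = body[pos + 4:pos + 4 + ilen]
            if itype == 0x21 and len(item) >= 4 and item[2] == 0:  # context result 0 = accepted
                accepted.append(item[0])
            pos += 4 + ilen
        return {"status": "accepted" if accepted else "accepted-no-context",
                "called_ae": called_ae, "accepted_contexts": accepted}
    if pdu_type == 0x03:                                    # A-ASSOCIATE-RJ: reserved, result, source, reason
        return {"status": "rejected", "result": body[1], "source": body[2], "reason": body[3]}
    if pdu_type == 0x07:                                    # A-ABORT
        return {"status": "aborted"}
    return {"status": "unknown", "detail": "pdu type 0x%02x" % pdu_type}


def probe(host: str, port: int = 104, calling_ae: str = "PROBE", called_ae: str = "ANY-SCP",
          timeout: float = 5.0) -> dict:
    """Send the request to a listener you are authorised to test and classify the reply (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(calling_ae, called_ae))
        data = sock.recv(6)
        if len(data) < 6:
            return {"status": "unknown", "detail": "no PDU header"}
        total = 6 + struct.unpack(">I", data[2:6])[0]
        while len(data) < total:                            # read the rest of the PDU
            chunk = sock.recv(total - len(data))
            if not chunk:
                break
            data += chunk
        result = parse_response(data)
        if result["status"].startswith("accepted"):         # release cleanly with A-RELEASE-RQ
            sock.sendall(struct.pack(">BBI", 0x05, 0, 4) + bytes(4))
        return result


def sample_associate_ac(called_ae: str = "ANY-SCP", pc_id: int = 1) -> bytes:
    """Constructed A-ASSOCIATE-AC as an unauthenticated server would reply (fixture, not captured traffic)."""
    pres_ctx = struct.pack(">BBBB", pc_id, 0, 0, 0) + _item(0x40, IMPLICIT_VR_LE.encode())  # result 0
    body = (struct.pack(">HH", 1, 0) + _ae(called_ae) + _ae("PROBE") + bytes(32)
            + _item(0x10, APP_CONTEXT_UID.encode()) + _item(0x21, pres_ctx)
            + _item(0x50, _item(0x51, struct.pack(">I", 16384))))
    return struct.pack(">BBI", 0x02, 0, len(body)) + body


# Constructed A-ASSOCIATE-RJ: result 1 (permanent), source 1 (service user), reason 7 (called AE title not recognised)
SAMPLE_RJ = struct.pack(">BBI", 0x03, 0, 4) + bytes([0, 1, 1, 7])

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 104))
```

An "accepted" result from an internet-facing listener is the condition the article describes: the server talked to an arbitrary client that presented nothing but a made-up AE title. Two caveats matter in practice. First, a rejection with source 1 and reason 7 means the server filters on the called AE title, which is a name check, not authentication, and is defeated by guessing or observing the title. Second, an accepted association proves only that the handshake is open; whether C-FIND or C-MOVE then hands out patient records depends on the server's per-AE configuration, so confirm retrieval separately. The HTTP web viewers mentioned above are a different check altogether (a plain unauthenticated GET), and any probing should be confined to systems you own or are authorised to test.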
According to the study, around 1,500 medical records of UK patients, including X-ray, CT, MRI, and other scans, with some 5,000 associated images, are publicly accessible because the PACS servers holding them have no protection against public access.
The exposure is far worse for patients in the United States: the researchers counted 13.7 million data sets pertaining to US patients in the exposed PACS servers, with nearly 46 million associated images that can be downloaded from the internet.
“The data pertaining to millions of patients is there for anyone to access simply because of the careless configuration of these medical archiving servers. A significant number of these servers have no protection at all, they aren’t password-protected and have no encryption,” said Dirk Schrader, cyber resilience architect at Greenbone Networks.
“Indeed, everyday internet users could gain access to these servers with very little effort – there’s no need to write any code or deploy any specialist hacking tools. Health providers need to act now to secure their systems, not just because they could be in breach of regulations such as GDPR in the EU and HIPAA in the US, but because they are putting their patients at risk.
“This data could be used to commit identity theft, highly specialized phishing campaigns or even for extortion, where medical information is weaponized to blackmail people in the public eye,” he added.
Healthcare organisations must implement monitoring controls
Commenting on the exposure of millions of medical records by healthcare organisations' reliance on a legacy protocol, Javvad Malik, security awareness advocate at KnowBe4, said that while it is important for patients' medical information to be readily available to healthcare providers and hospitals, particularly in an emergency, this should not translate into having all information available at all times.
“Monitoring controls should be in place to ensure that any medical records are viewed, even by medical staff, only if there is a valid clinical or administrative reason. It’s worrying that not only were these medical records publicly available, but it appears as if there is no internal audit process in place to validate if access is warranted,” he said.
According to Sam Curry, chief security officer at Cybereason, while it is still premature to claim that all the medical records may have already been accessed by hackers, everyone should assume their personal information has already been stolen many times over as nation-state hackers are persistent and are very successful in breaching systems.
“The healthcare industry as a whole needs to rethink its strategy around network detection and start taking the fight to the hacker by going on the offensive with more advanced technologies and services that will stop threats before they ever materialize,” he added.