
Medical

(@deborah)
Member Admin
Joined: 12 years ago
Posts: 267
Topic starter  

Every day, millions of new medical images containing the personal health information of patients are spilling out onto the internet.

Hundreds of hospitals, medical offices and imaging centers are running insecure storage systems, allowing anyone with an internet connection and free-to-download software to access over 1 billion medical images of patients across the world.

About half of all the exposed images, which include X-rays, ultrasounds and CT scans, belong to patients in the United States.

Yet despite warnings from security researchers who have spent weeks alerting hospitals and doctors’ offices to the problem, many have ignored their warnings and continue to expose their patients’ private health information.

“It seems to get worse every day,” said Dirk Schrader, who led the research at Germany-based security firm Greenbone Networks, which has been monitoring the number of exposed servers for the past year.

The problem is well-documented. Greenbone found 24 million patient exams storing more than 720 million medical images in September, which first unearthed the scale of the problem as reported by ProPublica. Two months later, the number of exposed servers had increased by more than half, to 35 million patient exams, exposing 1.19 billion scans and representing a considerable violation of patient privacy.

But the problem shows little sign of abating. “The amount of data exposed is still rising, even considering the amount of data taken offline due to our disclosures,” said Schrader.

If doctors fail to take action, he said the number of exposed medical images will hit a new high “in no time.”

 

Over a billion medical images remain exposed. Experts say the number is getting worse, not better. (Image: supplied)

 

Researchers say the problem is caused by a common weakness found on the servers used by hospitals, doctors’ offices and radiology centers to store patient medical images.

A decades-old file format and industry standard known as DICOM was designed to make it easier for medical practitioners to store medical images in a single file and share them with other medical practices. DICOM images can be viewed using any of the free-to-use apps, as would any radiologist. DICOM images are typically stored in a picture archiving and communications system, known as a PACS server, allowing for easy storage and sharing. But many doctors’ offices disregard security best practices and connect their PACS server directly to the internet without a password.

These unprotected servers not only expose medical imaging but also patient personal health information. Many patient scans include cover sheets baked into the DICOM file, including the patient’s name, date of birth and sensitive information about their diagnoses. In some cases, hospitals use a patient’s Social Security number to identify patients in these systems.

Lucas Lundgren, a Sweden-based security researcher, spent part of last year looking at the extent of exposed medical image data. In November, he demonstrated to TechCrunch how easy it was for anyone to view medical data from exposed servers. In just a few minutes, he found one of the largest hospitals in Los Angeles exposing tens of thousands of patients’ scans dating back several years. The server was later secured.

Some of the largest hospitals and imaging centers in the United States are the biggest culprits of exposing medical data. Schrader said the exposed data puts patients at risk of becoming “perfect victims for medical insurance fraud.”

Yet, patients are unaware that their data could be exposed on the internet for anyone to find.

The Mighty, which examined the effect on patients, found exposed medical information puts patients at a greater risk of insurance fraud and identity theft. Exposed data can also erode the relationship between patients and their doctors, leading to patients becoming less willing to share potentially pertinent information.

As part of our investigation, we found a number of U.S. imaging centers storing decades of patient scans.

One patient, whose information was exposed following a visit to an emergency room in Florida last year, described her exposed medical data as “scary” and “uncomfortable.” Another with a chronic illness had regular scans at a hospital in California over a period of 30 years. And one unprotected server at one of the largest military hospitals in the United States exposed the names of military personnel and medical images.

But even in cases of patients with only one or a handful of medical images, the exposed data can be used to infer a picture of a person’s health, including illnesses and injuries.


   
(@deborah)
Member Admin
Joined: 12 years ago
Posts: 267
Topic starter  

Better training on internet use could help with this massive issue. I read an article that stated patient X-rays and other tests are readily available and not secured that almost anyone can access with basic skills. Some servers were unprotected by passwords. This is a very troublesome issue that I did not know was so huge.


   
(@carliecannestroiectskin-com)
Member
Joined: 5 years ago
Posts: 64
 

Me neither. This reminds me of the steamers/maglamps at work where the front desk will order the cheapest possible one because they don't really know anything about steamers and maglamps and think just any one will do. I feel like maybe it's the same way.


   
(@mikaylaalleniectskin-com)
Member
Joined: 5 years ago
Posts: 71
 

You would think how much they charge people they could get proper security for their files online lol


   
(@angierodrigueziectskin-com)
Member
Joined: 6 years ago
Posts: 45
 

This is totally unacceptable. If they are aware of this security issue, this needs to be changed immediately with penalties. At first I was thinking why would anyone want to have your pictures of x-rays, etc. but soon after I read, they also get access to very personal information that can be quite damaging to a person. If they get personal things like social security numbers, names, addresses, this all can be used to steal an identity, and many more fraud schemes.


   
(@gabriellemrasiectskin-com)
Member
Joined: 4 years ago
Posts: 106
 

I think this for sure needs to be dealt with and fixed; this is unacceptable. Americans pay so much money towards doctors' offices and visits just to have their personal and health information leaked for millions of others to see? There should be no reason whatsoever why these doctors' offices can't pay for an appropriate high-quality security system, because like I said, Americans pay hundreds and hundreds of dollars to health insurance and doctors' offices; this is just them being cheap and not wanting to pay for something potentially expensive. Better to have a lawsuit on their hands for violating HIPAA, which I think would cost way more than purchasing a better security system, but that's just me.


   
(@gabriellemrasiectskin-com)
Member
Joined: 4 years ago
Posts: 106
 

@angierodrigueziectskin-com

I agree, people can have their social security stolen and their credit card information. It's not even just X-rays and MRIs etc.; it's the personal information that can cause serious issues for a person.


   
(@sydneyhurdleiectskin-com)
Member
Joined: 1 year ago
Posts: 158
 

Doctors' offices, hospitals, and much more need to better protect personal health information. People spend hundreds and thousands of dollars to be seen by a provider; the last thing patients should have to worry about is their private health information being leaked. Huge HIPAA violation, disappointing.


   
(@sydneyhurdleiectskin-com)
Member
Joined: 1 year ago
Posts: 158
 

@gabriellemrasiectskin-com I couldn't agree more, there's no excuse as to why doctors shouldn't have an appropriate high quality security system for private patient information documents, images, and more.


   
(@sydneyhurdleiectskin-com)
Member
Joined: 1 year ago
Posts: 158
 

@angierodrigueziectskin-com this also opened my eyes to how patients' social security information could be stolen, leading to identity theft. Shame on the American health system for this.


   