TechCrunch broke news of research last Friday that a billion medical images are exposed online, as doctors ignore warnings. Discovered by German cybersecurity firm Greenbone Networks, the exposure follows a similar report from the company in September that detailed 24 million medical records on 590 online medical image archive systems. Two months later, the firm reported that the number of exposed servers had increased by more than half, to 35 million patient exams, exposing 1.19 billion scans and representing a considerable violation of patient privacy. Researchers pointed to the decades-old Picture Archiving and Communication System (PACS) and DICOM, the industry-standard file format.
It's unfortunate that, in today's environment with HIPAA, researchers are discovering these medical images are openly available on internet-connected servers. Having these images exposed on a server directly connected to the internet without any authentication is just like organizations leaving the images in a filing cabinet outside the front door of their practice, readily available for anyone to view, steal or download.
From a technology standpoint, it is not difficult to secure the images and still make them available for other practices that need them. If an organization is audited and discovered to have large security vulnerabilities with their equipment, the cost of implementing technology to secure the systems will be significantly lower than the potential millions of dollars in fines from HIPAA. It's not a matter of if they are audited, but when they are audited. Organizations need to embrace and embed a security culture mindset, including security awareness training for their employees, to reduce the risk of data breaches and damage to the organization.
For the people who have their images stored by these organizations, they will want to make sure to monitor their credit accounts for possible identity theft that can stem from the information stored on the medical images. In today's society, active monitoring of your bank accounts and credit accounts, and consideration of freezing your Social Security number, is needed to prevent unauthorized access to your credit and possible loss of money.
What we are seeing here is a breakdown between the desire for privacy and the ease of access to the data. On one hand, there is a push to make medical information more easily available between providers; on the other, there is a failure to secure this information.
While we can expect doctors and nurses to be excellent caregivers, we cannot always expect them to be experts in securing customer information such as this. The platforms being used must do a better job of preventing this sort of disclosure by building security into the design and architecture in ways that are more difficult to be misconfigured or to be bypassed, even inadvertently.
This exposure is full of very sensitive information that, given the possible fines related to unauthorized disclosures, carries a great deal of risk for the healthcare providers and organizations. The sheer volume of records exposed is a testament to the enormity of the problem being faced, but perhaps equally as concerning is the fact that many of these records remain exposed even after the offending organization has been contacted about the issue. If you are in an industry that handles potentially sensitive information, especially at a large scale such as this, it is imperative that there is a process to report and deal with potentially exposed data quickly and concisely.
This astonishing disclosure shows how toothless the United States HIPAA regulations are, and how lax healthcare providers have become when storing patient data. This should serve as a wake-up call for providers to take a fresh look at how they process, maintain, and safeguard patient-identifiable photos.
Generally speaking, in this kind of situation, it’s the configuration of the network which is at fault before anything else. No system handling sensitive data should be accessible from the internet without the need for a VPN or some strong authentication method. The DICOM protocol itself was developed a long time ago and did not take into consideration the implications of cybersecurity.
It is often the case when legacy applications are moved from fortified data centers into cloud environments that data leaks occur. Those applications and databases may not have the adequate security considerations to guarantee confidentiality of data. Therefore, it is necessary to resort to technologies like Secure Software Defined Networks to provide deployment security.
The massive amount of data sets, combined with the number of freely accessible PACS systems that were configured in similar ways, shows that protecting data is still a major challenge for organizations in all verticals. While it is not always possible to prevent malicious access, sophisticated data protection is a must when processing and storing sensitive information, especially PII and healthcare records. These are core requirements of data privacy regulations like HIPAA and GDPR, and there might be fines coming up for this.