Expert Comments

Over 1 Billion Medical Records Exposed Online – Experts Comments

Expert(s): Security Experts
Expert(s): Security Experts

TechCrunch broke news of research last Friday that A billion medical images are exposed online, as doctors ignore warnings.  Discovered by German cybersecurity firm Greenbone Networks, the exposure follows a similar report from the company in September that detailed 24 million medical records on 590 online medical image archive systems. Two months later, the firm detailed the number of exposed servers had increased by more than half, to 35 million patient exams, exposing 1.19 billion scans and representing a considerable violation of patient privacy. Researchers pointed to a decades-old Picture Archiving and Communication System (PACS) and DICOM, a file format industry standard.

Experts Comments

Dot Your Expert Comments
James McQuiggan
January 14, 2020
Security Awareness Advocate
KnowBe4

Organizations need to embrace and embed a security culture mindset.
It's unfortunate that in today's environment with HIPAA, that researchers are discovering these medical images are openly available on internet-connected servers. Having these images exposed on a server directly connected to the internet without any authentication is just like organizations leaving the images in a filing cabinet outside the front door of their practice readily available for anyone to view, steal or download. From a technology standpoint, it is not difficult to secure the.....Read More
It's unfortunate that in today's environment with HIPAA, that researchers are discovering these medical images are openly available on internet-connected servers. Having these images exposed on a server directly connected to the internet without any authentication is just like organizations leaving the images in a filing cabinet outside the front door of their practice readily available for anyone to view, steal or download. From a technology standpoint, it is not difficult to secure the images and still make them available for other practices that need them. If an organization is audited and discovered to have large security vulnerabilities with their equipment, the cost of implementing technology to secure the systems will be significantly lower than the potential millions of dollars in fines from HIPAA. It's not a matter of if they are audited, but when they are audited. Organizations need to embrace and embed a security culture mindset, including security awareness training for their employees to reduce the risk of data breaches and damage to the organization. For the people who have their images stored by these organizations, they will want to make sure to monitor their credit accounts for possible identity theft that can stem from the information stored on the medical images. In today's society, active monitoring of your bank accounts, credit accounts and consideration of freezing your Social Security number is needed to prevent unauthorized access to your credit and possible loss of money.  Read Less
Erich Kron
January 14, 2020
Security Awareness Advocate
KnowBe4

This exposure is full of very sensitive information.
What we are seeing here is a breakdown between the desire for privacy and the ease of access to the data. On one hand, there is a push to make medical information more easily available between providers, on the other is a failure to secure this information. While we can expect doctors and nurses to be excellent caregivers, we cannot always expect them to be experts in securing customer information such as this. The platforms being used must do a better job of preventing this sort of disclosure .....Read More
What we are seeing here is a breakdown between the desire for privacy and the ease of access to the data. On one hand, there is a push to make medical information more easily available between providers, on the other is a failure to secure this information. While we can expect doctors and nurses to be excellent caregivers, we cannot always expect them to be experts in securing customer information such as this. The platforms being used must do a better job of preventing this sort of disclosure by building security into the design and architecture in ways that are more difficult to be misconfigured or to be bypassed, even inadvertently. This exposure is full of very sensitive information that, given the possible fines related to unauthorized disclosures, carries a great deal of risk for the healthcare providers and organizations. The sheer volume of records exposed is a testament to the enormity of the problem being faced, but perhaps equally as concerning is the fact that many of these records remain exposed even after the offending organization has been contacted about the issue. If you are in an industry that handles potentially sensitive information, especially at a large scale such as this, it is imperative that there is a process to report and deal with potentially exposed data quickly and concisely.  Read Less
Colin Bastable
January 14, 2020
CEO
Lucy Security

It’s no wonder healthcare tops the charts every year as the number one at-risk sector for cyber-criminals.
Unfortunately most of the medical world thinks it exists in isolation, in its own private cloud, which is clearly unrealistic. It often appears that most medical professionals don’t understand that so much information is globally accessible. Often, security compliance is managed as a subset of medical compliance, and therefore cybersecurity take a back seat. Insecurity is compounded by the highly fragmented and outsourced nature of the US healthcare landscape. The need for multiple.....Read More
Unfortunately most of the medical world thinks it exists in isolation, in its own private cloud, which is clearly unrealistic. It often appears that most medical professionals don’t understand that so much information is globally accessible. Often, security compliance is managed as a subset of medical compliance, and therefore cybersecurity take a back seat. Insecurity is compounded by the highly fragmented and outsourced nature of the US healthcare landscape. The need for multiple parties to have prompt access to all medical data ensures that convenient access takes precedence over basic authentication and authorization security. It’s no wonder healthcare tops the charts every year as the number one at-risk sector for cyber-criminals.  Read Less
Josh Bohls
January 14, 2020
Founder
Inkscreen

This should serve as a wake-up call for providers.
This astonishing disclosure shows how toothless the United States HIPAA regulations are, and how lax healthcare providers have become when storing patient data. This should serve as a wake-up call for providers to take a fresh look at how they process, maintain, and safeguard patient-identifiable photos.
Mounir Hahad
January 14, 2020
Head
Juniper Threat Labs, Juniper Networks

Those applications and databases may not have the adequate security considerations to guarantee confidentiality of data.
Generally speaking, in this kind of situation, it’s the configuration of the network which is at fault before anything else. No system handling sensitive data should be accessible from the internet without the need for a VPN or some strong authentication method. The DICOM protocol itself was developed a long time ago and did not take into consideration the implications of cybersecurity. It is often the case when legacy applications are moved from fortified data centers into cloud.....Read More
Generally speaking, in this kind of situation, it’s the configuration of the network which is at fault before anything else. No system handling sensitive data should be accessible from the internet without the need for a VPN or some strong authentication method. The DICOM protocol itself was developed a long time ago and did not take into consideration the implications of cybersecurity. It is often the case when legacy applications are moved from fortified data centers into cloud environments that data leaks occur. Those applications and databases may not have the adequate security considerations to guarantee confidentiality of data. Therefore, it is necessary to resort to technologies like Secure Software Defined Networks to provide deployment security.  Read Less
Felix Rosbach
January 14, 2020
Product Manager
comforte AG

The massive amount of data sets combined with the number of freely accessible PACS systems.
The massive amount of data sets combined with the number of freely accessible PACS systems that were configured in similar ways shows that protecting data still is a major challenge for organizations in all verticals. While it is not always possible to prevent malicious access, sophisticated data protection is a must when processing and storing sensitive information – especially PII and healthcare records. These are core requirements of data privacy regulations like HIPAA and GDPR, and there.....Read More
The massive amount of data sets combined with the number of freely accessible PACS systems that were configured in similar ways shows that protecting data still is a major challenge for organizations in all verticals. While it is not always possible to prevent malicious access, sophisticated data protection is a must when processing and storing sensitive information – especially PII and healthcare records. These are core requirements of data privacy regulations like HIPAA and GDPR, and there might be fines coming up for this.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

$2bn Startup Glovo Falls Victim To Cyberattack

Vulnerabilities Found In Wifi-routers

Experts Reaction On REvil/Sodin Behind UnitingCare Breach

Experts On IOS 0-Days Vulnerabilities Discovered

Uni Research Finds That Fertility Apps Collecting And Sharing Sensitive...

44% of Orgs. Report Breaches Due to 3rd Parties, 74%...

92% Of Organisations Who Pay Ransoms Don’t Get All Their...

Experts Comments on World Password Day

Expert Insights On Ransomware Task Force Report

Expert Commentary – Ofcom Warn People Not to Trust Caller...