Imaging data is unprotected online: Five takeaways from ProPublica report

by John R. Fischer, Senior Reporter | September 20, 2019

More than 16 million medical images and records can be easily accessed by online users, a ProPublica report has dug up
An investigation by ProPublica has uncovered more than 16 million medical images and records that can be easily accessed by online users with basic computer skills, because the systems holding them have little or no protection in place.

Conducted with German broadcaster Bayerischer Rundfunk, the investigation found X-ray, MR and CT scans belonging to more than five million Americans and millions of other patients worldwide can be seen using free software programs or a typical web browser. More than 13.7 million medical tests in the U.S. were accessible online, including over 400,000 that came with the option for downloading X-rays and other images.

The outlets identified 187 servers of medical data in doctor’s offices, medical imaging centers and mobile X-ray services across the U.S., all of which lacked any passwords or basic security protocols. Some even ran on outdated operating systems with proven security vulnerabilities.

“This is so utterly irresponsible,” Cooper Quintin, a security researcher and senior staff technologist for the Electronic Frontier Foundation, a digital-rights group, told ProPublica.

While raising questions around the carelessness of the providers charged with managing this data, the findings should be seen as an opportunity or a wake-up call for all providers to ensure their patients’ data is protected. Here are five takeaways from the ProPublica and Bayerischer Rundfunk investigation to help with just that:

1. Have some form of security

The servers identified in the investigation did not even require a password, let alone the basic protections that businesses and government agencies have long treated as standard. The lack of protection not only exposes data to the public but leaves providers at the mercy of attackers.

One doctor in Los Angeles, for instance, had an imaging system holding echocardiograms that could be accessed by anyone with a computer and an internet connection.

“It’s not even hacking,” Jackie Singh, a cybersecurity researcher and chief executive of the consulting firm Spyglass Security, told ProPublica. “It’s walking into an open door.”

2. Know the value of information

Shortly before publishing the story, ProPublica reached out to the companies it identified in its inquiry to inform them of their security vulnerabilities. One enterprise was MobilexUSA, which provides mobile X-ray and imaging services to nursing homes, rehab hospitals, hospice agencies and prisons. The company’s records contained the names of more than a million patients, as well as their dates of birth, the names of their doctors and procedures conducted on them.
