Billions of Medical Images Leaked in Huge Privacy Puzzle

Security researchers say healthcare providers are failing to secure highly sensitive patient medical data. Mind-boggling amounts of health info are just sitting on internet-connected servers, with only a well-known default password—or no password at all.

And it’s despite frequent warnings. The scale of the problem has only grown in recent months.

DevOps Connect:DevSecOps @ RSAC 2022

Imagine that. In today’s SB Blogwatch, we prescribe radical surgery.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Nice pipes (giggity).


What’s the craic, Zack? Mister Whittaker reports—“A billion medical images are exposed online, as doctors ignore warnings”:

 Hundreds of hospitals, medical offices and imaging centers are running insecure storage systems, allowing anyone … to access over 1 billion medical images of patients. … About half of all the exposed images, which include X-rays, ultrasounds and CT scans, belong to patients in the United States.

The problem is well-documented. Greenbone found … more than 720 million medical images in September. … Two months later, [it doubled]. The problem shows little sign of abating.

Medical images … are typically stored in … a PACS server. … But many doctors’ offices disregard security best practices and connect their PACS server directly to the internet without a password. … Some of the largest hospitals and imaging centers in the United States are the biggest culprits.

Many patient scans include … the patient’s name, date of birth and sensitive information about their diagnoses. … Yet, patients are unaware that their data could be exposed on the internet for anyone to find.

HIPAA created the “security rule” … designed to protect electronic personal health information. … The law also holds healthcare providers accountable for any security lapses [which] can lead to severe penalties. … Experts who have warned about exposed servers for years say medical practices have few excuses.

And Renée Fabian adds—“Unsecured Medical Images Are an Underrated Threat”:

 Compromised medical data is life-altering — worse than having your financial information stolen — and in some cases, even life-threatening. … But the general public still has their eyes on financial identity theft as the bigger threat.

However, when your health-related information is used by someone else … it can have a much bigger impact than stolen financial data. … Here’s how:

Errors in your medical record constitutes one of the biggest dangers. … A diagnosis you don’t have, medication you’re allergic to, the wrong blood type or treatments you never actually get [can] make it into your permanent health care file. [So] you may end up in a situation where you’re treated with something that’s harmful.

You could also fail a physical job exam because a medical condition you don’t have ends up in your medical record. … It puts you at greater risk of discrimination, especially at work.

Your legitimate [insurance] claims may be denied. The company may flag or cancel your policy because of a suspicious number of claims or another person’s information on your record. [Or] you may be denied health or life insurance in the future.

Medical data includes more personal information than your financial data, which is why it sells for an estimated 10 times as much on the dark web. … Criminals get more bang for their buck out of your health data.

Are you sure we’re not hyping this up a bit? Mark Davis is horrified:

 Images, as actually used, usually do contain demographics. But they also often contain indications and sometimes diagnosis and treatments. Those are the absolute most sensitive of all information.

Indications are the reason for the image and would be something like “suspected pneumonia.” Diagnoses are official labels of sickness/illness/disease, like “AIDS.”

I can’t overstate how bad disclosing such information is, when it comes to protecting privacy.

Specifically, what are the legalities? Here’s Oliver Jones:

 It’s possible to see so-called “protected health information” (PHI) in these images. … HIPAA and ARRA 2009 (followon legislation) made it a federal crime to knowingly or negligently disclose PHI.

Natural persons can be tried and convicted, even if they were acting on behalf of corporations. … The Centers for Medicare and Medicaid Services (CMS) has a Breach Notification Rule, requiring holders of data to notify patients and CMS themselves if PHI is breached.

It wouldn’t surprise me if the people involved in securing these sloppily configured … servers are in a state of panic. … I was involved in dealing with an unintentional breach of 44 patient records a few years back, and yeah … it stinks to be them.

So doctors are to blame? prostheticvamp thinks that’s too simplistic:

 I have never, in all my years of working in healthcare, seen a hospital or physicians office directly install and manage PACS. They pay a third-party—usually the vendor—to install, configure, and walk them through it.

Healthcare-related technologically was largely pushed on the industry via legislation. … When a technology is forced on you at a loss, from a vendor with little incentive to optimize ease of use or utility, you get a terrible piece of **** that no one wants to invest more time and money into than absolutely needed.

When it comes to healthcare, everything is always the doctor’s fault. It’s convenient to have a single target to blame. … Never mind that most physicians are just employees … in massive organizations, with extremely heavy regulatory oversight.

If an organization that runs three hospitals can’t … secure their PACS system with a decent password, that’s the fault of the physician about as much as it’s the fault of the nurse, the janitor, the cafeteria chef, etc. … We’re just line workers. We try to do our best by patients, but we ain’t in charge of anything.

OK, but what can IT do about it? imidan’s suggestion is clouded by their gender presumption:

 The IT guy needs to talk to the lawyer and the insurance guy. The lawyer will **** his pants at the HIPAA violation, and the insurance guy will **** his pants at the likely cost of judgment for the inevitable prosecution.

The three of them can go to the person in charge and explain the problem in terms of the technical, legal, and financial. When it’s clear that the fallout of prosecution includes fines so big they make the practice uninsurable, jail time for personnel who wantonly violated, and the loss of license for doctors, I would hope they’d listen.

It gets worse. wswope has this head-meets desk moment:

 Fun experiment: use Google Maps API to search a major US metro area for medical practices. Pick out any websites that don’t use TLS. Crawl them for HTML forms that include common PHI keywords. You’ll find a lot.

Meanwhile, what of our neighbors to the north? Here’s ceoyoyo:

 Here in Canada, hospitals are super paranoid about their PACS. As originally designed, PACS really couldn’t transmit images over the Internet at all, and most hospitals still have it configured that way.

And Finally:

Riccardo Bonci is going straight to Heck

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Stephen Hampshire (cc:by)

Richi Jennings

Featured eBook
The Dangers of Open Source Software and Best Practices for Securing Code

The Dangers of Open Source Software and Best Practices for Securing Code

More and more organizations are incorporating open source software into their development pipelines. After all, embracing open source products such as operating systems, code libraries, software and applications can reduce costs, introduce additional flexibility and help to accelerate delivery. Yet, open source software can introduce additional concerns into the development process—namely, security. Unlike commercial, or ... Read More
Security Boulevard

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 370 posts and counting.See all posts by richi