The problem of unfettered access to medical images and data on unprotected servers appears to be getting worse.
An estimated 1.19 billion images associated with unprotected medical studies were found to be available on medical archives connected to the Internet, according to ongoing research on healthcare organization servers that contain unprotected images and other personal health information.
The latest estimate was revealed in a blog on Monday by Greenbone Networks, a German company that offers an open-source solution for vulnerability analysis and management.
In an updated report, Greenbone found that the number of images associated with unprotected medical studies is up 60 percent from the 737 million images it found last fall. The 1.19 billion images were related to 35 million studies, up 40 percent from 24.5 million studies of patients from around the world last fall.
Greenbone's earlier research was detailed in September in ProPublica, and it had hoped to see progress in protecting medical images.
"To find even more studies, with more images related to them, isn't what we expected to see," Greenbone noted in the blog. "For most of the systems we scrutinized we had—and still have—continued access to the personal health information" associated with the images.
Greenbone's research has found that hundreds of hospitals, medical offices and imaging centers are using insecure storage systems—the lack of security enables anyone with an Internet connection and easily downloadable software to access medical images of patients. About half of the exposed images—including X-rays, ultrasound and CT scans—are from patients in the U.S.
The images are in DICOM format, typically stored on a server linked to a picture archiving and communications system (PACS) to permit easy storage and sharing. Many providers leave these servers connected to the Internet, without a password, to facilitate sharing. Greenbone contends that unprotected servers also expose patients' personal health information that's associated with the images, available on digital "cover sheets" connected to the DICOM files.
In the U.S., "not only did the aggregated numbers rise to a disturbing level, we also found some alarming data sets stored in unprotected PACS systems," the Greenbone blog noted. "One very large archive allows full access to PHI, including all images related to the 1.2 million examinations, in addition—for about 75 percent of the individual names stored—it also discloses the Social Security numbers."
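As an added example (not from the article or from Greenbone), the following script shows how a defender could check their own firewall logs for the exposure described above: accepted inbound connections to the standard DICOM listener ports from addresses outside the internal network. The key=value log format, the sample lines and the port set are assumptions.

```python
import ipaddress
import re

# Standard DICOM listener ports: 104 (acr-nema) and 11112 (IANA "dicom").
DICOM_PORTS = {104, 11112}

# Source ranges treated as internal (RFC 1918); sites with other trusted
# ranges (e.g. a VPN pool) pass them in as trusted_networks.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOGS = """\
2020-01-13T10:01:02Z action=ACCEPT src=203.0.113.45 dst=10.20.0.15 dport=104 proto=tcp
2020-01-13T10:01:05Z action=ACCEPT src=10.20.1.8 dst=10.20.0.15 dport=11112 proto=tcp
2020-01-13T10:02:11Z action=ACCEPT src=198.51.100.7 dst=10.20.0.15 dport=11112 proto=tcp
2020-01-13T10:02:30Z action=ACCEPT src=192.0.2.9 dst=10.20.0.15 dport=443 proto=tcp
2020-01-13T10:03:00Z action=DROP src=198.51.100.8 dst=10.20.0.15 dport=104 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def find_external_dicom_access(log_text, trusted_networks=()):
    """Return accepted connections to DICOM ports from addresses that are
    neither RFC 1918 nor in trusted_networks (an iterable of CIDR strings)."""
    trusted = INTERNAL_NETWORKS + [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "ACCEPT":
            continue  # unparsable, or blocked at the firewall: not an exposure
        if int(m["dport"]) not in DICOM_PORTS:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in trusted):
            continue  # internal or explicitly trusted source
        findings.append({"time": m["ts"], "src": str(src),
                         "pacs": m["dst"], "port": int(m["dport"])})
    return findings


if __name__ == "__main__":
    for f in find_external_dicom_access(SAMPLE_LOGS):
        print(f"{f['time']} external {f['src']} reached PACS {f['pacs']}:{f['port']}")
```

Any hit means the PACS accepts DICOM associations from the Internet; the fix is to restrict the listener to internal ranges or a VPN rather than to tune the check.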
Another archive appears to hold data from military personnel, including their DoD ID, when the names of the institutions are used as an indicator.
Greenbone's report can be accessed here.
Healthcare organizations need to step up efforts to protect images, says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.
"Generally speaking, in this kind of situation, it's the configuration of the network which is at fault before anything else," Hahad says. "No system handling sensitive data should be accessible from the internet without … a VPN or some strong authentication method. The DICOM protocol itself was developed a long time ago and did not take into consideration the implications of cybersecurity.
"It is often the case when legacy applications are moved from fortified data centers into cloud environments that data leaks occur," he adds. "Those applications and databases may not have the adequate security considerations to guarantee confidentiality of data."
Protecting images and data while still providing access to those digital assets as needed requires granular protection for information systems that is difficult for most organizations to manage, according to Appsian CEO Piyush Pandey.
"Health data has increased 878 percent since 2016 with no signs of slowing down and no easy answers," he says. "A critical component to ensuring data integrity is implementing features that place granular security challenges on specific data elements (inside systems and applications) along with features that enhance the organization's ability to see who is accessing sensitive data—from where and on what device."
Security measures should enable users to access only the information that they need, Pandey adds.
"Healthcare organizations can establish strong business policies that are 'data-centric' and can adapt accordingly to various contexts of access," he adds. "Users only (can) gain access to the data they are authorized to view and modify. Thus, providing maximum security and compliance; all without limiting user productivity."