Confidential data about 24.3 million patients freely available on the internet – unprotected image servers to blame

Vulnerability management specialist Greenbone Networks has today released details of new research into the security of the servers used by health providers across the world to store images of X-rays as well as CT, MRI and other medical scans.

Of the 2,300 medical image archive systems worldwide that Greenbone analysed between mid-July and early September 2019, 590 of them were freely accessible on the internet, together containing 24.3 million data records from patients located in 52 different countries. Available data included patient names, dates of birth, dates of examination and some medical information about the reason for examination. For US patients (which make up 13.7 million of the compromised records), it also included Social Security numbers.

More than 737 million images were linked to this patient data, with approximately 400 million of these accessible or easily downloadable via the internet. In addition, 39 of these imaging servers allowed access to patient data via an unencrypted HTTP web viewer, without any level of protection.

Greenbone carried out an analysis of all medical image archiving systems connected to the public internet. These Picture Archiving and Communication Systems (PACS) servers are based on a protocol known as DICOM (Digital Imaging and Communications in Medicine), which – based on the IP protocol – makes it possible for medical professionals to access and share scans and other images. The DICOM standard dates back to the 1980s.

Dirk Schrader, cyber resilience architect at Greenbone Networks, who led the research, said:

“The data pertaining to millions of patients is there for anyone to access simply because of the careless configuration of these medical archiving servers. A significant number of these servers have no protection at all, they aren’t password protected and have no encryption. Indeed, everyday internet users could gain access to these servers with very little effort – there’s no need to write any code or deploy any specialist hacking tools.

“Health providers need to act now to secure their systems, not just because they could be in breach of regulations such as GDPR in the EU and HIPAA in the US, but because they are putting their patients at risk. This data could be used to commit identity theft, highly-specialised phishing campaigns or even for extortion, where medical information is weaponised to blackmail people in the public eye.”

This research was initiated by German broadcaster Bayerischer Rundfunk and US not-for-profit news site ProPublica. To ensure compliance with data protection regulations, Greenbone did not download or view any of the patient data as part of its research and will only be disclosing details of the vulnerable systems to authorised bodies.

A full report into the research – including a breakdown by country – is available