Every day, millions of medical images containing the health information of individual patients are leaked onto the Internet. Hundreds of hospitals, health facilities and image processing centers are using insecure storage systems, opening a hole that allows anyone with an Internet connection to access them. Together, these systems expose a database of billions of images containing sensitive information.
About half of those images – including X-rays, ultrasound and tomography – belong to patients in the United States. The remaining images belong to patients around the world.
Although security researchers have urged hospitals and health centers to pay more attention to this problem, most of them still ignore the warnings and continue to leave patients' sensitive information exposed on the Internet.
Dirk Schrader of Greenbone Networks in Germany, who led the research on the vulnerability, said: “The situation is getting worse.” Over the past year, Schrader and the security research team have been monitoring many image servers and documenting avoidable security holes.
Greenbone Networks has many documents confirming the existence of this painful problem. Specific figures include 24 million tests and medical documents, containing a total of 720 million images, leaked in September. Two months later, the number of leaked images had doubled: about 35 million tests were leaked, revealing a total of 1.19 billion patient-related images.
But figures in the millions and billions have not served as a wake-up call for those inside the industry. “The amount of data exposed is increasing day by day, which is how we calculated the amount of new data that was disconnected from the Internet because of leaks,” security researcher Schrader said.
If doctors refuse to take the necessary security measures, the numbers just mentioned will soon reach a new high, a record that no one wants to hold.
The researchers say the source of the problem lies in weaknesses still found on the storage servers used by hospitals, doctors’ offices, and medical imaging data centers. Most medical facilities save patient data in a decades-old (and also industry-standard) file format called DICOM, which is designed to store medical images in a single file and make them easy to share between health facilities.
Anyone can view archived images in DICOM format with a free application. DICOM images are stored in a picture archiving and communication system, called a PACS server, which makes them easy to save and share. However, most health facilities skip the password setup for their PACS servers and connect them to the Internet unprotected.
With these servers exposed for anyone to see, patients' sensitive information can fall into the hands of anyone with an Internet connection. The images also include the patient's name and date of birth along with the diagnosis (sometimes sensitive). Some American hospitals also use social security numbers to identify patients easily.
Lucas Lundgren, a Swedish security researcher, spent a lot of time in 2019 monitoring hospital data security issues. In November, he showed a TechCrunch reporter how easy it is to access hospital data: in just a few minutes, Lundgren had access to patient data from a few years ago, exposed on the server of one of the largest hospitals in Los Angeles. Shortly afterward, hospital management took the necessary security steps.
In the US, some of the nation’s largest hospitals and many image processing facilities are where the most holes exist. Schrader is concerned that these unprotected sources of information will turn patients into “perfect victims for fraudulent appropriations for health insurance.”
But the victims, patients who have been treated, are unaware that their confidential information is on the Internet. These exposures will erode the trust between patient and doctor, causing patients to withhold the vital information necessary for an accurate diagnosis.
In an effort to help fix the security holes, Greenbone contacted more than a hundred organizations that owned unsafe servers. Many small facilities quickly corrected their mistakes, but when the cybersecurity company contacted the 10 largest organizations on the long list, which account for a fifth of the leaked data, “there was no response.”
Greenbone gave TechCrunch a list of organizations so that TechCrunch could contact them directly to clarify the issue. Of the three hospitals in New York, an X-ray company in Florida and a large hospital in California, only the Northeast Florida Radiological Company took measures to ensure the safety of its server.
Based on Greenbone data, the Northeast X-ray Company had the largest leak in the United States, with more than 61 million images of 1.2 million patients. After receiving a wake-up call from TechCrunch, the company realized the problem was serious.
According to Schrader, if the rest of the organizations in the US disconnect their storage servers from the Internet, nearly 600 million sensitive images will “disappear” from cyberspace. This responsibility rests on both sides: health facilities and the relevant authorities. Health facilities need to be aware of the importance of the sensitive data they have on hand, and at the same time the responsible ministries and agencies need to pay more attention to small facilities, where capital to protect data is scarce.
“We will try our best to improve the overall situation of the world, involving many flawed systems,” said security expert Schrader. But he added that he could not do more than that; he could only warn the parties involved as far as possible.
“This is a problem for legal departments.”