A study conducted by the cybersecurity firm CybelAngel has revealed that more than 45 million medical images are stored on unprotected servers and can be easily accessed by unauthorized individuals. Those images, which include X-rays, MRI scans, and CT scans, contain patients' personal and protected health information and are neither encrypted nor password-protected.
The healthcare industry uses Network Attached Storage (NAS) and the Digital Imaging and Communications in Medicine (DICOM) standard for storing, transmitting, and receiving medical images, but the appropriate protections are often missing to ensure that those images, and the PHI they contain, remain private and confidential in the way other stored or transmitted healthcare data is protected.
For the study, CybelAngel scanned more than 4.3 billion IP addresses and identified over 45 million unprotected medical images on more than 2,140 servers in 67 countries, including the United States, the United Kingdom, and Germany.
The images were found to contain up to 200 lines of metadata, and it is in this metadata that the protected health information was found. The metadata included a range of personal information, such as names, dates of birth, and addresses, along with health data such as height, weight, diagnoses, and other details.
The images and metadata could be accessed without any hacking tools, often with no username or password required. In many cases where a login was required, the portal accepted blank usernames and passwords and granted access.
“This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals,” said David Sygula, Senior Cybersecurity Analyst at CybelAngel. “A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”
Patient privacy is being put at risk, but that is not the only issue with the exposure of the images. The data and the images themselves could be used for fraud, such as spear phishing schemes to obtain highly sensitive information like Social Security numbers for identity theft, or for blackmail or ransomware attacks.