Patients Around The World Have Their Data Accessible On The Internet, Research Found

16/09/2019

Gone are the days when data was stored in physical form.

With people generating more data every day, many have turned to digitization, storing data in files and databases. This includes the medical sector, such as hospitals and other healthcare providers. And with the internet, they can speed up and improve the quality of their service in a big way.

But things can go wrong, especially because the internet is a public place, and digital data in files can be copied, moved or even deleted very quickly.

Hospitals offer imaging services such as X-rays, CT and MRI scans. They generally use what are called PACS (Picture Archiving and Communication System) servers to store and access these images.

PACS rely on a standard called DICOM (Digital Imaging and Communications in Medicine), which governs how the servers exchange and archive information about patients and images over a network.

That technology dates back to the 1980s, and by modern standards it is clearly outdated.

According to findings by Greenbone Networks, a security firm based in Germany, PACS servers that communicate using DICOM rely on standard server communication methods, meaning that they work over IP protocols.

In other words, data stored on those servers can be found on the internet.

The report from Greenbone said:

"Our analysis looked at the IP addresses of PACS servers to see which were vulnerable, as well as assess how much confidential patient data is readily available on the internet today."

"As PACS servers store highly confidential data pertaining to the medical records of individuals, access should be heavily restricted so that only certain personnel can view it. However, for many of the archiving systems included in this study, nothing could be further from the truth. Anyone can access a significant number of these systems and, what’s more, they can see everything that’s stored on them."

Most of the unprotected data comes from independent radiologists, medical imaging centers or archiving services.

The data held in PACS can include, but is not limited to: names, dates of birth, dates and details of examinations, treating physicians, clinics, the scans the patients underwent, and more. In countries like the U.S., the data sets also include Social Security numbers.

While databases on PACS can be secured, the data is accessible because many operators configure their systems carelessly.

According to Greenbone, many have no protection in place: they are neither password protected nor encrypted. As a result, anyone with an internet connection can view them with just a few simple actions.

Greenbone was able to access the data without having "to write any special code". Nor, in its words, did "any software vulnerability have to be exploited, or a zero-day attack carried out".

Altogether, the company found more than 24 million records which, combined, contain more than 700 million images (400 million of them downloadable). These unprotected systems are located in 52 countries around the world.

Given how frequent data theft, hacks and impersonation are, the medical sector needs to monitor proactively and continually look for effective measures to combat security threats.