More than 16 million medical images and records
can be easily accessed by online users,
a ProPublica report has dug up

Imaging data is unprotected online: Five takeaways from ProPublica report

September 20, 2019
by John R. Fischer, Senior Reporter
An investigation by ProPublica has uncovered more than 16 million medical images and records that can be easily accessed by online users with basic computer skills, due to having little to no protections in place.

Conducted with German broadcaster Bayerischer Rundfunk, the investigation found X-ray, MR and CT scans belonging to more than five million Americans and millions of other patients worldwide can be seen using free software programs or a typical web browser. More than 13.7 million medical tests in the U.S. were accessible online, including over 400,000 that came with the option for downloading X-rays and other images.

The outlets identified 187 servers of medical data in doctor’s offices, medical imaging centers and mobile X-ray services across the U.S., all of which lacked any passwords or basic security protocols. Some even ran on outdated operating systems with proven security vulnerabilities.

“This is so utterly irresponsible,” Cooper Quintin, a security researcher and senior staff technologist for the Electronic Frontier Foundation, a digital-rights group, told ProPublica.

While raising questions around the carelessness of the providers charged with managing this data, the findings should be seen as an opportunity or a wake-up call for all providers to ensure their patients’ data is protected. Here are five takeaways from the ProPublica and Bayerischer Rundfunk investigation to help with just that:

1. Have some form of security

The servers identified in the investigation did not even have passwords, or protocols long ago deemed standard for businesses and government agencies. This lack of protections not only exposes data to the public but puts providers at the mercy of hackers.

One doctor in Los Angeles, for instance, had an imaging system of echocardiograms that could be accessed by anyone with a computer and access to the web.

“It’s not even hacking,” Jackie Singh, a cybersecurity researcher and chief executive of the consulting firm Spyglass Security, told ProPublica. “It’s walking into an open door.”

2. Know the value of information

Shortly before publishing the story, ProPublica reached out to the companies it identified in its inquiry to inform them of their security vulnerabilities. One enterprise was MobilexUSA, which provides mobile X-ray and imaging services to nursing homes, rehab hospitals, hospice agencies and prisons. The company’s records contained the names of more than a million patients, as well as their dates of birth, the names of their doctors and procedures conducted on them.

In the wrong hands, such information could be used to commit identity theft, to blackmail a person, or to commit ransom. It could even be sold online to other users, thereby spreading a person’s private information to more parties and potentially increasing the risks or dangers they face in their personal, financial and work lives, and other ways.

“We promptly mitigated the potential vulnerabilities identified by ProPublica and immediately began an ongoing, thorough investigation,” MobilexUSA’s parent company said in a statement.

3. Know who is responsible for security

According to U.S. law, healthcare providers and business associates are responsible for ensuring that patient information is kept private. Identifying the specific person or group of individuals responsible for such a task, however, is an often complex and confusing task.

For years, vendors designed medical imaging software under the assumption that patient data would be secured by the provider’s computer security systems, according to ProPublica. As hospital and medical center networks grew in complexity and became connected to the internet, this responsibility fell on network administrators who thought that protections were already in place.

ProPublica recently showed its findings to the Medical Imaging & Technology Alliance, which oversees the enforcement of the industry standard, DICOM, for communicating information through medical equipment software. MITA confirmed that hundreds of servers exist with an open connection to the internet, but asserted that people overseeing them are responsible.

“What we typically see in the health care industry is that there is Band-Aid upon Band-Aid applied” to legacy computer systems, said cybersecurity researcher Jackie Singh, adding that it is a “shared responsibility” among manufacturers, standards makers and hospitals to ensure computer servers are secure.

4. The sun has set on analog

Images can be uploaded to servers in seconds today and viewed by physicians on their computers. Many providers, however, have not fully transitioned their mindsets from their days of interpreting scans on analog films. This includes security, for which no protocols existed during this time.

While regulations such as HIPAA have helped to change this by requiring the implementation of precautions to prevent unauthorized access to information, ensuring providers follow them is a slow work-in-progress.

5. Enforce penalties and regulations

More than 40 million people have had their medical information compromised in the last two years, according to records from the U.S. Department of Health and Human Services.

Despite this, government penalties for violating patient privacy are not harsh enough, with HHS recently lowering the maximum annual fine from $1.5 million to $250,000 for “corrected willful neglect,” which is when a company knowingly commits failures or shows indifference for problems it tries to fix, according to ProPublica, which reported that large enterprises even go as far as negotiating the costs of fines with the government.

“It’s 2019,” said Joy Pritts, a former HHS privacy official. “There’s no reason for this.”

The investigation builds on the findings of Greenbone Networks, a German-based security firm that has uncovered similar issues in at least 52 countries on every inhabited continent. The findings by both stress the need for healthcare institutes to be more rigid in their adherence to security and install proper protocols, leadership assignments and plans that ensure their patient data is secure, private and protected.