by John R. Fischer, Senior Reporter | September 20, 2019
An investigation by ProPublica has uncovered more than 16 million medical images and records that can be easily accessed by online users with basic computer skills, because little to no protection was in place.
Conducted with German broadcaster Bayerischer Rundfunk, the investigation found X-ray, MR and CT scans belonging to more than five million Americans and millions of other patients worldwide can be seen using free software programs or a typical web browser. More than 13.7 million medical tests in the U.S. were accessible online, including over 400,000 that came with the option for downloading X-rays and other images.
The outlets identified 187 servers of medical data in doctors’ offices, medical imaging centers and mobile X-ray services across the U.S., all of which lacked any passwords or basic security protocols. Some even ran on outdated operating systems with proven security vulnerabilities.
“This is so utterly irresponsible,” Cooper Quintin, a security researcher and senior staff technologist for the Electronic Frontier Foundation, a digital-rights group, told ProPublica.
While raising questions around the carelessness of the providers charged with managing this data, the findings should be seen as an opportunity or a wake-up call for all providers to ensure their patients’ data is protected. Here are five takeaways from the ProPublica and Bayerischer Rundfunk investigation to help with just that:
1. Have some form of security
The servers identified in the investigation did not even require passwords, let alone use protocols that have long been standard for businesses and government agencies. This lack of protection not only exposes data to the public but puts providers at the mercy of hackers.
One doctor in Los Angeles, for instance, had an imaging system of echocardiograms that could be accessed by anyone with a computer and access to the web.
“It’s not even hacking,” Jackie Singh, a cybersecurity researcher and chief executive of the consulting firm Spyglass Security, told ProPublica. “It’s walking into an open door.”
2. Know the value of information
Shortly before publishing the story, ProPublica reached out to the companies it identified in its inquiry to inform them of their security vulnerabilities. One enterprise was MobilexUSA, which provides mobile X-ray and imaging services to nursing homes, rehab hospitals, hospice agencies and prisons. The company’s records contained the names of more than a million patients, as well as their dates of birth, the names of their doctors and procedures conducted on them.