More than 45 million medical imaging files -- such as x-rays and CT scans -- are freely accessible on unprotected servers, according to a report from digital risk protection company CybelAngel.
CybelAngel's analyst team spent six months digging into network-attached storage (NAS) and DICOM systems, scanning approximately 4.3 billion internet protocol (IP) addresses. The group discovered more than 45 million unique medical images were available without encryption or password protection on over 2,140 servers across 67 countries including the U.S., the U.K., and Germany.
Furthermore, CybelAngel's analysts found that up to 200 lines of metadata -- name, birth date, address, height, weight, etc. -- could be accessed without the need for a username or password. In some cases, login portals accepted blank usernames and passwords.
"The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files," said David Sygula, senior cybersecurity analyst at CybelAngel and author of the report. "This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach."
The security risks associated with publicly accessible images include ransomware, blackmail, and fraud. And medical images fetch a premium on the dark web, according to CybelAngel. In addition, healthcare providers are liable to sanctions under regulations such as the General Data Protection Regulation (GDPR) in Europe, and the Health Insurance Portability and Accountability Act (HIPAA) in the U.S.
CybelAngel said there are simple steps healthcare facilities can take to safeguard sensitive information, such as the following:
- Determine if responding to the COVID-19 pandemic is exceeding your security policies. Ad hoc network-attached storage (NAS) devices, file-sharing apps, and contractors may be taking data beyond your ability to enforce access controls.
- Ensure proper network segmentation of connected medical imaging equipment.
- Conduct a real-world audit of third-party partners and determine which parties may be unmanaged or not in compliance with required policies and protocols.
CybelAngel's full report may be accessed here.
