Medical data consists of highly sensitive personal and health details. If it is openly available to anyone, it can be abused in many ways. Unfortunately, we have seen plenty of medical breaches, and the trend continues.
The Report: 45 Million Medical Images and Records Accessible without Password
Security researchers from CybelAngel recently discovered that more than 45 million medical images, including X-rays and CT scans, can be accessed freely on unprotected servers. The research team performed a 6-month investigation of Network Attached Storage (NAS) devices and of Digital Imaging and Communications in Medicine (DICOM), the healthcare industry's standard for sending and receiving medical images and related data. Vulnerabilities in the DICOM protocol and in Picture Archiving and Communication System (PACS) servers are at fault for this incident.
The data has been gathered from online storage devices associated with medical centers all over the world. 23,000 images of UK patients were also exposed on 90 separate servers. The X-ray and CT scans could be accessed openly due to unsecured NAS storage devices in combination with the obsolete DICOM medical data transmission protocol.
The exposed, sensitive information also includes personal healthcare information, known as PHI for short. This information was discovered unencrypted and without any password protection in place. More specifically, the medical images came together with up to 200 lines of metadata per record, with both PII and PHI included.
PII, or personally identifiable information, refers to names, birth dates, physical addresses, etc., whereas PHI, or personal healthcare information, covers details such as height, weight and medical diagnoses. All of this PII and PHI could be accessed without login credentials. The researchers even discovered instances where login portals accepted blank usernames and passwords.
The research team did not need any hacking tools during the research. The ease with which they accessed the medical data is uncanny.
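As an added illustration (not part of the CybelAngel report or of this article), the following Python script shows what the metadata side of such a record looks like and what a provider can check before a record is stored on a shared device or sent out: it parses a minimal DICOM dataset in explicit VR little endian encoding, lists which PII and PHI elements it carries, and produces a copy with the PII elements removed. The tag numbers are the standard DICOM ones; the parser, the sample values, and the PII/PHI split are assumptions made for this example, and the constructed record omits the group 0002 file-meta header that a real Part 10 file carries.

```python
import struct

# Standard DICOM tags (group, element) that this audit treats as direct
# identifiers (PII) or as health details (PHI). The split is a choice made
# for this example; a real de-identification profile covers many more tags.
PII_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x1040): "PatientAddress",
}
PHI_TAGS = {
    (0x0008, 0x1030): "StudyDescription",
    (0x0010, 0x1020): "PatientSize",
    (0x0010, 0x1030): "PatientWeight",
}
# VRs whose element header carries a 4-byte length after 2 reserved bytes.
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def encode_element(group, element, vr, value):
    """Encode one element in explicit VR little endian; values are padded to even length."""
    if len(value) % 2:
        value += b"\x00" if vr == b"UI" else b" "
    header = struct.pack("<HH", group, element) + vr
    if vr in LONG_LENGTH_VRS:
        return header + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return header + struct.pack("<H", len(value)) + value


def strip_preamble(data):
    """Skip the 128-byte preamble and 'DICM' magic of a Part 10 file, if present."""
    if len(data) >= 132 and data[128:132] == b"DICM":
        return data[132:]
    return data


def parse_elements(data):
    """Yield ((group, element), vr, raw_value) for each explicit VR LE element."""
    pos = 0
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated element header")
        group, element = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_LENGTH_VRS:
            if pos + 12 > len(data):
                raise ValueError("truncated element header")
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length elements are not supported here")
        if pos + length > len(data):
            raise ValueError("truncated element value")
        yield (group, element), vr, data[pos:pos + length]
        pos += length


def audit_identifiers(data):
    """Report the PII and PHI elements present as (name, text) pairs."""
    found = {"pii": [], "phi": []}
    for tag, _vr, value in parse_elements(strip_preamble(data)):
        if tag in PII_TAGS or tag in PHI_TAGS:
            text = value.rstrip(b" \x00").decode("ascii", "replace")
            bucket = "pii" if tag in PII_TAGS else "phi"
            found[bucket].append((PII_TAGS.get(tag) or PHI_TAGS[tag], text))
    return found


def strip_identifiers(data):
    """Re-encode the dataset without any PII element; everything else is kept."""
    return b"".join(
        encode_element(tag[0], tag[1], vr, value)
        for tag, vr, value in parse_elements(strip_preamble(data))
        if tag not in PII_TAGS
    )


def get_element(data, tag):
    """Return the raw value of one element, or None if it is absent."""
    for found_tag, _vr, value in parse_elements(strip_preamble(data)):
        if found_tag == tag:
            return value
    return None


def build_sample_record():
    """Constructed record: preamble + 'DICM' + a handful of elements (no group 0002 header)."""
    elements = [
        (0x0008, 0x0060, b"CS", b"CT"),
        (0x0008, 0x1030, b"LO", b"CHEST CT WITH CONTRAST"),
        (0x0010, 0x0010, b"PN", b"DOE^JANE"),
        (0x0010, 0x0020, b"LO", b"MRN-000123"),
        (0x0010, 0x0030, b"DA", b"19800101"),
        (0x0010, 0x1020, b"DS", b"1.75"),
        (0x0010, 0x1030, b"DS", b"70"),
        (0x7FE0, 0x0010, b"OB", b"\x00\x01\x02\x03"),  # stand-in pixel data
    ]
    body = b"".join(encode_element(*e) for e in elements)
    return b"\x00" * 128 + b"DICM" + body


if __name__ == "__main__":
    record = build_sample_record()
    print("before:", audit_identifiers(record))
    print("after: ", audit_identifiers(strip_identifiers(record)))
```

The audit step is the useful part for a defender: run over an export directory, it reports which records still carry names, IDs and birth dates, which is exactly the metadata that turned the exposed images into identifiable PII and PHI. Removing elements, as `strip_identifiers` does, is a blunt form of de-identification; production pipelines usually replace values with consistent pseudonyms so that studies stay linkable.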
“This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach,” explained David Sygula, senior cybersecurity analyst at CybelAngel and author of the report.
The Outcome of Medical Data Breaches
Because medical data and images are so sensitive, their exposure can lead to various malicious outcomes, especially once they reach the Dark Web. They can be exploited for extortion and fraud, among other scenarios. The fact that healthcare providers left these medical records openly accessible with no protection should not be underestimated. Sanctions under GDPR in Europe and HIPAA in the United States may follow due to the breach of sensitive patient data.
Further details are available in the report.
Last year, security researchers discovered two vulnerabilities in medical devices, one of which was critical and could allow full control of the device. The flaws resided in Alaris Gateway Workstations by Becton Dickinson, which are used to deliver fluid medication.