More Than 45 Million Medical Records are Floating Unprotected Online

Cybersecurity report finds millions of medical images, including X-rays and CTs, can be accessed worldwide without hacking tools.

Millions of medical images, including X-rays and CT scans, are floating freely across the globe, according to a six-month investigation.

Across the globe, more than 45 million medical images are sitting, freely accessible, in unprotected servers, said cybersecurity and risk management company CybelAngel. The company released a report on Dec. 15 that analyzed more than 4.3 billion IP addresses. Its assessment is worrisome, company officials said, because most exposures were linked to the two standards that healthcare facilities use for data-sharing – DICOM files and network-attached storage devices.

“This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals,” said David Sygula, senior analyst and report author, in a statement. “A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”

According to their analysis, medical images were found in more than 2,140 unprotected servers throughout 67 countries. Medical centers were connected to 12 servers, and five were linked to independent physicians. Given the widespread locations of these files, the report findings were even more significant and frightening, Sygula said, because the company did not use any hacking tools to get access to private information, including birth dates, addresses, names, and diagnoses, as well as other forms of personal healthcare information.

Getting a better handle on cybersecurity weaknesses is critical because cyberattacks are on the rise, with as many as 83 percent of medical imaging devices running on outdated software, according to a Palo Alto Networks report. Failing to do so can also be expensive. According to Becker’s Hospital Review, these types of infiltrations cost the healthcare industry roughly $6.2 billion annually, with individual organizations losing an average of $3.7 million. The patient impact is also widespread. Black Book Research found that, in 2019 alone, approximately 40 million people were affected by a healthcare data breach.

To help providers and facilities protect themselves and side-step these attacks, CybelAngel recommended taking three actions:

  • Make sure any information collected during the COVID-19 outbreak is also protected under security policies and protocols.
  • Limit diagnostic imaging equipment and supporting systems exposure to wider networks.
  • Use a third party to audit all security policies and identify weaknesses and individuals who might be following those policies and procedures.

Maximizing cybersecurity efforts is critical, said Todd Carroll, CybelAngel chief information officer, because healthcare facilities are connected to several parties, and image- and data-sharing is largely necessary for patient care.

“The health sector has faced unprecedented challenges this year, however, the security and privacy of their patients’ most personal records must be protected, to prevent highly confidential data falling into the wrong hands,” he said.
