One Billion Medical Records, All Containing Images, Exposed Due to Common Security Oversight by Scott Ikeda


Developed in the mid-1980s, the Digital Imaging and Communications in Medicine (DICOM) standard has been the way many medical professionals have stored and transferred images for three decades now. This commonly used medical records system is also responsible for leaking at least one billion sensitive images through the internet: x-rays, MRI and CT scans, ultrasounds, nuclear medicine images and even dental records.

What’s worse, some of these images have patient diagnosis and social security numbers attached to them. This sort of information is a gold mine for criminals looking to perpetrate insurance fraud and confidence schemes that target elderly patients.

How is this happening? Medical offices and facilities store these images on internet-connected servers which are often simply not secured. Anyone with freely available DICOM software and internet access can connect to these unprotected servers and start downloading this sensitive information with no real hacking prowess required.

The problem with DICOM medical records

As different medical facilities use many different types of medical equipment made by many different manufacturers, an image standard like DICOM is necessary for patient care professionals to transfer these images to each other.

Most facilities do this by way of a picture archiving and communications system (PACS). Since this standard is so widely used, the Internet Assigned Numbers Authority (IANA) has reserved ports 104, 2761, 2762 and 11112 for its use.

The trouble is that medical facilities have a tendency to “plug and play” their PACS systems without taking the extra steps necessary to secure them. Prior to the internet, this wasn’t really a security issue as one needed access to a PACS workstation to communicate with others.

However, in the present day, one only needs to scan for these IP addresses and known ports to download the files. Free DICOM image viewing software is now widely available for Windows and Macintosh computers; it is also possible to open these files with web browser extensions.

The problem is not just one of privacy invasion, but also potential identity theft. DICOM images are “layered” and allow you to add informational tags and metadata to them, similar to file formats such as .TIFF and .JPG. Medical professionals sometimes add personal information to identify the patient: names, addresses, and even social security numbers. They may also add detailed notes on the patient’s condition and personal health that go well beyond the information available from the image.
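As an added illustration of the tag-and-metadata point above (this is not code from the article or from any DICOM vendor), the following Python walks a small explicit-VR little-endian DICOM dataset, reports which identity-bearing tags are filled in, and re-encodes the dataset with those values emptied while leaving the pixel data alone; the tag list is the defender's checklist, and the helper names and sample bytes are constructed for this example.

```python
import struct
# Tags (DICOM PS3.6) that commonly carry the identifying text the article describes.
PHI_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x1040): "PatientAddress",
}
# VRs whose header has 2 reserved bytes and a 4-byte length (PS3.5, section 7.1.2).
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

def encode_element(group, elem, vr, value):
    """Encode one explicit-VR little-endian data element; values are padded to even length."""
    if len(value) % 2:
        value += b"\x00" if vr in LONG_VRS else b" "
    if vr in LONG_VRS:
        return struct.pack("<HH2sHI", group, elem, vr, 0, len(value)) + value
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value

def parse_dataset(data):
    """Walk an explicit-VR LE dataset and return {(group, elem): (vr, raw value)}."""
    elements, pos = {}, 0
    while pos + 8 <= len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        if vr in LONG_VRS:
            length, pos = struct.unpack_from("<I", data, pos + 8)[0], pos + 12
        else:
            length, pos = struct.unpack_from("<H", data, pos + 6)[0], pos + 8
        if pos + length > len(data):
            raise ValueError(f"truncated element at ({group:04X},{elem:04X})")
        elements[(group, elem)] = (vr, data[pos:pos + length])
        pos += length
    return elements

def find_phi(elements):
    """Sorted names of identifying tags that are present with a non-empty value."""
    return sorted(n for t, n in PHI_TAGS.items() if elements.get(t, (0, b""))[1].strip())

def scrub(data):
    """Re-encode the dataset with identifying values emptied; pixel data is untouched."""
    return b"".join(encode_element(*tag, vr, b"" if tag in PHI_TAGS else value)
                    for tag, (vr, value) in parse_dataset(data).items())

# Constructed sample (fake values) shaped like an image record with identity tags attached.
SAMPLE = b"".join([
    encode_element(0x0008, 0x0060, b"CS", b"CR"),            # Modality
    encode_element(0x0010, 0x0010, b"PN", b"DOE^JANE"),      # PatientName
    encode_element(0x0010, 0x0020, b"LO", b"000-00-0000"),   # PatientID holding an SSN-style value
    encode_element(0x0010, 0x1040, b"LO", b"1 Example St"),  # PatientAddress
    encode_element(0x7FE0, 0x0010, b"OB", b"\x00" * 4),      # PixelData
])
```

Run `find_phi(parse_dataset(SAMPLE))` to list the populated identity tags, and `find_phi(parse_dataset(scrub(SAMPLE)))` to confirm the re-encoded copy carries none.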

Containing the problem

Security researchers have been sounding the alarm about this widespread breach in recent months. However, it falls to each individual facility to properly secure their systems against data breaches. Many seem to be opting not to bother.

The estimate of over a billion available records through unsecured DICOM PACS systems is a worldwide count, but the problem is most acute in the United States. A full half of the available medical records are thought to be hosted at US medical facilities.

Security researchers have been busy warning hospitals since September 2019, when an investigation by ProPublica first revealed the amount of data that was available. The initial investigation uncovered 187 servers in the United States exposing the records of about 13.7 million patients. A sister study conducted by German security firm Greenbone Networks found similar vulnerabilities in 52 other countries, with a total of 24 million exposed medical records.

Facilities can secure their PACS systems by requiring a password to access medical records, or by placing the servers behind a VPN or firewall. It appears that many are neglecting to put even these inexpensive and relatively simple measures in place.

Erich Kron, Security Awareness Advocate for KnowBe4, pointed out that the hardware and software manufacturers should also acknowledge realities of the medical industry and do more from their end:

“What we are seeing here is a breakdown between the desire for privacy and the ease of access to the data. On one hand, there is a push to make medical information more easily available between providers, on the other is a failure to secure this information.

“While we can expect doctors and nurses to be excellent caregivers, we cannot always expect them to be experts in securing customer information such as this. The platforms being used must do a better job of preventing this sort of disclosure by building security into the design and architecture in ways that are more difficult to be misconfigured or to be bypassed, even inadvertently.

“This exposure is full of very sensitive information that, given the possible fines related to unauthorized disclosures, carries a great deal of risk for the healthcare providers and organizations. The sheer volume of records exposed is a testament to the enormity of the problem being faced, but perhaps equally as concerning is the fact that many of these records remain exposed even after the offending organization has been contacted about the issue. If you are in an industry that handles potentially sensitive information, especially at a large scale such as this, it is imperative that there is a process to report and deal with potentially exposed data quickly and concisely.”

Dirk Schrader, one of the researchers at Greenbone Networks, said that some facilities have responded to the warning but that overall the problem is “rising” as new unsecured systems and medical records are exposed online.

Schrader also warned that this problem is not limited to the sort of small practitioners that one would assume would take shortcuts when securing their medical records. It appears that large hospitals in major cities are among the most problematic offenders. Naturally, these were not named to protect patient security, but Schrader did say that one of the larger hospitals in Los Angeles was among those that secured their servers after being notified of the exposed medical images.

Are Hospitals Violating HIPAA?

As Anurag Kahol, CTO of Bitglass, observed:

“Leaving a database publicly accessible filled with confidential files, images, and personally identifiable information (PII) is inexcusable in today’s advanced threat landscape. Companies handling medical records are heavily targeted by cybercriminals; therefore, they must take every precaution necessary to protect patient data. Hundreds of hospitals, medical offices, and imaging centers have contributed to over a billion exposed records. Consequently, they will likely face penalties for violating HIPAA compliance regulations which may include hefty fines. Healthcare organizations must take the proper cloud security steps in 2020, including leveraging single sign-on (SSO), data loss prevention (DLP), along with visibility and control over sharing permissions, in order to secure their databases, maintain compliance with regulations, and protect the sensitive data that they have been entrusted with.”

The Health Insurance Portability and Accountability Act (HIPAA) has a security provision (the Security Rule) to protect sensitive data of this nature. It seems pretty clear that the exposed information here meets the definition of protected health information (PHI) that is individually identifiable. Federal law also preempts all state privacy law as regards medical records. So why is nothing being done about this exposed medical data at so many facilities?


As ProPublica reports, some facilities appear to consider HIPAA violations an acceptable cost of doing business. While these fines are theoretically steep, the ProPublica investigation discovered that medical facilities are warned often but fined rarely even if they are repeat offenders.