A just-released TechCrunch/Mighty report builds on earlier findings that “hundreds of hospitals, medical offices and imaging centers are running insecure storage systems, allowing anyone with an internet connection and free-to-download software to access over 1 billion medical images of patients across the world.”
Roughly half of the exposed images are from the U.S.
“It seems to get worse every day,” Dirk Schrader, who led the research at Germany-based security firm Greenbone Networks, which has kept tabs on the exposure issue, told the news sites.
The scope of the crisis first hit the news through a September 2019 ProPublica report that revealed that 24 million patient exams with over 720 million images were unprotected. By November and December of that year, the number of exposed servers had risen by half, exposing 35 million exams and 1.19 billion scans, according to the latest reports.
“The amount of data exposed is still rising, even considering the amount of data taken offline due to our disclosures,” Schrader told the news groups, and without immediate action new record levels of exposed images will hit “in no time,” he warned.
At issue is a flaw in the DICOM file format, an industry standard that makes it “easy” for medical providers to store and share images in a PACS (picture archiving and communication system). One issue is that, because the format was designed to make viewing a snap, the files can be opened with many free, easily available apps.
The other big problem is that many doctors' offices do not follow security best practices, leaving the PACS servers where the DICOM files are stored connected to the internet with no password. And the images are frequently accompanied by a cover sheet carrying all manner of medical and personal patient data as well.
TechCrunch/Mighty looked at the risks to patients that can come from such data exposure and found that they included both insurance fraud and identity theft.
Greenbone reached out to over 100 organizations with exposed servers in December — a move that led some to secure their servers, but not all. Of the 10 largest organizations it contacted, noted Schrader, it got “no response at all.”
Former HHS privacy official Lucia Savage told TechCrunch/Mighty that more action is needed. “If the data is personal health information, it is required to be secured from unauthorized access, which includes finding it on the internet,” Savage said, adding that, “there is an equal obligation to lock the file room that contains your paper medical records as there is to secure digital health information.”
Since the scale of exposed medical servers was first revealed in September, Sen. Mark Warner (D-VA) has called for answers from Health and Human Services.
“To my knowledge, Health and Human Services has done nothing about it,” Warner told TechCrunch/Mighty. “As Health and Human Services aggressively pushes to permit a wider range of parties to have access to the sensitive health information of American patients without traditional privacy protections attached to that information, HHS’s inattention to this particular incident becomes even more troubling,” he added.
The HHS Office for Civil Rights defended its enforcement of privacy.
“OCR has taken enforcement action in the past to address violations concerning unprotected storage servers, and continues robust enforcement of the HIPAA rules,” a spokesperson told the publications.