‘Medical scans of millions of people were freely accessible’
The images of medical scans, such as X-rays, and the associated data of millions of patients worldwide are poorly secured and therefore easy to view, claims a German security research company.
The German security company Greenbone Networks found five servers in Germany and 187 systems in the United States with poor security. These systems gave access to patient data without requiring a password or any other form of authentication. In total, the company found problems with systems in more than 50 countries, involving more than 16 million scans, most of them with names and dates of birth and in some cases social security numbers. Greenbone Networks reported its findings to ProPublica and Bayerischer Rundfunk.
ProPublica found, among other things, a database of the American company MobilexUSA containing the names, dates of birth, doctors and treatments of more than one million patients. This data could be retrieved over the internet with simple queries. MobilexUSA has since improved the security of its systems. In Germany, Greenbone alerted the Bundesamt für Informationsschutz, after which the vulnerable servers were taken offline.
The images include X-ray, CT and MRI scans. The problem lies in the security of PACS, or picture archiving and communication systems. Scanners send their images to a PACS for archiving, so that medical institutions can retrieve them later. The connection between these servers is based on the DICOM standard, which originated in the 1980s. When PACS and DICOM are deployed, the applicable security requirements are frequently not followed, with the result that the systems are connected directly to the internet without measures such as firewalls and VPNs.
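The exposure described above is twofold: the PACS accepts connections without authentication, and the stored DICOM objects themselves carry the patient's name, date of birth and identifier in their headers alongside the pixel data. The following added example (not code from the article, Greenbone, or any PACS vendor) shows how an auditor can check that second point: it builds a constructed minimal DICOM file, walks its explicit VR little-endian data elements, reports which identifying elements are present, and produces a pseudonymised copy. The tag numbers are the standard DICOM ones for PatientName (0010,0010), PatientID (0010,0020) and PatientBirthDate (0010,0030); the sample values are invented.

```python
import struct

# Standard DICOM tags that carry directly identifying patient data.
IDENTIFYING_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
}

# VRs whose explicit-VR encoding uses 2 reserved bytes and a 4-byte length.
LONG_LENGTH_VRS = {"OB", "OW", "OF", "SQ", "UT", "UN"}

# Part 10 file preamble: 128 bytes followed by the "DICM" magic.
PREAMBLE = b"\x00" * 128 + b"DICM"


def encode_element(group, element, vr, value):
    """Encode one data element in explicit VR little-endian."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:  # values are padded to an even length
        value += b"\x00" if vr == "UI" or vr in LONG_LENGTH_VRS else b" "
    header = struct.pack("<HH", group, element) + vr.encode("ascii")
    if vr in LONG_LENGTH_VRS:
        header += b"\x00\x00" + struct.pack("<I", len(value))
    else:
        header += struct.pack("<H", len(value))
    return header + value


def build_sample_file(with_identifiers=True):
    """Constructed minimal DICOM file for demonstration only (not a real scan).

    Real files carry many more meta and dataset elements; only enough is
    included here to exercise the parser.
    """
    meta = encode_element(0x0002, 0x0010, "UI", "1.2.840.10008.1.2.1")  # explicit VR LE
    body = encode_element(0x0008, 0x0060, "CS", "CT")  # Modality
    if with_identifiers:
        body += encode_element(0x0010, 0x0010, "PN", "DOE^JANE")   # invented
        body += encode_element(0x0010, 0x0020, "LO", "PAT-000123")  # invented
        body += encode_element(0x0010, 0x0030, "DA", "19700101")    # invented
    body += encode_element(0x7FE0, 0x0010, "OB", b"\x00" * 16)  # Pixel Data placeholder
    return PREAMBLE + meta + body


def parse_elements(data):
    """Yield (group, element, vr, value) from an explicit VR little-endian file."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    pos = 132
    while pos + 8 <= len(data):
        group, element = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii")
        if vr in LONG_LENGTH_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        value = data[pos:pos + length]
        pos += length
        yield group, element, vr, value


def find_identifiers(data):
    """Return {element name: decoded value} for every identifying element present."""
    found = {}
    for group, element, vr, value in parse_elements(data):
        name = IDENTIFYING_TAGS.get((group, element))
        if name:
            found[name] = value.decode("ascii").rstrip(" \x00")
    return found


def strip_identifiers(data):
    """Re-encode the file with identifying values replaced by fixed placeholders."""
    out = bytearray(PREAMBLE)
    for group, element, vr, value in parse_elements(data):
        if (group, element) in IDENTIFYING_TAGS:
            value = "19000101" if vr == "DA" else "ANONYMIZED"
        out += encode_element(group, element, vr, value)
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_file()
    print("identifiers found:", find_identifiers(sample))
    print("after stripping:  ", find_identifiers(strip_identifiers(sample)))
```

The parser handles only explicit VR little-endian without nested sequences, which is enough for the header audit shown here; production tooling should use a full DICOM library. The point for a PACS operator is that even a stored image that "only" contains pixels is a patient record, so both the network exposure and the header contents need attention.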
The Medical Imaging & Technology Alliance, the organization that oversees the development of the standard, acknowledges that hundreds of servers are connected to the internet unprotected, but places the responsibility on the administrators of the systems. Answers to questions about responsibility indicate that a DICOM development working group has not been very active over the past twenty years and that security has not been a high priority.