Unprotected servers have left more than 45 million medical images with sensitive patient information from 67 countries accessible online

Unprotected servers leave more than 45 million medical images accessible online

December 16, 2020
by John R. Fischer, Senior Reporter
Unprotected servers in 67 countries have made over 45 million medical images accessible online.

The discovery was made by an analyst team at CybelAngel, a data risk protection firm, during a six-month investigation. Compiling their findings in a report called “Full Body Exposure”, the group says the images include X-rays and CT scans that contain both personal health information and personally identifiable information for patients worldwide, including in the U.S., U.K., France and Germany.

"No hacking tools were used; millions of images were freely accessible and not encrypted. These could be accessed without password protection. Unprotected document storage servers are one potential source of data leaks, so it is important to remember that digital risk protection is about making sure all assets are secured whether these are on a connected storage device or a cloud application," David Sygula, senior cybersecurity analyst at CybelAngel and author of the report, told HCB News.

The images were found on more than 2,140 servers, with millions unencrypted and without password protection. The analysts made the discovery while investigating Network Attached Storage (NAS) and Digital Imaging and Communications in Medicine (DICOM), the de facto standard used by healthcare professionals to send and receive medical data.

Scanning approximately 4.3 billion IP addresses, the team found the openly available images could be accessed without inputting a user name or password. This included up to 200 lines of metadata per record that contained PII such as names, birth dates, and addresses; as well as PHI, such as height, weight and diagnosis. Login portals for some even accepted blank usernames and passwords.

Vulnerabilities such as this leave healthcare organizations at the mercy of ransomware attackers and blackmailers, according to CybelAngel. Fraud is also a big risk, due to medical images fetching good prices on the dark web. In addition, healthcare providers can be held liable under sanctions regulated by the GDPR in Europe and by HIPAA in the U.S.

Sygula says he and his team were "surprised" by the extent to which sensitive images were left open for exposure, considering the regulations in place for governing health data.

"Because of COVID-19 safety measures to socially distance, there has been increased remote access to medical images. If remote access is not properly secured with strong password protection protocols and encryption, the chance of a data leak and ultimately breached data increases exponentially," he said.

The report lists a number of steps that can be taken to share and store data more securely: