A billion medical images exposed, but doctors ignore warnings – TechCrunch
Despite warnings from security researchers, the number of exposed images has risen.
TechCrunch broke news late Friday of research showing that a billion medical images are exposed online as doctors ignore warnings. The exposure was discovered by German cybersecurity firm Greenbone Networks and follows a similar report from the company in September that detailed 24 million medical records on 590 online medical image archive systems. Two months later, the firm reported that the number of exposed servers had increased by more than half, with 35 million patient exams and 1.19 billion scans now exposed, a considerable violation of patient privacy. Researchers pointed to PACS (Picture Archiving and Communication System) servers, a decades-old technology built on the DICOM file format and network standard, that had been left reachable from the internet, many with no authentication at all.
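As an added example, not taken from the TechCrunch report or from Greenbone's research: the DICOM association handshake is the only gate in front of a PACS that has no network-level protection, and the handshake checks nothing stronger than whether the server recognises the called AE title (a 16-character application name). The Python below builds an A-ASSOCIATE-RQ proposing the Verification (C-ECHO) service, interprets the accept or reject the server returns, and ships with a constructed accept and reject so it runs offline. The implementation UID and the AE titles are placeholders chosen for this example; run probe() only against systems you are authorised to test.

```python
import socket
import struct

# Standard DICOM UIDs used in the association handshake (PS3.7 / PS3.8).
APP_CONTEXT_UID = "1.2.840.10008.3.1.1.1"   # DICOM Application Context Name
VERIFICATION_SOP = "1.2.840.10008.1.1"      # Verification SOP Class (C-ECHO)
IMPLICIT_VR_LE = "1.2.840.10008.1.2"        # Implicit VR Little Endian transfer syntax
IMPL_CLASS_UID = "1.2.826.0.1.3680043.9.9999.1"  # placeholder implementation UID for this probe

def _item(item_type: int, payload: bytes) -> bytes:
    """PDU item / sub-item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload

def _ae(title: str) -> bytes:
    """AE titles are exactly 16 bytes, space padded."""
    return title.encode("ascii")[:16].ljust(16, b" ")

def build_associate_rq(called_ae: str, calling_ae: str) -> bytes:
    """A-ASSOCIATE-RQ with one presentation context: Verification over Implicit VR LE."""
    pres_ctx = _item(0x20, bytes([1, 0, 0, 0])                   # context id 1, 3 reserved bytes
                     + _item(0x30, VERIFICATION_SOP.encode())    # abstract syntax
                     + _item(0x40, IMPLICIT_VR_LE.encode()))     # transfer syntax
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384))  # max PDU length we accept
                      + _item(0x52, IMPL_CLASS_UID.encode()))
    body = (struct.pack(">HH", 1, 0)                             # protocol version 1, reserved
            + _ae(called_ae) + _ae(calling_ae) + bytes(32)       # AE titles + 32 reserved bytes
            + _item(0x10, APP_CONTEXT_UID.encode()) + pres_ctx + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body

def classify_response(pdu: bytes) -> dict:
    """Interpret the first PDU a peer returns after an A-ASSOCIATE-RQ."""
    if len(pdu) < 6:
        return {"verdict": "no-dicom", "detail": "short or empty reply"}
    pdu_type = pdu[0]
    if pdu_type == 0x02:  # A-ASSOCIATE-AC: same 68-byte fixed header as the RQ, then items
        accepted = []
        pos = 6 + 2 + 2 + 16 + 16 + 32
        while pos + 4 <= len(pdu):
            item_type, _, item_len = struct.unpack(">BBH", pdu[pos:pos + 4])
            if item_type == 0x21:  # presentation context (AC): id, reserved, result, reserved
                ctx_id, result = pdu[pos + 4], pdu[pos + 6]
                if result == 0:
                    accepted.append(ctx_id)
            pos += 4 + item_len
        # "open": the server will talk C-ECHO to an unknown caller with no credentials at all.
        return {"verdict": "open" if accepted else "assoc-only", "accepted_contexts": accepted}
    if pdu_type == 0x03:  # A-ASSOCIATE-RJ: reserved, result, source, reason
        return {"verdict": "rejected", "result": pdu[7], "source": pdu[8], "reason": pdu[9]}
    if pdu_type == 0x07:  # A-ABORT
        return {"verdict": "aborted"}
    return {"verdict": "unknown", "pdu_type": pdu_type}

def probe(host: str, port: int = 104, called_ae: str = "ANY-SCP",
          calling_ae: str = "PROBE", timeout: float = 5.0) -> dict:
    """Send one A-ASSOCIATE-RQ to a PACS you are authorised to test and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_associate_rq(called_ae, calling_ae))
        data = s.recv(6)
        if len(data) == 6:
            _, _, length = struct.unpack(">BBI", data)
            while len(data) < 6 + length:
                chunk = s.recv(6 + length - len(data))
                if not chunk:
                    break
                data += chunk
            if data[0] == 0x02:
                s.sendall(bytes([0x05, 0, 0, 0, 0, 4, 0, 0, 0, 0]))  # A-RELEASE-RQ, close cleanly
    return classify_response(data)

# Constructed replies (not real captures) so the parser can be exercised offline.
def build_sample_ac(ctx_result: int) -> bytes:
    """A-ASSOCIATE-AC as a PACS would return it; ctx_result 0 = accepted, 3 = abstract syntax refused."""
    pres_ctx = _item(0x21, bytes([1, 0, ctx_result, 0]) + _item(0x40, IMPLICIT_VR_LE.encode()))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384)) + _item(0x52, b"1.2.3.4"))
    body = (struct.pack(">HH", 1, 0) + _ae("PACS") + _ae("PROBE") + bytes(32)
            + _item(0x10, APP_CONTEXT_UID.encode()) + pres_ctx + user_info)
    return struct.pack(">BBI", 0x02, 0, len(body)) + body

# A-ASSOCIATE-RJ: permanent reject (1), source = service user (1), reason 7 = called AE title not recognised.
SAMPLE_RJ = bytes([0x03, 0, 0, 0, 0, 4, 0, 1, 1, 7])

if __name__ == "__main__":
    print(classify_response(build_sample_ac(0)))   # what an unprotected PACS answers
    print(classify_response(SAMPLE_RJ))            # what a PACS that filters on AE title answers
```

A verdict of "open" against an internet-facing address means anyone who can reach the port can open a DICOM association; the same peer could go on to issue C-FIND and C-MOVE requests, which is how the exposed studies in the report become readable. A reject with reason 7 only shows that the server filters on called AE title, which is guessable rather than secret, so the proper fix is to keep PACS off the internet entirely or front it with a VPN or the DICOM TLS profile.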
Colin Bastable, CEO of security awareness and training company Lucy Security, had strong words:
“Unfortunately, most of the medical world thinks it exists in isolation, in its own private cloud, which is clearly unrealistic. It often appears that most medical professionals don’t understand that so much information is globally accessible. Often, security compliance is managed as a subset of medical compliance, and therefore cybersecurity takes a back seat. Insecurity is compounded by the highly fragmented and outsourced nature of the US healthcare landscape. The need for multiple parties to have prompt access to all medical data ensures that convenient access takes precedence over basic authentication and authorization security. It’s no wonder healthcare tops the charts every year as the number one at-risk sector for cyber-criminals.”
And Felix Rosbach, product manager at data security company comforte AG, said:
“The massive amount of data sets, combined with the number of freely accessible PACS systems that were configured in similar ways, shows that protecting data is still a major challenge for organizations in all verticals. While it is not always possible to prevent malicious access, sophisticated data protection is a must when processing and storing sensitive information – especially PII and healthcare records. These are core requirements of data privacy regulations like HIPAA and GDPR, and there might be fines coming up for this.”