45M medical images found exposed online on unsecured servers
Cybersecurity researchers have discovered more than 45 million medical images exposed online that include personally identifiable information.
Detailed today by researchers at CybelAngel, the images were found as part of a six-month investigation of data storage systems used by healthcare organizations, which included scanning 4.3 billion IP addresses for insecure services. The investigation specifically targeted network-attached storage and Digital Imaging and Communications in Medicine, the latter a de facto standard used by healthcare professionals to send and receive medical data.
The more than 45 million medical images were found on 2,140 unprotected servers across 67 countries including the U.S., the U.K. and Germany. The images typically included 200 lines of metadata per record, and involved personally identifiable information such as name, address and birthdate along with protected health information such as height, weight and diagnosis — all exposed online without the need for a username or password.
“The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files,” said David Sygula, senior cybersecurity analyst at CybelAngel and an author of the report. “This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”
Trevor Morgan, product manager with data security specialists comforte AG, told SiliconANGLE that the leak points up a key issue: Sensitive information doesn’t just encompass financial data but also other, more personal types of personally identifiable information.
“Some of the most sensitive data people and enterprises own is information about their medical health and well-being,” Morgan said. “This PHI is clearly addressed in many privacy regulations, so organizations that handle, process and store this data need to find the most effective ways to prevent leaks from compromising the subjects of this sensitive information.”
Josh Bohls, chief executive officer of secure content capture firm Inkscreen LLC, noted that the leak also shows how “toothless” the U.S. health regulations are and how lax healthcare providers have become when storing patient data. “This should serve as a wakeup call for providers to take a fresh look at how they process, maintain and safeguard patient-identifiable photos,” he said.