45M medical images found exposed online on unsecured servers
Cybersecurity researchers have discovered more than 45 million medical images exposed online that include personally identifiable information.
Detailed today by researchers at CybelAngel, the images were found as part of a six-month investigation of data storage systems used by healthcare organizations, which included scanning 4.3 billion IP addresses for insecure services. The investigation specifically targeted network-attached storage and Digital Imaging and Communications in Medicine (DICOM), the latter a de facto standard used by healthcare professionals to send and receive medical data.
The more than 45 million medical images were found on 2,140 unprotected servers across 67 countries including the U.S., the U.K. and Germany. The images typically included 200 lines of metadata per record, and involved personally identifiable information such as name, address and birthdate along with protected health information such as height, weight and diagnosis — all exposed online without the need for a username or password.
“The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files,” said David Sygula, senior cybersecurity analyst at CybelAngel and an author of the report. “This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”
Trevor Morgan, product manager with data security specialists comforte AG, told SiliconANGLE that the leak points up a key issue: Sensitive information doesn’t just encompass financial data but also other, more personal types of personally identifiable information.
“Some of the most sensitive data people and enterprises own is information about their medical health and well-being,” Morgan said. “This PHI is clearly addressed in many privacy regulations, so organizations that handle, process and store this data need to find the most effective ways to prevent leaks from compromising the subjects of this sensitive information.”
Josh Bohls, chief executive officer of secure content capture firm Inkscreen LLC, noted that the leak also shows how “toothless” the U.S. health regulations are and how lax healthcare providers have become when storing patient data. “This should serve as a wakeup call for providers to take a fresh look at how they process, maintain and safeguard patient-identifiable photos,” he said.