1. Extra Categories
  2. Editor's Pick
December 15, 2020updated 17 Dec 2020 10:37am

Over 45 million medical images exposed by healthcare organisations

By Robert Scammell

Cybersecurity researchers have discovered more than 45 million medical images, including X-rays and CT scans, exposed online without encryption or password protection.

Each freely accessible medical image file is linked to up to 200 lines of metadata, which include personally identifiable information such as name, address and birth date.

Images were also tied to sensitive personal healthcare information including diagnosis, height and weight. The researchers warn that this “highly personal” data could end up in the hands of cybercriminals via the dark web, possibly leading to fraud, extortion or ransomware.

During a six-month investigation into the data storage systems used by healthcare organisations, digital risk firm CybelAngel scanned approximately 4.3 billion IP addresses for insecure servers.

The company discovered more than 2,140 unprotected healthcare servers spread across 67 countries, including the US, UK and Germany.

In some cases, healthcare portals could be accessed without entering a username or password.

“The fact that we did not use any hacking tools throughout our research, highlights the ease with which we were able to discover and access these files,” said David Sygula, senior cybersecurity analyst at CybelAngel and one of the researchers who discovered the medical images.

Medical images exposed: A long-running problem

CybelAngel focused their investigation on network-attached storage servers and Digital Imaging and Communications in Medicine, the standard used by healthcare professionals for managing medical imaging data.

The medical images exposure was not caused by a singular organisation or IT system, but rather by widespread security “gaps” and poor data practices. As such, it was not possible for CybelAngel to contact every organisation that was leaking medical images.

Todd Carroll, CybelAngel CISO, said: “Medical centres work with a vast, interconnected web of third-party providers and the cloud is an essential platform for sharing and storing data. However, gaps in security, such as this, present a huge risk, both for the individuals whose data is compromised and the healthcare institutions that are governed by regulations to protect patients’ data.

“The health sector has faced unprecedented challenges this year, however the security and privacy of their patients’ most personal records must be protected, to prevent highly confidential data falling into the wrong hands.”

It is not the first time researchers have uncovered hordes of unprotected medical images. In January this year, Germany-based security firm Greenbone Networks discovered more than a billion medical images available on an insecure storage system for anyone to access.

Healthcare organisations exposing medical images are liable for sanctions under data protection laws. Under GDPR, health data is deemed a ‘special category’, which means organisations storing it must carry out a data protection impact assessment.

“This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals,” added Sygula.

“A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”

Read more: Vaccine documents hacked in European Medicines Agency cyberattack


Verdict deals analysis methodology

This analysis considers only announced and completed artificial intelligence deals from the GlobalData financial deals database and excludes all terminated and rumoured deals. Country and industry are defined according to the headquarters and dominant industry of the target firm. The term ‘acquisition’ refers to both completed deals and those in the bidding stage.

GlobalData tracks real-time data concerning all merger and acquisition, private equity/venture capital and asset transaction activity around the world from thousands of company websites and other reliable sources.

More in-depth reports and analysis on all reported deals are available for subscribers to GlobalData’s deals database.

Topics in this article: ,