It turns out that anyone with basic computing skills and an internet connection can access millions of private medical images and data from Americans — such as MRIs, X-rays and CT scans — as well as a buffet of valuable private info, according to a disturbing report from ProPublica.
The gist is that as the medical community moved from analogue to digital methods of sharing test results, security practices lagged behind. Unlike data breaches in other industries, where attackers exploit flaws in a company’s security practices, here many digital medical records systems don’t even require a password. That means you don’t need any special hacking software to peep at millions of medical test results. All you need is to know where to look, and an internet browser.
In its investigation, ProPublica worked with German security firm Greenbone Networks, and journalists from German broadcaster Bayerischer Rundfunk. It ultimately identified 187 servers in the U.S. that lacked passwords or basic security precautions.
In total, the data from more than 16 million medical scans worldwide are available online. What’s worse is that on top of private medical images, the scans include sensitive information such as names, birthdates and in some cases, Social Security numbers.
One issue is that it’s unclear exactly who is at fault, and many of the parties involved seem to think securing the data is someone else’s responsibility. The U.S. Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to “assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care.” Among its provisions is a requirement that standards be publicised for the “electronic exchange, privacy and security of health information.”
That would appear to put the onus on health care providers and the services they use. However, the report found companies creating medical imaging software and medical device makers assumed their customers — health providers — would be in charge of securing data.
At the same time, while large hospital chains and academic medical centres did, in fact, implement security standards, ProPublica discovered this was not the case for many independent radiologists, medical imaging centres, or archiving services. It contacted the Medical Imaging & Technology Alliance, the group that oversees the DICOM communication standard used by medical imaging devices, but the group pointed the finger at those in charge of maintaining the servers where the data is stored.
Likewise, the report found the government doesn’t do a great job of punishing companies for patient privacy breaches, citing that in April, the U.S. Department of Health and Human Services lowered the maximum fine from $US1.5 ($2) million to $US250,000 ($364,093) for “corrected wilful neglect.”
Some of the health care providers ProPublica reached out to have since beefed up their security. Thankfully, the report found no instances of malicious actors accessing these vulnerable medical images and publishing them elsewhere. That said, the potential for abuse is terrifying. Usually, data breaches involve identifying information such as emails, passwords and phone numbers.
That’s bad enough, but leaked medical data also has the potential to publicise the private details of a person’s health. Such information could easily be used to embarrass, blackmail, or encourage discrimination. Unfortunately, this isn’t even the first reported instance of widespread carelessness with regard to medical records.
In April, the medical files of 145,000 rehab patients were leaked online, unnecessarily putting people who sought help at risk of social stigma. Likewise, in 2017, tens of thousands of medical records belonging to patients at Bronx-Lebanon Hospital Centre in New York were stored on insecure servers run by a third-party IT service.
At the moment there’s not much an individual can do, as fixing the problem requires a concerted effort from American medical manufacturers, providers, the U.S. government, and standards makers.