Update Issued on Unsecured PACS as Exposed Medical Image Total Rises to 1.19 Billion

It has been 60 days since Greenbone Networks reported on the mass exposure of medical images on unsecured Picture Archiving and Communication Systems (PACS). In an updated report, the German vulnerability analysis and management platform provider has revealed the problem is getting worse, not better.

Picture Archiving and Communication Systems (PACS) servers are extensively used by healthcare providers for archiving medical images and sharing those images with physicians for review, yet many healthcare providers are not ensuring their PACS servers have appropriate security. Consequently, medical images (X-Ray, MRI, CT Scans), along with personally identifiable patient information, are being exposed over the Internet. Anyone who knows where to look and how to search for the files can find them, view them and, in many cases, download the images without any authentication required. The images are accessible not because of software vulnerabilities, but because of the misconfiguration of infrastructure and PACS servers.

Between July and September 2019, Greenbone Networks conducted an analysis to identify unsecured PACS servers around the globe. The study shed light on the scale of the problem. In the United States, 13.7 million data sets were found on unsecured PACS servers, which included 303.1 million medical images of which 45.8 million were accessible. The discovery was widely reported in the media at the time, and now further information on the scale of the problem has been released.

On Monday, November 18, Greenbone Networks issued an updated report that shows globally, 1.19 billion medical images have now been identified, increasing the previous total of 737 million by 60%. The results of 35 million medical examinations are online, up from 24 million.

In the United States, the researchers found 21.8 million medical examinations and 786 million medical images. 114.5 million of those images were accessible and there are 15 systems that allow unprotected Web/FTP access and directory listing. In one PACS alone, the researchers found 1.2 million examinations and 61 million medical images. The researchers had full access to the data, which included the images and associated personally identifiable information. Greenbone Networks has confirmed that in the 24 hours prior to publication of its latest report, data access was still possible. “For most of the systems we scrutinized, we had – and still have – continued access to the personal health information,” explained Greenbone Networks CMS, Dirk Schrader.

Exposed Medical Images on PACS Servers. Source: Greenbone Networks

Earlier in November, Sen. Mark R. Warner wrote to HHS’ Office for Civil Rights Director, Roger Severino, expressing concern over the apparent lack of action from OCR over the exposed files. Far from the situation improving following the announcement about the exposed data, it appears that very little is being done to secure the PACS servers and stop further data exposure.

The types of information in the images, which are classed as Protected Health Information (PHI) under HIPAA, include names, dates of birth, examination dates, scope of the investigations, imaging procedures performed, attending physicians’ names, location of scan, number of images and, for 75% of the images, Social Security numbers.

The exposure of this data places patients at risk of identity theft and fraud, although there are other risks. Previously, security researchers have shown that flaws in the DICOM image format allow the insertion of malicious code. Images could therefore be downloaded, have malicious code inserted, and be uploaded back to the PACS. This could all be done without the knowledge of the data owner. For the purpose of the study, Greenbone Networks only investigated reading access, not image manipulation and upload.

Images were accessed and viewed using the RadiAnt DICOM Viewer. Instructions on configuration to view images using the RadiAnt DICOM Viewer are freely available online, as are the viewer and the list of IPs where the images are stored.

Greenbone Networks estimates that the exposed medical images and PHI have a value in excess of $1 billion. The data could be used for a variety of nefarious purposes including identity theft, social engineering and phishing, and blackmail.

The exposure of the data is in violation of the Health Insurance Portability and Accountability Act (HIPAA), the EU’s General Data Protection Regulation (GDPR), and many other data privacy and security laws. The data relates to more individuals in more than 52 countries.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.