Millions of medical images openly available online

The analyst team at digital risk protection firm CybelAngel has discovered that more than 45 million medical imaging files, including X-rays and CT scans, are freely accessible on unprotected servers.

The findings are the result of a six-month investigation into Network Attached Storage (NAS) and Digital Imaging and Communications in Medicine (DICOM), the de facto standard used by healthcare professionals to send and receive medical data.

Analysts have discovered millions of sensitive images, including personal healthcare information (PHI), available unencrypted and without password protection. Openly available medical images, with up to 200 lines of metadata per record which included PII (personally identifiable information; name, birth date, address, etc.) and PHI (height, weight, diagnosis, etc.), could be accessed without the need for a username or password. In some instances login portals accepted blank usernames and passwords.

"The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files," says David Sygula, senior cybersecurity analyst at CybelAngel and author of the report. "This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach."

This type of information fetches a premium on the dark web, making fraud a particular risk. In addition healthcare providers are also liable to sanctions under regulations such as GDPR in Europe, and HIPAA in the US, for breaches of sensitive patient information.

You can get the full report on the CybelAngel site.

Image Credit: Rob Hyron / Shutterstock