Security researchers have observed the presence of unprotected servers worldwide that store more than 45 million medical imaging files, including X-rays, CT scans, and the personal healthcare information of millions.
Researchers at digital risk protection firm CybelAngel discovered more than 2,140 servers that lacked password protection and together stored more than 45 million medical imaging files, exposing very sensitive healthcare data belonging to millions of people to anyone who found them.
The discovery came after the researchers decided to look into Network Attached Storage (NAS) devices and Digital Imaging and Communications in Medicine (DICOM), the de facto standard healthcare professionals use to send and receive medical imaging data.
The researchers found that the unprotected servers also held up to 200 lines of metadata per record, including PII (personally identifiable information such as name, birth date and address) and personal healthcare information such as height, weight and diagnosis, for millions of people in 67 countries.
“The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files,” said David Sygula, Senior Cybersecurity Analyst at CybelAngel.
“This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”
According to CybelAngel, healthcare organisations must enforce strong security policies to ensure that access controls are maintained over ad hoc NAS devices and file-sharing applications at all times. Organisations must also ensure proper network segmentation of connected medical imaging equipment to minimise the exposure of critical diagnostic equipment and supporting systems to wider business or public networks.
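As an added illustration of the metadata exposure described above (example code, not from the article or from CybelAngel): a minimal walker for a DICOM dataset in explicit VR little endian that reports which patient-identifying attributes a stored file carries and re-encodes it with those values emptied, so a defender can audit what a share would leak before it is exposed. It assumes a bare dataset without the 128-byte preamble and file meta header, covers only a handful of tags rather than full PS3.15 de-identification, and uses a constructed sample record.

```python
import struct

# Patient-identifying DICOM attributes (group, element) -> keyword: the kind of
# metadata the article says sat beside the images on the exposed servers.
PII_TAGS = {(0x0010, 0x0010): "PatientName", (0x0010, 0x0030): "PatientBirthDate",
            (0x0010, 0x1030): "PatientWeight", (0x0010, 0x1040): "PatientAddress"}
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # 2 reserved bytes + 4-byte length

def encode_element(group, elem, vr, value):
    """Serialise one element as explicit VR little endian (values padded to even length)."""
    if len(value) % 2:
        value += b"\x00" if vr in LONG_VRS else b" "
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value

def iter_elements(data):
    """Yield (tag, vr, value) for each top-level element of an explicit-VR-LE dataset."""
    pos = 0
    while pos + 8 <= len(data):
        tag, vr = struct.unpack_from("<HH", data, pos), data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            length, pos = struct.unpack_from("<I", data, pos + 8)[0], pos + 12
        else:
            length, pos = struct.unpack_from("<H", data, pos + 6)[0], pos + 8
        yield tag, vr, data[pos:pos + length]
        pos += length

def find_pii(data):
    """Return {keyword: value} for every populated patient-identifying element."""
    return {PII_TAGS[tag]: value.decode("ascii", "replace").strip(" \x00")
            for tag, _vr, value in iter_elements(data)
            if tag in PII_TAGS and value.strip(b" \x00")}

def redact_pii(data):
    """Re-encode the dataset with patient-identifying values emptied; pixel data is kept."""
    return b"".join(encode_element(*tag, vr, b"" if tag in PII_TAGS else value)
                    for tag, vr, value in iter_elements(data))

# Constructed sample dataset (not a real record): a CT header plus a tiny pixel payload.
SAMPLE = b"".join([
    encode_element(0x0008, 0x0060, b"CS", b"CT"),
    encode_element(0x0010, 0x0010, b"PN", b"DOE^JANE"),
    encode_element(0x0010, 0x0030, b"DA", b"19700101"),
    encode_element(0x0010, 0x1030, b"DS", b"70.5"),
    encode_element(0x0010, 0x1040, b"LO", b"1 EXAMPLE ST"),
    encode_element(0x7FE0, 0x0010, b"OB", b"\x00\x01\x02\x03"),
])
```

Running `find_pii(SAMPLE)` shows exactly the name, birth date, weight and address an unprotected copy of this file would disclose; `find_pii(redact_pii(SAMPLE))` is empty while the pixel data survives.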
“Medical centers work with a vast, interconnected web of third-party providers and the cloud is an essential platform for sharing and storing data. However, gaps in security, such as this, present a huge risk, both for the individuals whose data is compromised and the healthcare institutions that are governed by regulations to protect patients’ data,” says Todd Carroll, CybelAngel CISO.
“The health sector has faced unprecedented challenges this year; however, the security and privacy of their patients’ most personal records must be protected, to prevent highly confidential data falling into the wrong hands.”
This is not the first time that sensitive healthcare records have been exposed, whether through storage on unprotected servers or through uncontrolled sharing by healthcare personnel. According to the HIPAA Journal, by October last year over 400 healthcare data breaches had taken place in the United States, resulting in the exposure, theft or loss of over 38 million healthcare records, more than the number of records compromised in the previous three years combined.
In September, COVID-19 test results and personal data of 10,000 Delaware residents were leaked after an employee at the Delaware Division of Public Health emailed their test results to an unauthorised third party who then reported the breach to authorities.
Last year, American real estate insurance giant First American exposed approximately 885 million data records on its website that could be accessed by anyone without clearing authentication checks.
First reported by security researcher Brian Krebs, the massive data exposure included digitised records dating back to 2003 and contained vast amounts of personal data, including Social Security numbers, bank account numbers and statements, mortgage and tax records, wire transaction receipts, and driver's license images.
These digital records were stored on the website of First American and could be accessed by anyone with a link to individual data records. Each document was stored under a web link with a nine-digit reference number and by changing a single digit on such links, visitors could access multiple digitised documents.
The earliest document available on the First American website dated back to 2003 and in all, Krebs observed approximately 85 million documents containing Social Security numbers, driver's licenses, account statements and other records that customers had provided to First American in order to obtain title insurance.