Medical records belonging to millions of patients across the world, including echocardiograms and X-rays, are stored on insecure servers that did not have basic security precautions in place, a new investigation by ProPublica has found.
The report builds on earlier work by Greenbone Networks, which found more than 24 million patient records linked to over 700 million images, some 400 million of which were “actually downloadable”, on systems located in 52 countries.
“Data from more than 13.7 million medical tests in the US were available online, including more than 400,000 in which X-rays and other images could be downloaded,” the report said.
The investigation, published by the investigative journalism non-profit together with German broadcaster Bayerischer Rundfunk, identified 187 unprotected servers in the US and five in Germany hosting sensitive data such as patient records, dates of birth, treating physicians and the procedures performed.
Most of the cases of unprotected data unearthed involved independent radiologists, medical imaging centers or archiving services.
“All told, medical data from more than 16 million scans worldwide was available online, including names, birthdates and, in some cases, Social Security numbers,” ProPublica said in its report.
Although some of the providers tightened their security after being notified, the exposure of such data has lasting consequences: unlike a password, a diagnosis, a date of birth or a Social Security number cannot be changed once it has leaked, so the heightened risk of identity and data theft persists. Leaving such data reachable without authentication also violates the EU's GDPR and HIPAA in the US, both of which require health care providers to keep patient data confidential and secure.
According to the report, the Medical Imaging & Technology Alliance (MITA), which oversees DICOM, the standard governing how medical imaging devices talk to each other and share information, acknowledged the problem of unprotected servers but “suggested the blame lay with the people who were running them.” There is some substance to that position: DICOM itself mandates no authentication, so whether a server answers only known application entities, only from trusted networks, or over TLS at all depends entirely on how its operator configures and deploys it.
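The check a practitioner would want, given the above, is whether a particular imaging server accepts a DICOM association from a caller it has no reason to trust. The following is an added example written for this article, not code from ProPublica, Bayerischer Rundfunk or Greenbone, and it does not claim to reproduce their method. It hand-builds the DICOM upper-layer A-ASSOCIATE-RQ that every C-ECHO begins with, sends it with an arbitrary calling AE title (the titles "PROBE" and "ANY-SCP" and the implementation UID "1.2.3.4.5.6.7.8.9" are placeholders, not values from the page), and classifies the server's A-ASSOCIATE-AC, A-ASSOCIATE-RJ or A-ABORT reply. The two `sample_*` functions are constructed replies for offline use, not captured traffic.

```python
"""Probe a DICOM service for an association from an arbitrary caller.
Added example for this article, not code from ProPublica, Bayerischer Rundfunk
or Greenbone; the AE titles and implementation UID below are placeholders.
Only probe systems you are authorised to test."""
import socket
import struct

APP_CONTEXT_UID = "1.2.840.10008.3.1.1.1"   # DICOM application context name
VERIFICATION_SOP_UID = "1.2.840.10008.1.1"  # Verification SOP class (C-ECHO)
IMPLICIT_VR_LE_UID = "1.2.840.10008.1.2"    # Implicit VR little endian transfer syntax
IMPL_CLASS_UID = "1.2.3.4.5.6.7.8.9"        # placeholder implementation UID (assumption)
PDU_ASSOCIATE_RQ, PDU_ASSOCIATE_AC, PDU_ASSOCIATE_RJ = 0x01, 0x02, 0x03
PDU_RELEASE_RQ, PDU_ABORT = 0x05, 0x07

def item(item_type: int, payload: bytes) -> bytes:
    """Variable item: type, reserved byte, 16-bit big-endian length, payload."""
    return bytes([item_type, 0]) + struct.pack(">H", len(payload)) + payload

def pdu(pdu_type: int, payload: bytes) -> bytes:
    """PDU: type, reserved byte, 32-bit big-endian length, payload."""
    return bytes([pdu_type, 0]) + struct.pack(">I", len(payload)) + payload

def ae_title(title: str) -> bytes:
    """AE titles are 16 bytes, space padded."""
    return title.encode("ascii")[:16].ljust(16)

def associate_header(called_ae: str, calling_ae: str) -> bytes:
    """Fixed 68-byte part shared by A-ASSOCIATE-RQ and -AC: version, AE titles, reserved."""
    return struct.pack(">H", 1) + b"\x00\x00" + ae_title(called_ae) + ae_title(calling_ae) + bytes(32)

def build_associate_rq(called_ae: str, calling_ae: str) -> bytes:
    """A-ASSOCIATE-RQ proposing one context: Verification over Implicit VR LE."""
    presentation_ctx = item(0x20, bytes([1, 0, 0, 0])            # context id 1 + 3 reserved
                            + item(0x30, VERIFICATION_SOP_UID.encode())
                            + item(0x40, IMPLICIT_VR_LE_UID.encode()))
    user_info = item(0x50, item(0x51, struct.pack(">I", 16384))   # max PDU length we accept
                     + item(0x52, IMPL_CLASS_UID.encode()))
    body = (associate_header(called_ae, calling_ae)
            + item(0x10, APP_CONTEXT_UID.encode()) + presentation_ctx + user_info)
    return pdu(PDU_ASSOCIATE_RQ, body)

def classify_response(data: bytes) -> dict:
    """Interpret the first PDU a server returns in answer to an A-ASSOCIATE-RQ."""
    if len(data) < 6:
        return {"verdict": "no-response", "detail": "short read"}
    pdu_type = data[0]
    body = data[6:6 + struct.unpack(">I", data[2:6])[0]]
    if pdu_type == PDU_ASSOCIATE_RJ and len(body) >= 4:
        return {"verdict": "rejected",
                "detail": f"result={body[1]} source={body[2]} reason={body[3]}"}
    if pdu_type == PDU_ABORT:
        return {"verdict": "aborted", "detail": "A-ABORT before association"}
    if pdu_type != PDU_ASSOCIATE_AC:
        return {"verdict": "unknown", "detail": f"pdu type 0x{pdu_type:02x}"}
    # After the 68-byte header the AC carries items; the third payload byte of each
    # 0x21 item is that context's result (0 = accepted, 3 = abstract syntax unsupported, ...).
    offset, accepted = 68, False
    while offset + 4 <= len(body):
        length = struct.unpack(">H", body[offset + 2:offset + 4])[0]
        payload = body[offset + 4:offset + 4 + length]
        if body[offset] == 0x21 and len(payload) >= 3 and payload[2] == 0:
            accepted = True
        offset += 4 + length
    if accepted:
        return {"verdict": "open", "detail": "association and Verification context accepted"}
    return {"verdict": "associated-but-refused", "detail": "no presentation context accepted"}

def recv_pdu(sock: socket.socket) -> bytes:
    """Read until at least one whole PDU (6-byte header plus announced length) is in."""
    buf = b""
    while len(buf) < 6 or len(buf) < 6 + struct.unpack(">I", buf[2:6])[0]:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def probe(host: str, port: int = 104, called_ae: str = "ANY-SCP",
          calling_ae: str = "PROBE", timeout: float = 5.0) -> dict:
    """Connect, send the A-ASSOCIATE-RQ, classify the reply, release if accepted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(called_ae, calling_ae))
        result = classify_response(recv_pdu(sock))
        if result["verdict"] == "open":
            sock.sendall(pdu(PDU_RELEASE_RQ, bytes(4)))
    return result

# Constructed server replies for offline use; not captured from any real system.
def sample_accept_response(context_result: int = 0) -> bytes:
    """A-ASSOCIATE-AC as a permissive server answers (context_result 0 = accepted)."""
    ctx = item(0x21, bytes([1, 0, context_result, 0]) + item(0x40, IMPLICIT_VR_LE_UID.encode()))
    body = (associate_header("PACS", "PROBE") + item(0x10, APP_CONTEXT_UID.encode()) + ctx
            + item(0x50, item(0x51, struct.pack(">I", 16384))))
    return pdu(PDU_ASSOCIATE_AC, body)

def sample_reject_response() -> bytes:
    """A-ASSOCIATE-RJ: result 1 (permanent), source 1 (service user), reason 3 (calling AE not recognised)."""
    return pdu(PDU_ASSOCIATE_RJ, bytes([0, 1, 1, 3]))
```

A verdict of `open` means the server accepted an association and the Verification context from a caller it had no reason to trust, which is the configuration the investigation describes; whether it will also answer C-FIND or C-MOVE, and hence whether studies are actually retrievable, is a separate question that needs further authorised testing. An A-ASSOCIATE-RJ with source 1 and reason 3 (calling AE title not recognised) or 7 (called AE title not recognised) is what a correctly allowlisted server returns, and a server that only listens on a segmented network or behind TLS will not get this far at all.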
That medical data is open for any threat actor to access should come as no surprise. The casual handling of personal health data, coupled with the proliferation of medical trackers and connected devices, has enabled companies to amass medical information on a scale that was previously unimaginable, making it a lucrative target for cybercriminals.
US health insurance provider Anthem last year agreed to a $16 million settlement with the federal government after a 2015 breach of its servers let hackers steal the personal information of nearly 79 million individuals.
Given the permanence of medical information and the frequency of data theft, the need for proactive monitoring and effective measures to combat security threats cannot be overstated.
Securing medical data also requires standards for how it is collected and shared, so that health data is “properly protected while allowing the flow of health information needed to provide and promote high quality health care.”
Recently Apple, Google, Amazon, and Microsoft joined with some of the biggest health insurers and hospitals in the US for a new standard to share health claims data, which includes tests, doctors’ visits and medical procedures.
The fact that a market for medical data exists should push healthcare institutions to invest not only in data backups, which guard against loss rather than disclosure, but in access controls for the systems that hold patient data and in regular audits of which of those systems are reachable from the internet, so that critical systems aren’t open to abuse by threat actors. One can only hope that companies handling medical data are taking notice and will update their practices before it’s too late.