
Millions of people’s MRIs, X-rays, and CT scans are easily accessible online

Servers containing sensitive medical data — including X-rays, CT scans, and MRIs — are unprotected in doctors’ offices, imaging centers, and archiving services all over the world. Records for at least 5 million U.S. patients are available online, according to an investigation by ProPublica and German public broadcaster Bayerischer Rundfunk.

Reporters found 187 servers in the U.S. with no passwords or other access controls, leaving them open to anyone with off-the-shelf software or, in some cases, a basic web search. The scans contained not only medical information but, in some cases, birth dates and Social Security numbers. The Health Insurance Portability and Accountability Act (HIPAA) requires that medical data be kept private, and failing to secure these images may violate that law.

An industry group of radiologists and device makers created the Digital Imaging and Communications in Medicine (DICOM) standard in 1985; it lays out how medical images are handled, stored, printed, and transmitted. Devices were already in hospitals and clinics before the standard’s security measures were added, some hospitals may never have changed their configurations after those measures were released, and vendors continued to sell devices without built-in security. “Nobody ever tried to connect all these pieces together, and that’s how the whole problem happened,” Dr. Oleg Pianykh, an assistant professor of radiology and the director of medical analytics at Massachusetts General Hospital, told Digital Trends.

Pianykh has been tracking the problem for years. In 2016, he found 2,774 unprotected radiology or DICOM servers and published the results in a research paper. “The reason we were able to connect to those DICOM devices was because the fundamental network security was missing,” he said.

Large hospitals have fully staffed IT departments, but Pianykh said smaller offices and centers may outsource their IT needs to companies unfamiliar with medical privacy standards. They may assume the devices have built-in protections. “What happens is that they just buy some kind of medical device and keep all the default settings and keep the network wide open,” said Pianykh. “And that’s it. That’s the breach.”

As a baseline, any provider handling medical data needs to have its own secured network, Pianykh said. Otherwise, he said, securing individual devices is like locking up the jewelry in your home while leaving the front door unlocked: the thieves will just steal something else.
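
The “default settings” problem in the two paragraphs above can be checked directly, because the only caller restriction most DICOM servers offer is an allowlist of calling AE titles. The following is an added example, not code from the article, from ProPublica, or from any vendor: it builds the A-ASSOCIATE-RQ that opens a DICOM association for the Verification service (the C-ECHO “ping”), classifies the server’s reply, and includes constructed sample replies so it runs offline. The AE titles, port, implementation UID and sample PDUs are assumptions; `probe` is only for systems you are authorized to test.

```python
"""Added example (not from the article or any vendor): build a minimal DICOM
A-ASSOCIATE-RQ for the Verification service and classify the server's reply.
A server that accepts an association from a calling AE title it has never
heard of is the "default settings, network wide open" case. Layouts follow
DICOM PS3.8; AE titles, port, implementation UID and sample replies are assumed."""
import socket
import struct

APP_CONTEXT = b"1.2.840.10008.3.1.1.1"   # DICOM Application Context Name
VERIFICATION_SOP = b"1.2.840.10008.1.1"  # Verification SOP Class (C-ECHO)
IMPLICIT_VR_LE = b"1.2.840.10008.1.2"    # Implicit VR Little Endian transfer syntax
IMPL_CLASS_UID = b"1.2.826.0.1.3680043.9.9999.1"  # placeholder implementation UID (assumption)

# Service-user rejection diagnostics (source 1), PS3.8 table 9-21.
RJ_REASON = {
    (1, 1): "no reason given",
    (1, 2): "application context name not supported",
    (1, 3): "calling AE title not recognized",
    (1, 7): "called AE title not recognized",
}

def _item(item_type: int, payload: bytes) -> bytes:
    """PS3.8 item / sub-item: type, reserved byte, big-endian 2-byte length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload

def build_associate_rq(called_ae: str, calling_ae: str, max_pdu: int = 16384) -> bytes:
    """A-ASSOCIATE-RQ proposing one presentation context: Verification over Implicit VR LE."""
    pres_ctx = _item(0x20, bytes([1, 0, 0, 0])            # context ID 1 + three reserved bytes
                     + _item(0x30, VERIFICATION_SOP)      # abstract syntax
                     + _item(0x40, IMPLICIT_VR_LE))       # transfer syntax
    user_info = _item(0x50, _item(0x51, struct.pack(">I", max_pdu))  # max PDU length we accept
                      + _item(0x52, IMPL_CLASS_UID))                  # required implementation UID
    body = (struct.pack(">HH", 1, 0)                      # protocol version 1, reserved
            + called_ae.encode("ascii").ljust(16)[:16]    # AE titles: 16 bytes, space padded
            + calling_ae.encode("ascii").ljust(16)[:16]
            + bytes(32)                                   # reserved
            + _item(0x10, APP_CONTEXT) + pres_ctx + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body

def _presentation_results(items: bytes):
    """Yield the result/reason byte of every Presentation Context item (0x21) in an AC."""
    pos = 0
    while pos + 4 <= len(items):
        item_type, _, ilen = struct.unpack(">BBH", items[pos:pos + 4])
        if item_type == 0x21 and ilen >= 4:
            yield items[pos + 6]        # ID, reserved, result/reason, reserved
        pos += 4 + ilen

def classify_response(pdu: bytes) -> dict:
    """Interpret the first PDU a server returns after our A-ASSOCIATE-RQ."""
    if len(pdu) < 6:
        return {"outcome": "malformed", "detail": "short PDU"}
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    if pdu_type == 0x02:                                  # A-ASSOCIATE-AC: 68 fixed bytes, then items
        if any(r == 0 for r in _presentation_results(pdu[74:6 + length])):
            return {"outcome": "accepted",
                    "detail": "association and Verification accepted from an arbitrary calling AE title"}
        return {"outcome": "accepted-without-verification",
                "detail": "association accepted but every proposed context was refused"}
    if pdu_type == 0x03 and len(pdu) >= 10:               # A-ASSOCIATE-RJ
        _, result, source, reason = pdu[6:10]
        return {"outcome": "rejected", "permanent": result == 1,
                "detail": RJ_REASON.get((source, reason), f"source {source}, reason {reason}")}
    if pdu_type == 0x07:                                  # A-ABORT
        return {"outcome": "aborted", "detail": "peer aborted the association"}
    return {"outcome": "malformed", "detail": f"unexpected PDU type {pdu_type:#04x}"}

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-PDU")
        buf += chunk
    return buf

def probe(host: str, port: int = 104, called_ae: str = "ANY-SCP",
          calling_ae: str = "AUDIT", timeout: float = 5.0) -> dict:
    """Live check against a host you are authorized to test; reads one reply PDU, then aborts."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_associate_rq(called_ae, calling_ae))
        header = _recv_exact(s, 6)
        reply = header + _recv_exact(s, struct.unpack(">BBI", header)[2])
        s.sendall(struct.pack(">BBI", 0x07, 0, 4) + bytes(4))   # A-ABORT, source = service-user
    return classify_response(reply)

def sample_ac(result: int) -> bytes:
    """Constructed (not captured) A-ASSOCIATE-AC answering context 1 with the given result code."""
    pres = _item(0x21, bytes([1, 0, result, 0]) + _item(0x40, IMPLICIT_VR_LE))
    user = _item(0x50, _item(0x51, struct.pack(">I", 16384)) + _item(0x52, IMPL_CLASS_UID))
    body = struct.pack(">HH", 1, 0) + bytes(64) + _item(0x10, APP_CONTEXT) + pres + user
    return struct.pack(">BBI", 0x02, 0, len(body)) + body

def sample_rj(source: int, reason: int) -> bytes:
    """Constructed A-ASSOCIATE-RJ: permanent rejection with the given source/reason."""
    return struct.pack(">BBI", 0x03, 0, 4) + bytes([0, 1, source, reason])
```

`classify_response(sample_ac(0))` is the open-by-default case and `classify_response(sample_rj(1, 3))` is a server with a calling-AE allowlist; `probe("pacs.example.internal")` runs the same exchange against a live host. An `accepted` reply from a calling title the server has no reason to know means anyone who can reach the port can open an association, and that same path carries the C-FIND and C-MOVE requests that retrieve studies. An AE-title allowlist is itself a weak control, since titles travel in the clear and are easily guessed, which is why the network-level baseline above matters more than any per-device setting.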

In one case, a Denver-based archival service, Offsite Image, had more than 340,000 exposed records, including some from veterinarians as well as physicians. Its tech consultant, Matthew Nelms, said the company fixed its servers after ProPublica alerted him to the issue. “We were just never even aware that there was a possibility that could even happen,” he said.

The Medical Imaging & Technology Alliance, which oversees DICOM, said the standard’s security provisions are adequate but suggested that individual offices and centers are responsible for putting them into practice. “Proper security, however, requires more than just technical measures,” the alliance said in a statement. “It requires the implementation of institutional plans and policies to address various aspects of security (for example: infrastructure, device configuration, procedures, policies, training, auditing, and oversight).”

“You cannot just delegate to people, particularly physicians or patients, and tell them ‘Okay, well, go and take care of that,’” said Pianykh. Many will follow through, but some will not. Instead, he sees the need for a proactive approach: an agency that regularly scans for these issues and contacts the offices, cloud providers, or other entities that lack proper security. “The magnitude of this problem is monumental,” he said. “It’s beyond the scope of a single person doing some kind of single scan.”

Update 9/18: Added additional comments from Dr. Oleg Pianykh.

Correction: An earlier version of this story misspelled Dr. Pianykh’s name.

Jenny McGrath
Former Digital Trends Contributor