Millions of people’s MRIs, X-rays, and CT scans are easily accessible online

Servers containing sensitive medical data — including X-rays, CT scans, and MRIs — are unprotected in doctors’ offices, imaging centers, and archiving services all over the world. Records for at least 5 million U.S. patients are available online, according to an investigation by ProPublica and German public broadcaster Bayerischer Rundfunk.

Reporters found 187 servers in the U.S. without passwords and other security protocols, leaving them open to access via software or basic web searches. The scans contained not only medical information but birthdates and social security numbers, in some cases. The Health Insurance Portability and Accountability Act (HIPAA) requires medical data be kept private, and failing to keep these images secure may violate that law.  

An industry group of radiologists and device makers created the Digital Imaging and Communications in Medicine (DICOM) standard in 1985; it lays out how medical imaging is handled, stored, printed, and transmitted. Before its security measures were standardized, devices that didn’t meet them were already showing up in hospitals and clinics. Some hospitals may never have made changes after DICOM’s security measures were released, and vendors continued to sell devices without built-in security. “Nobody ever tried to connect all these pieces together, and that’s how the whole problem happened,” Dr. Oleg Pianykh, an assistant professor of radiology and the director of medical analytics at Massachusetts General Hospital, told Digital Trends.

Pianykh has been tracking the problem for years. In 2016, he discovered 2,774 unprotected radiology or DICOM servers and published the results in a research paper. “The reason we were able to be able to connect to those DICOM devices was because the fundamental network security was missing,” he said.  

Large hospitals have fully staffed IT departments, but Pianykh said smaller offices and centers may outsource their IT needs to companies unfamiliar with medical privacy standards. They may assume the devices have built-in protections. “What happens is that they just buy some kind of medical device and keep all the default settings and keep the network wide open,” said Pianykh. “And that’s it. That’s the breach.”

As a baseline, any provider handling medical data needs to have its own secured network, Pianykh said. Otherwise, he compares securing individual devices to locking up the jewelry in your home while leaving the front door unlocked. The thieves will just steal something else. 

In one case, a Denver-based archival service, Offsite Image, had over 340,000 records that were vulnerable, including some from both human doctors and veterinarians. Its tech consultant, Matthew Nelms, said the company fixed its servers after ProPublica alerted him to the issue. “We were just never even aware that there was a possibility that could even happen,” he said.

The Medical Imaging & Technology Alliance, which oversees DICOM, claims the security standards are adequate but seemed to suggest individual offices and centers are responsible for seeing them through. “Proper security, however, requires more than just technical measures,” the alliance said in a statement. “It requires the implementation of institutional plans and policies to address various aspects of security (for example: infrastructure, device configuration, procedures, policies, training, auditing, and oversight).”

“You cannot just delegate to people, particularly physicians or patients, and tell them ‘Okay, well, go and take care of that,’” said Pianykh. Many will follow through, but some will not. Instead, he sees the need for a proactive approach, an agency that regularly scans for these issues and reaches out to the offices, cloud providers, or other entities who don’t have proper security in place. “The magnitude of this problem is monumental,” he said. “It’s beyond the scope of a single person doing some kind of single scan.” 

Update 9/18: Added additional comments from Dr. Oleg Pianykh.

Correction: An earlier version of this story misspelled Dr. Pianykh’s name.

Jenny McGrath
Former Digital Trends Contributor