Servers containing sensitive medical data — including X-rays, CT scans, and MRIs — are unprotected in doctors’ offices, imaging centers, and archiving services all over the world. Records for at least 5 million U.S. patients are available online, according to an investigation by ProPublica and German public broadcaster Bayerischer Rundfunk.
Reporters found 187 servers in the U.S. without passwords and other security protocols, leaving them open to access via software or basic web searches. The scans contained not only medical information but birthdates and social security numbers, in some cases. The Health Insurance Portability and Accountability Act (HIPAA) requires medical data be kept private, and failing to keep these images secure may violate that law.
An industry group of radiologists and device makers created the standard Digital Imaging and Communications in Medicine (DICOM) in 1985, which lays out the standard for handling, storing, printing, and transmitting medical imaging. Before its security measures were standardized, devices that didn’t meet them were already showing up in hospitals and clinics. Some hospitals may have never have made changes after DICOM’s security measures were released, and vendors continued to sell devices without built-in security. “Nobody ever tried to connect all these pieces together, and that’s how the whole problem happened,” Dr. Oleg Pianykh, an assistant professor of radiology and the director of medical analytics at Massachusetts General Hospital, told Digital Trends.
Pianykh has been tracking the problem for years. In 2016, he discovered 2,774 unprotected radiology or DICOM servers and published the results in a research paper. “The reason we were able to be able to connect to those DICOM devices was because the fundamental network security was missing,” he said.
Large hospitals have fully staffed IT departments, but Pianykh aid smaller offices and centers may outsource their IT needs to companies unfamiliar with medical privacy standards. They may assume the devices have built-in protections. “What happens is that they just buy some kind of medical device and keep all the default settings and keep the network wide open,” said Pianykh. “And that’s it. That’s the breach.”
As a baseline, any provider handling medical data needs to have its own secured network, Pianykh said. Otherwise, he compares securing individual devices to locking up the jewelry in your home while leaving the front door unlocked. The thieves will just steal something else.
In one case, a Denver-based archival service, Offsite Image, had over 340,000 records that were vulnerable, including some from both human doctors and veterinarians. Its tech consultant, Matthew Nelms, said the company fixed its servers after told ProPublica alerted him of the issue. “We were just never even aware that there was a possibility that could even happen,” he said.
The Medical Imaging & Technology Alliance oversees DICOM but claims the security standards are adequate but seemed to suggest individual offices and centers are responsible for seeing them through. “Proper security, however, requires more than just technical measures,” the alliance said in a statement. “It requires the implementation of institutional plans and policies to address various aspects of security (for example: infrastructure, device configuration, procedures, policies, training, auditing, and oversight).”
“You cannot just delegate to people, particularly physicians or patients, and tell them ‘Okay, well, go and take care of that,’” said Pianykh. Many will follow through, but some will not. Instead, he sees the need for a proactive approach, an agency that regularly scans for these issues and reaches out to the offices, cloud providers, or other entities who don’t have proper security in place. “The magnitude of this problem is monumental,” he said. “It’s beyond the scope of a single person doing some kind of single scan.”
Update 9/18: Added additional comments from Dr. Oleg Pianykh.
Correction: An earlier version of this story misspelled Dr. Pianykh’s name.