According to a report by ProPublica, millions of Americans’ private medical records and images are available on the Internet to anyone with a minimum of computer expertise.
Using legal and commonly used radiology communication software, ProPublica, a nonprofit newsroom that investigates abuses of power, and its reporting partner, the German public broadcaster Bayerischer Rundfunk, found that more than 5 million patients in the U.S. and millions more around the world had their medical information available to almost anyone online. They identified 187 servers — computers used to store and retrieve medical data — in the U.S. that were unprotected by passwords or basic security precautions. All told, medical data from more than 16 million scans worldwide was available online, including names, birthdates and, in some cases, Social Security numbers.
“Medical records are one of the most important areas for privacy because they’re so sensitive. Medical knowledge can be used against you in malicious ways: to shame people, to blackmail people,” said Cooper Quintin, a security researcher and senior staff technologist with the Electronic Frontier Foundation, a digital-rights group.
Most of the cases of unprotected data found involved independent radiologists, medical imaging centers or archiving services, with a majority of large hospital chains and academic medical centers having put security protections in place.
There are many issues of concern: outdated operating systems with known security vulnerabilities; systems used to archive medical images that lack basic security precautions; and medical device manufacturers that do not conform to existing security standards.
Oleg Pianykh, the director of medical analytics at Massachusetts General Hospital’s radiology department, wrote that medical imaging software has traditionally been written on the assumption that patients’ data would be secured by the customer’s own computer security systems.
It’s not a lack of standards; it’s that medical device makers don’t follow them. “Medical-data security has never been soundly built into the clinical data or devices, and is still largely theoretical and does not exist in practice,” Pianykh wrote in 2016.
Call to Action: If you have had a medical imaging scan (X-ray, CT scan, MRI, ultrasound, etc.), ask the health care provider that did the scan — or your doctor — whether access to your images requires a login and password. If you are a medical imaging provider or doctor’s office, you or your IT staff should make sure that your PACS server cannot be accessed from the internet without a VPN connection and a password.