A ProPublica report has revealed that hundreds of computer servers worldwide are so insecure that anyone with a web browser and some knowledge of computer code could access patient data, including images.
The nonprofit newsroom revealed that patient records including X-rays, MRIs, and CT scans were all easily accessible to anyone with basic computer knowledge.
The vulnerable records cover more than 5 million American patients and millions more around the world, some of which could be seen using just a typical web browser or free downloadable program.
ProPublica and the German broadcaster Bayerischer Rundfunk identified 187 servers that were not even covered by basic passwords or security, adding to the growing number of patient records left compromised in recent years.
The two newsrooms also scanned Internet Protocol (IP) addresses to identify as many of the responsible medical providers as possible.
Cybersecurity researcher and chief executive of the consulting firm Spyglass Security Jackie Singh told ProPublica: “It’s not even hacking. It’s walking into an open door.”
Many medical providers were not even aware of how easy it was for anyone to access their records, and began locking down their systems once they learned of the report.
The report found that the level of data exposure varied depending on the healthcare provider and the software used to store patient records.
MobilexUSA’s server reportedly displayed the names, dates of birth, doctors, and procedures of more than a million patients following a simple search query. The company tightened its security procedures after the investigation team broke the news.
The parent company of MobilexUSA released a statement shortly after, which read: “We promptly mitigated the potential vulnerabilities identified by ProPublica and immediately began an ongoing, thorough investigation.”
The system of a Los Angeles physician even allowed anyone with an internet connection to view the echocardiograms of his patients.
Altogether, data from more than 16 million medical scans across the world were easily accessible online at the time of the investigation, which, in some cases, included the Social Security numbers of patients.
13.7 million medical tests were available online for public viewing, and more than 400,000 X-rays and medical images could be downloaded by the average computer user.
While the report found that large hospital chains and academic medical centers did have security protections in place, independent radiologists, medical imaging centers and archiving services were the most exposed.
Healthcare providers and their business associates are legally responsible for protecting patient data. Experts have told ProPublica that the exposure of this data could even violate the Health Insurance Portability and Accountability Act, or HIPAA, the 1996 law that requires health care providers to keep Americans’ health data confidential and secure.
Security researcher and senior staff technologist with the Electronic Frontier Foundation, a digital-rights group, Cooper Quintin said: “Medical records are one of the most important areas for privacy because they’re so sensitive. Medical knowledge can be used against you in malicious ways: to shame people, to blackmail people.
“This is so utterly irresponsible.”
The report does note, however, that there was no sign that any of the patient data found was copied from systems and published elsewhere.
Director of medical analytics at Massachusetts General Hospital’s radiology department, Oleg Pianykh, has been trying to warn healthcare providers about how they handle patient data for years.
He even published a research report in 2016 on mapping digital radiology adoption and security worldwide.
He said medical imaging had historically been shared on the assumption that the data was protected by the customer’s own computer security systems.
However, when records began to be uploaded onto the internet and systems became more complex, the responsibility for those records shifted into the hands of network administrators – who assumed safety precautions were already in place.
While it is now easier for doctors across the world to view patient data on a computer screen, it is also easier than ever for the data to get into the wrong hands.
Denver-based Offsite Image, a system used to archive medical images, was found to display the names and other details of more than 340,000 human and veterinary records to ProPublica without much effort from the investigations team.
An executive from the company told ProPublica the company charges clients $50 for site access and a further $1 per study. Offsite Image’s website reads ‘Your data is safe and secure with us’.
The company’s tech consultant Matthew Nelms told ProPublica: “We were just never even aware that there was a possibility that could even happen.”
As systems evolved in this way, Pianykh said, medical data security became a ‘do-it-yourself project’.
A security firm in Germany had also picked up on the problem ahead of ProPublica’s report.
Greenbone Networks found exposed systems in at least 52 countries on every inhabited continent, discovering that patient records were at risk. The findings were passed on to ProPublica to investigate the extent of the problem in the US.
The report was shared with officials from the Medical Imaging & Technology Alliance, the group that oversees the standard for storing patient imaging data. They laid the blame on those who were running the servers.
In a statement, the organization said: “Even though it is a comparatively small number, it may be possible that some of those systems may contain patient records.
“Those likely represent bad configuration choices on the part of those operating those systems.”
It isn’t the first time private data breaches have been in the headlines, either. In 2015, U.S. health insurer Anthem Inc. revealed that a hacker had accessed private data belonging to more than 78 million people.
Analysis of records from the U.S. Department of Health and Human Services has found that more than 40 million people have had their medical data compromised in the last two years alone.
A spokeswoman for HHS’ Office for Civil Rights, which enforces HIPAA, said it would not comment on any open or potential investigations.
Jackie Singh had the final comment on the report. She pointed out it is a ‘shared responsibility’ for manufacturers, standards makers and hospitals to ensure computer servers holding patient data are secured.
“It’s 2019,” she said. “There’s no reason for this.”