45 million medical imaging photos exposed online
Recently, according to CybelAngel’s “More Than 45 Million Medical Images Openly Accessible Online” report, due to security issues in the technology for storing, sending, and receiving medical data, more than 45 million medical images and related personally identifiable information (PII) and Personal health care information (PHI) is exposed online.
The massive exposure data discovered by CybelAngel’s analysis team includes sensitive medical records and images, such as X-ray CT scans and MRI images. Anyone can access the exposed data in this network-attached storage (NAS) and Digital Imaging and Communications in Medicine (DICOM) online.
According to the report, the CybelAngel analysis team used tools to scan approximately 4.3 billion IP addresses and discovered more than 45 million medical images and related privacy data exposures in networked storage devices in hospitals and medical centers around the world. These images are stored in 67 countries (including the United States, the United Kingdom, France, and Germany) on 2140 unprotected (NAS) servers.
NAS is an inexpensive storage solution, mainly used by small companies or individuals to store data, instead of more expensive dedicated servers or virtual cloud servers, and DICOM is a global standard for medical insurance personnel to transmit medical images.
Researchers say that criminals can infringe on people’s privacy by selling these data on the dark web. They can also use images and data to blackmail patients or use patient data to build “ghost clinics” and “ghost patients” to defraud the medical system.
The privacy protection of patient data is particularly important because the world is currently in the midst of a pandemic, PII and PHI may have a significant impact on the lives of patients and the lives of people who come into contact with them. Researchers pointed out that attackers can also access data to tamper with patient medical records.
Each exposed medical image usually contains up to 200 lines of metadata, including the patient’s name, date and address of birth, and his or her height, weight, diagnosis, and other PHI. Anyone can access images and data without a username or password. The researchers pointed out that, in fact, in some places, the patient information storage system can even login with a blank user name and password.
“The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files,” Sygula said in a press statement. “This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals.”