A Billion Medical Images Are Exposed Online, As Doctors Ignore Warnings 70

Insecure storage systems being used by hundreds of hospitals, medical offices and imaging centers are exposing over 1 billion medical images of patients across the world. "Yet despite warnings from security researchers who have spent weeks alerting hospitals and doctors' offices to the problem, many have ignored their warnings and continue to expose their patients' private health information," writes Zack Whittaker from TechCrunch. From the report: "It seems to get worse every day," said Dirk Schrader, who led the research at Germany-based security firm Greenbone Networks, which has been monitoring the number of exposed servers for the past year. The problem is well-documented. Greenbone found 24 million patient exams storing more than 720 million medical images in September, which first unearthed the scale of the problem as reported by ProPublica. Two months later, the number of exposed servers had increased by more than half, to 35 million patient exams, exposing 1.19 billion scans and representing a considerable violation of patient privacy.

A decades-old file format and industry standard known as DICOM was designed to make it easier for medical practitioners to store medical images in a single file and share them with other medical practices. DICOM images can be viewed using any of the free-to-use apps, as would any radiologist. DICOM images are typically stored in a picture archiving and communications system, known as a PACS server, allowing for easy storage and sharing. But many doctors' offices disregard security best practices and connect their PACS server directly to the internet without a password. These unprotected servers not only expose medical imaging but also patient personal health information. Many patient scans include cover sheets baked into the DICOM file, including the patient's name, date of birth and sensitive information about their diagnoses. In some cases, hospitals use a patient's Social Security number to identify patients in these systems.
  • They can much more easily do cheaper risk analysis with the help of firms like Cambridge Analytica. If the statistical data is mined and aggregated and made available for scientific research. Health records are used for legitimate scientific analysis of disease trends so there is a need for easy access to this kind of data. If it is first stripped of private data like names and other ways to identify individuals in the data base. Other than that hacking all this info and selling it is a fools enterpr
    • by imidan ( 559239 )

      If the statistical data is mined and aggregated and made available for scientific research.

      The data could never be used for scientific research published in reputable journals. All scientific research involving human subjects (which this would be, even though the researcher never saw the subjects) requires review from an institutional review board before it even begins, and the IRB at any institution would absolutely forbid research done using unethically obtained medical records. Beyond the IRB, the ethics violation of using leaked medical records in research would be completely unacceptable to

      • A researcher doesn't have to publish in a journal. The CRISPR experiment on human embryos in China is well-known even without journal publication. If someone independent wants to take those images and find a medical breakthrough, that person will have no problem communicating findings. They may be a pariah in medical circles going forward, but the paper will be publicized and discovery spread. That is the nature of the modern world.
        • by ceoyoyo ( 59147 )

          I guess if your goal is to become infamous and go to jail. There are easier ways though.

          • Or if your goal is > That is a rough translation of one commenter about some older medical research I read once. I don't agree with the position, but I can see the argument and see how someone might decide it was worth it.
            • Argh. Stupid formatting issue. It was supposed to say, "I am willing to ignore the ethicists who are too timid and I will use the tools available to save lives." That's the thing that I roughly translated in my previous post. (Why doesn't posting from phone have a preview???)
  • Fuck this world (Score:4, Interesting)

    by AndyKron ( 937105 ) on Saturday January 11, 2020 @06:03AM (#59609396)
    Some motherfuckers need to go to jail now, but they won't. Fuck this world.
    • by Tom ( 822 )

      It anyway wouldn't be the right motherfuckers. It would be some IT guy who fucked up, or his manager who didn't authorize the security systems. But it wouldn't be the CEO or the stakeholders who created the profit margin pressure that caused the whole chain.

      • Let's be clear. This isn't the fault of the "stakeholders", which include customers and employees. This is the fault of the owners of these companies: the shareholders. Unfortunately, in the US, shareholders cannot be prosecuted for crimes of the company they own (unless it's as small company).
        • by Tom ( 822 )

          Customers who prioritize price over quality do contribute to the problem, as do customers who don't care what asshat company they buy from as long as it's cheap.

          Still, you are right that shareholders are the biggest problem there.

          • by DogDude ( 805747 )
            You're right. I actually care about where I spend my money, but I don't know anybody else who does, so I've pretty much given up on promoting that idea to other people.
            • by Tom ( 822 )

              You're not alone, it's just not something that fits into the thimble brain of many people and isn't a common conversation topic.

              And sadly, opportunities are disappearing. When I was younger, I had a favorite computer shop. More expensive than the large department store 2 km away, but the owner knew his shit, would help you with problems and advise you on what you need, not what gives him the best margin. I spent a lot of money in that shop and always felt good about it. But those kind of shops are getting

  • They practice medicine (badly) They are not in charge of the IT systems.
    • Acting like gods, sometimes they do...
    • by dfm3 ( 830843 )
      Actually, the law would disagree with you [wikipedia.org]. It is very much the doctor's responsibility. In short, a doctor is a "covered entity" and is responsible for safeguarding the privacy of patient information, or for ensuring that any third parties to which business processes are outsourced (such as an IT contractor) are compliant with HIPAA.
      • by puck01 ( 207782 )

        Doesn't matter if a physician has no control over these issues, which is usually the case. Most doctors' offices today are run by health care admin MBAs and their IT departments. Also the vendors of these products are usually very slow to respond to these types of problems. The implementations are usually bare minimum. Physicians have very little say in any of this today.

    • by cusco ( 717999 )

      If the records are available over the Internet without a password then even my grandmother would know that's a security issue. Doctors as a group aren't stupid, they **KNOW** this stuff is insecure and it's their responsibility to their patients, their clinics/hospitals, and the insurance companies that they ultimately work for to complain until it's fixed.

      And doctors will complain about the simplest frelling thing that inconveniences them in any way, loudly and long. I know of a hospital that has an exte

    • by HiThere ( 15173 )

      Sometimes it is their responsibility. But they don't know enough to make decisions, so they rely on "the government certified this software". Whoever installed it did the configuration, they didn't do it. And if they had tried to, it might well not have worked at all.

      I suppose you could say that it wasn't their responsibility, as they feel required to use "government certified software", and believe that by doing so they satisfy legal requirements, that other software might not satisfy. Possibly their l

  • by CrimsonAvenger ( 580665 ) on Saturday January 11, 2020 @06:16AM (#59609414)
    I don't think it's the doctors who make decisions about computer systems. Don't know who does, but might want to ask the IT guys about it....
    • Many doctors act like gods on the environment they work (I've seen it many times working in tech support...): I don't disbelieve that THEY took the decision to ignore warnings from IT guys...
      • by imidan ( 559239 ) on Saturday January 11, 2020 @06:55AM (#59609442)
        The IT guy needs to talk to the lawyer and the insurance guy. The lawyer will shit his pants at the HIPAA violation, and the insurance guy will shit his pants at the likely cost of judgment for the inevitable prosecution. Then, the three of them can go to the person in charge and explain the problem in terms of the technical, legal, and financial. When it's clear that the fallout of prosecution includes fines so big they make the practice uninsurable, jail time for personnel who wantonly violated, and the loss of license for doctors, I would hope they'd listen. If not, then the IT guy needs to start looking for a new job STAT. And maybe make a phone call to DHS on their way out the door.
        • Legal situation in USA != legal situation in the world...
          • by ceoyoyo ( 59147 )

            Here in Canada hospitals are super paranoid about their PACS. As originally designed, PACS really couldn't transmit images over the Internet at all, and most hospitals still have it configured that way.

        • Now envision this meeting taking place not just at one hospital or medical center, but at NIST. Let the result of that conversation be a nationwide standard for digitizing medical records.

          • by imidan ( 559239 )
            Yes. It's all well and good to complain about medical records being exposed, but if there was a coherent national strategy for protecting them, we might be more successful at it. I haven't worked with medical records (although at a previous job, we seemed always to be in talks about potentially handling them), so I don't know what the law demands, but my sense is that the technology is here, ready to go. We just need to match it up correctly with the needs and develop best practices.
        • by cusco ( 717999 )

          As soon as the IT guy opens his mouth he's fired.

      • Many doctors act like gods on the environment they work (I've seen it many times working in tech support...): I don't disbelieve that THEY took the decision to ignore warnings from IT guys...

        Your thinking is exactly why the transition to EMR systems is such a clusterfuck. The #1 priority has to be allowing doctors to continue seeing and treating patients. Everything else is secondary.

        That means it isn't the job of the doctors to stop what they're doing, stop seeing patients, and stop treating them,

    • I worked as a developer in the PACS industry for the best part of 20 years and I can tell you that the Drs certainly have their portion of the blame to share, generally enabled by the "business" people. (i.e. dont piss off the talent)

      Above all else Drs want their own convenience, patient privacy concerns are waaaay down the list of priorities.

      On a slight tangent you might like know that DICOM is the worst standard of all time, I know you think you've worked with worse... you haven't. :)

      • by puck01 ( 207782 )

        Okay. Let's ignore the fact that historic numbers of physicians today are burning out and the suicide rate in the profession is the highest it's ever been. The profession now has one of the highest suicide rates. Much of this is attributed to EMRs.

        The physicians just want to do their job and do it well. This is the biggest predictor of physician satisfaction.

        But let's ignore all that and blame them for all the problems the MBAs and crapola that is health care IT.

      • by ceoyoyo ( 59147 )

        Ha, DICOM is wonderful compared to some of the things people convert it into.

      • On a slight tangent you might like know that DICOM is the worst standard of all time, I know you think you've worked with worse... you haven't. :)

        I've worked with DICOM. It's pretty fucking bad. It's not responsible for this sort of thing though, it's just a file format. Well, more like a meta file format with tons of sub-formats. IIRC, the standard specifies which fields contain PII so you can automatically remove it if you need the image without the identifying info for some reason. Nothing in DICOM

    • Comment removed based on user account deletion
      • by ceoyoyo ( 59147 )

        Rather the opposite. PACS used to be limited so it really couldn't transmit images through a gateway. You don't download images from a PACS, you send a request for the server to copy the images to another server... another server that's on a whitelist.

        Hooking two hospitals together was a years long exercise in politics and creative networking. Modern requirements led to the development of DICOMweb, which is basically a REST interface for a PACS. As you can imagine, as soon as you've got a nice web API, secur

    • >"I don't think it's the doctors who make decisions about computer systems. Don't know who does, but might want to ask the IT guys about it...."

      While this is true, you would probably not be surprised at how easily the end users will violate policies, work-around limitations, and do whatever they want. No matter how many inservices you put users through, how much training, how much you audit, how much you try to scrub data or restrict access, when people are involved, they are the ultimate, uncontrollabl

      • by puck01 ( 207782 )

        That's often because the system makes it hard for them to do their job well. Good systems tend to make these problems go away. Non-clinical people are often clueless when it comes to what it takes to properly do our job. Yet they ultimately make most of the decisions.

        • by cusco ( 717999 )

          A good system will use single sign on or some other frictionless method to access the records, and would be the recommendation of pretty much any IT staff. The problem then becomes that you need to be on the hospital network or use a VPN, and far too many (self) important people refuse to bother themselves. This is the exact same reasoning that has tens of thousands of security cameras outside the company firewall, because having to key their login into their phone is just too much work for the people who

          • by puck01 ( 207782 )

            If things like VPN access are made easy to install and use, the vast majority will do it. Those that don't are the exception, relatively rare and usually older. Been there and done that.

            This is one reason I hated working for a large health care system informatics related stuff. A few docs would be a problem but the admins and IT staff act like all physicians are a pain.

            They're busy people with a lot of responsibility that they take seriously. When viewed that way, it's easier to work with them.

  • Must be Chinese doctors!!!11!!!!!11!!
  • Face sheet (Score:4, Interesting)

    by markdavis ( 642305 ) on Saturday January 11, 2020 @07:56AM (#59609510)

    Translation for those not in the medical field: DICOM images, as actually used, usually do contain demographics. But they also often contain indications and sometimes diagnosis and treatments. Those are the absolute most sensitive of all information. They do this to communicate with the radiology technicians and radiologists. Normally much of this is stored outside the images in a PACS or RIS, but can also be in the DICOM images, themselves (depending on the system and the way it is used by people).

    Indications are the REASON for the image and would be something like "suspected pneumonia." Diagnoses are official labels of sickness/illness/disease, like "AIDS" or "diabetic." Sometimes represented in English text, other times via ICD codes. Treatments are what is already being done to treat a diagnosis, like "on Lasix." Additionally, events might be included (if there was a fall, or accident, or other such information). These are far worse than just demographics because they can reveal what health problems an individual might have or actually has.

    That is what is on a "face sheet" the summary mentions: it is usually a one-page summary packed with sensitive information. It also typically includes all your contacts, if they have medical access (and all their info like address, phone numbers, relationship), your insurances and all those ID numbers, when you were seen or admitted, your allergies, YOUR address, phone numbers, date of birth, sex, medical record number, account number. Where you were admitted from, sometimes your stated religion, etc. Even if they don't include the entire face sheet, it could be any or all of this information.

    I can't overstate how bad disclosing such information is, when it comes to protecting privacy.
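    As an added example (not from the article or from any commenter), a small Python script that builds a constructed DICOM Part 10 file carrying face-sheet style attributes, reports which patient-identifying tags it contains, and blanks them. The tag list is a hand-picked subset of the attributes DICOM's confidentiality profile (PS3.15 Annex E) covers, and the parser handles only the explicit VR little endian syntax without sequences; the sample values are constructed.

```python
import struct

# Explicit VR Little Endian (padded to even length), used by the constructed sample.
EXPLICIT_VR_LE = b"1.2.840.10008.1.2.1\x00"
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # VRs with a 4-byte length

# Hand-picked subset of attributes the PS3.15 Annex E profile removes or blanks;
# a real de-identifier applies the whole profile table, not this short list.
PHI_TAGS = {
    (0x0008, 0x1030): "StudyDescription",   # often carries the indication
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x1000): "OtherPatientIDs",
}

def element(group, elem, vr, value):
    """Encode one explicit-VR-LE data element, padding odd-length values."""
    if len(value) % 2:
        value += b"\x00" if vr in (b"OB", b"UI") else b" "
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value

def parse(buf):
    """Yield (tag, vr, value) for each element after the 128-byte preamble + 'DICM'."""
    if buf[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    pos = 132
    while pos < len(buf):
        group, elem = struct.unpack_from("<HH", buf, pos)
        vr = buf[pos + 4:pos + 6]
        if vr in LONG_VRS:
            length, pos = struct.unpack_from("<I", buf, pos + 8)[0], pos + 12
        else:
            length, pos = struct.unpack_from("<H", buf, pos + 6)[0], pos + 8
        yield (group, elem), vr, buf[pos:pos + length]
        pos += length

def find_phi(buf):
    """Return {attribute name: value} for every non-empty PHI tag present."""
    return {PHI_TAGS[tag]: val.decode("ascii").strip()
            for tag, _, val in parse(buf) if tag in PHI_TAGS and val}

def deidentify(buf):
    """Rewrite the file, keeping every element but emptying the PHI ones."""
    out = bytearray(buf[:132])
    for tag, vr, val in parse(buf):
        out += element(*tag, vr, b"" if tag in PHI_TAGS else val)
    return bytes(out)

# Constructed sample: a tiny CT header with an indication baked into the file.
SAMPLE = (b"\x00" * 128 + b"DICM"
          + element(0x0002, 0x0010, b"UI", EXPLICIT_VR_LE)
          + element(0x0008, 0x0060, b"CS", b"CT")
          + element(0x0008, 0x1030, b"LO", b"suspected pneumonia")
          + element(0x0010, 0x0010, b"PN", b"DOE^JANE")
          + element(0x0010, 0x0020, b"LO", b"MRN-000123")
          + element(0x0010, 0x0030, b"DA", b"19700101")
          + element(0x7FE0, 0x0010, b"OW", b"\x00\x01\x00\x02"))

if __name__ == "__main__":
    print("PHI in sample:", find_phi(SAMPLE))
    print("PHI after de-identification:", find_phi(deidentify(SAMPLE)))
```

    Run against the constructed sample it reports the name, MRN, birth date and indication, and reports nothing after `deidentify`; the pixel data and modality survive untouched.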

  • Comment removed based on user account deletion
  • This will be a good test for both GDPR and the new California privacy law, not to mention HIPAA. If there is any power to challenge a doctor's ego, let alone get them to prioritize, those are it.

  • The more a line of business depends on fax for communications, the farther behind it is in benefitting from IT.

    In the absence of a universal standard for digital medical records, regional health alliances are implementing proprietary digitization systems of their own. Not only do these islands of automation not connect with each other, but each islet has budget to implement only one user interface to its database, rather than separate ones suited to different specialties. Because the one interface is genera

    • by DogDude ( 805747 )
      When was the last time you read about a hacked fax machine?
      • When was the last time you read about a hacked fax machine?

        And when was the last time you walked into a new practitioner's office and had to fill out one of those medical histories, hoping that you remembered the dates of your vaccinations and surgeries correctly? Oh yes, every goddamned f*ing time, because the records are all on paper. If the office needs to know details about that hospital admission twenty years ago, those records have to be sent over on paper, provided there wasn't a bankruptcy or a fire somewhere in between.

        A "hacked" medical record generally me

        • by DogDude ( 805747 )
          It sounds like you have some very serious First World Problems. That sounds difficult for you. I'd rather the whole world not have my genetic information.
  • An X-ray of my foot may leak! What ever shall I do?

  • Find embarrassing records of hospital CEO types and highlight them somewhere.

    This will generate a fuss and hopefully action.

  • Is there anywhere to look up this info online? Will patients be informed by their care providers?
  • Comment removed based on user account deletion
