A Billion Medical Images Are Exposed Online, As Doctors Ignore Warnings

Insecure storage systems being used by hundreds of hospitals, medical offices and imaging centers are exposing over 1 billion medical images of patients across the world. "Yet despite warnings from security researchers who have spent weeks alerting hospitals and doctors' offices to the problem, many have ignored their warnings and continue to expose their patients' private health information," writes Zack Whittaker from TechCrunch. From the report: "It seems to get worse every day," said Dirk Schrader, who led the research at Germany-based security firm Greenbone Networks, which has been monitoring the number of exposed servers for the past year. The problem is well-documented. Greenbone found 24 million patient exams storing more than 720 million medical images in September, which first unearthed the scale of the problem as reported by ProPublica. Two months later, the number of exposed servers had increased by more than half, to 35 million patient exams, exposing 1.19 billion scans and representing a considerable violation of patient privacy.

A decades-old file format and industry standard known as DICOM was designed to make it easier for medical practitioners to store medical images in a single file and share them with other medical practices. DICOM images can be viewed using any of the free-to-use apps, as would any radiologist. DICOM images are typically stored in a picture archiving and communications system, known as a PACS server, allowing for easy storage and sharing. But many doctors' offices disregard security best practices and connect their PACS server directly to the internet without a password. These unprotected servers not only expose medical imaging but also patient personal health information. Many patient scans include cover sheets baked into the DICOM file, including the patient's name, date of birth and sensitive information about their diagnoses. In some cases, hospitals use a patient's Social Security number to identify patients in these systems.

Re: people are dying unnecessarily because

[bigpat]

People are dying unnecessarily because medical records are so hard to share and patients don't have real access to their medical records... patients who, despite the managed care propaganda, are the ones who need to manage their own medical care.

Re:

[markdavis]

>"because medical records are so hard to share "

The main reason for this is that there is no open, realistic, accepted "standard" for transmitting records electronically, except via fax. Doesn't even have to be a "clearinghouse", just getting from point A to point B, ad-hoc. This is why the medical field still relies on faxing tons of paper constantly. It is the only thing considered "secure" that is standard and universal (and yet slow and frustrating). Otherwise, there are just zillions proprietary

Re:

[That Ordinary Guy]

All of this because people involved in the matter still can't transmit information in a secure manner. So, it isn't such a bad idea after all, they fall back on old methods. The fact is that fax communications are very easy to snoop upon but very few people are interested into doing it. It is security by obsolescence.

Re:

[puck01]

You realize most doctors have very little to zero say in their information systems today? Today, most doctors offices are owned by large health care systems with IT departments that manage these things for them? I am a physician and work in health IT / informatics. The docs are usually at the mercy of the hospital MBAs. The vendors that create the systems are often really slow to respond to problems, too. Very rarely in my experience does the physician the cause of these problems.

Re:

[cusco]

I will agree with one part of your statement, but the problem also extends to the small and specialty clinics which **are** doctor-run. The only excuse for their office PCs to still be running Windows XP (and they do, I've seen it fairly recently) is because they're unwilling to spend the money to upgrade.

For the most part you are absolutely correct, though. The medical profession is the only group I've seen that are close to bankers in "penny-wise, pound-foolish" spending. When a law passed in Washingto

Re:

[puck01]

Sure there are examples where physicians have more control of these issues but that is not typical when viewed holistically. Even in the small, independent clinic situation it isn't that simple.

It is common for vendors to take advantage of legacy issues like software running on legacy operating systems like Windows XP such that the clinic is forced to buy in to all sort of other stuff too. As someone who works for a vendor and works with other vendors, the business people fall over themselves to find wa

Re:

[jellomizer]

Not as much as you think.
Most doctors I know want to focus on their specialty and doing their work. While they want to be compensated well for their work. Most doctors are just horrible at managing a business.
Hence why they are often bought out by bigger Hospital chains.
Practice Management isn’t covered in med school.
IT security isn’t covered as well.

They just want to focus on doctoring.

That means if they can just click a an icon and get there data anywhere they want. They would be happy. Le

doctors are dumb with IT and don't want to deal wi

[Joe_Dragon]

doctors are dumb with IT and don't want to deal with 2-5 different passwords

Insurance companies are delighted though.

[Old Flatulent 1]

They can much more easily easily do cheaper risk analysis with the help of firms like Cambridge Analytica. If the statistical data is mined and aggregated and made available for scientific research. Health records are used for legitimate scientific analysis of disease trends so there is a need for easy access to this kind of data. If it is first stripped of private data like names and other ways to identify individuals in the data base. Other than that hacking all this info and selling it is a fools enterpr

Re:

[imidan]

If the statistical data is mined and aggregated and made available for scientific research.

The data could never be used for scientific research published in reputable journals. All scientific research involving human subjects (which this would be, even though the researcher never saw the subjects) requires review from an institutional review board before it even begins, and the IRB at any institution would absolutely forbid research done using unethically obtained medical records. Beyond the IRB, the ethics violation of using leaked medical records in research would be completely unacceptable to

Re: Insurance companies are delighted though.

[Aristos Mazer]

A researcher doesnâ(TM)t have to publish in a journal. The CRISPR experiment on human embryos in China is well-known even without journal publication. If someone independent wants to take those images and find a medical breakthrough, that person will have no problem communicating findings. They may be a pariah in medical circles going forward, but the paper will be publicized and discovery spread. That is nature of modern world.

Re:

[ceoyoyo]

I guess if your goal is to become infamous and go to jail. There are easier ways though.

Re: Insurance companies are delighted though.

[Aristos Mazer]

Or if your goal is > That is a rough translation of one commenter about some older medical research I read once. I donâ(TM)t agree with the position, but I can see the argument and see how someone might decide it was worth it.

Re:

[Aristos Mazer]

Argh. Stupid formatting issue. It was supposed to say, "I am willing to ignore the ethicists who are too timid and I will use the tools available to save lives." That's the thing that I roughly translated in my previous post. (Why doesn't posting from phone have a preview???)

Fuck this world

[AndyKron]

Some motherfuckers need to go to jail now, but they won't. Fuck this world.

Re:

[Anachronous Coward]

You really go for the angry types, huh? In that case, no more mister nice guy!

Re:

[Tom]

It anyway wouldn't be the right motherfuckers. It would be some IT guy who fucked up, or his manager who didn't authorize the security systems. But it wouldn't be the CEO or the stakeholders who created the profit margin pressure that caused the whole chain.

Not quite

[DogDude]

Let's be clear. This isn't the fault of the "stakeholders", which include customers and employees. This is the fault of the owners of these companies: the shareholders. Unfortunately, in the US, shareholders cannot be prosecuted for crimes of the company they own (unless it's as small company).

Re:

[Tom]

Customers who prioritize prize over quality do contribute to the problem, as do customers who don't care what asshat company they buy from as long as it's cheap.

Still, you are right that shareholders are the biggest problem there.

Re:

[DogDude]

You're right. I actually care about where I spend my money, but I don't know anybody else who does, so I've pretty much given up on promoting that idea to other people.

Re:

[Tom]

You're not a lone, it's just not something that fits into the thimble brain of many people and isn't a common conversation topic.

And sadly, opportunities are disappearing. When I was younger, I had a favorite computer shop. More expensive than the large department store 2 km away, but the owner knew his shit, would help you with problems and advise you on what you need, not what gives him the best margin. I spent a lot of money in that shop and always felt good about it. But those kind of shops are getting

It is not the doctors responsibility.

[ClueHammer]

They practice medicine (badly) They are not in charge of the IT systems.

Re: It is not the doctors responsibility.

[fbobraga]

Acting like gods, sometimes they do...

Re:

[dfm3]

Actually, the law would disagree with you [wikipedia.org]. It is very much the doctor's responsibility. In short, a doctor is a "covered entity" and is responsible for safeguarding the privacy of patient information, or for ensuring that any third parties to which business processes are outsourced (such as an IT contractor) are compliant with HIPAA.

Re:

[puck01]

Doesn't matter if a physician has no control over these issues which is usually the case. Most doctors offices today are run by health care admin MBAs and their IT departments. Also the vendors of these products are usually very slow to respond to these types of problems. The implementations are usually bare minimum. Physicians have very little say in any of this today.

Re:

[cusco]

If the records are available over the Internet without a password then even my grandmother would know that's a security issue. Doctors as a group aren't stupid, they **KNOW** this stuff is insecure and it's their responsibility to their patients, their clinics/hospitals, and the insurance companies that they ultimately work for to complain until it's fixed.

And doctors will complain about the simplest frelling thing that inconveniences them in any way, loudly and long. I know of a hospital that has an exte

Re:

[HiThere]

Sometimes it is their responsibility. But they don't know enough to make decisions, so they rely on "the government certified this software". Whoever installed it did the configuration, they didn't do it. And if they had tried to, it might well not have worked at all.

I suppose you could say that it wasn't their responsibility, as they feel required to use "government certified software", and believe that by doing so they satisfy legal requirements, that other software might not satisfy. Possibly their l

Doctors ignore warnings?

[CrimsonAvenger]

I don't think it's the doctors who make decisions about computer systems. Don't know who does, but might want to ask the IT guys about it....

Re: Doctors ignore warnings?

[fbobraga]

Many doctors act like gods on the environment they work (I've seen it many times working in tech support...): I don't disbelieve that THEY took the decision to ignore warnings from IT guys...

Re: Doctors ignore warnings?

[imidan]

The IT guy needs to talk to the lawyer and the insurance guy. The lawyer will shit his pants at the HIPAA violation, and the insurance guy will shit his pants at the likely cost of judgment for the inevitable prosecution. Then, the three of them can go to the person in charge and explain the problem in terms of the technical, legal, and financial. When it's clear that the fallout of prosecution includes fines so big they make the practice uninsurable, jail time for personnel who wantonly violated, and the loss of license for doctors, I would hope they'd listen. If not, then the IT guy needs to start looking for a new job STAT. And maybe make a phone call to DHS on their way out the door.

Re: Doctors ignore warnings?

[fbobraga]

Legal situation in USA != legal situation in the world...

Re:

[ceoyoyo]

Here in Canada hospitals are super paranoid about their PACS. As originally designed, PACS really couldn't transmit images over the Internet at all, and most hospitals still have it configured that way.

Re:

[Applehu Akbar]

Now envision this meeting taking place not just at one hospital or medical center, but at NIST. Let the result of that conversation be a nationwide standard for digitizing medical records.

Re:

[imidan]

Yes. It's all well and good to complain about medical records being exposed, but if there was a coherent national strategy for protecting them, we might be more successful at it. I haven't worked with medical records (although at a previous job, we seemed always to be in talks about potentially handling them), so I don't know what the law demands, but my sense is that the technology is here, ready to go. We just need to match it up correctly with the needs and develop best practices.

Re:

[cusco]

As soon as the IT guy opens his mouth he's fired.

Re:

[Solandri]

Many doctors act like gods on the environment they work (I've seen it many times working in tech support...): I don't disbelieve that THEY took the decision to ignore warnings from IT guys...

Your thinking is exactly why the transition to EMR systems is a such a clusterfuck. The #1 priority has to be allowing doctors to continue seeing and treating patients. Everything else is secondary.

That means it isn't the job of the doctors to stop what they're doing, stop seeing patients, and stop treating them,

Re:

[LukeRazor]

I worked as a developer in the PACS industry for the best part of 20 years and I can tell you that the Drs certainly have their portion of the blame to share, generally enabled by the "business" people. (i.e. dont piss off the talent)

Above all else Drs want their own convenience, patient privacy concerns are waaaay down the list of priorities.

On a slight tangent you might like know that DICOM is the worst standard of all time, I know you think you've worked with worse... you haven't. :)

Re:

[puck01]

Okay. Let's ignore the fact that historic numbers of physicians today are burning out and the suicide rate in the profession is the highest its over been. The profession now has one of the highest suicide rates. Much of this is attributed to EMRs.

The physicians just want to do their job and do it well. This is the biggest predictor or physician satisfaction.

But let's ignore all that and blame them for all the problems the MBAs and crapola that is health care IT.

Re:

[ceoyoyo]

Ha, DICOM is wonderful compared to some of the things people convert it into.

Re:

[russotto]

On a slight tangent you might like know that DICOM is the worst standard of all time, I know you think you've worked with worse... you haven't. :)

I've worked with DICOM. It's pretty fucking bad. It's not responsible for this sort of thing though, it's just a file format. Well, more like a meta file format with tons of sub-formats. IIRC, the standard specifies which fields contain PII so you can automatically remove it if you need the image without the identifying info for some reason. Nothing in DICOM

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ceoyoyo]

Rather the opposite. PACS used to be limited so it really couldn't transmit images though a gateway. You don't download images from a PACS, you send a request for the server to copy the images to another server... another server that's on a whitelist.

Hooking two hospitals together was a years long exercise in politics and creative networking. Modern requirements led to the development of DICOMweb, which is basically a REST interface for a PACS. As you can imagine, as soon as you've got a nice web API, secur

Re:

[markdavis]

>"I don't think it's the doctors who make decisions about computer systems. Don't know who does, but might want to ask the IT guys about it...."

While this is true, you would probably not be surprised at how easily the end users will violate policies, work-around limitations, and do whatever they want. No matter how many inservices you put users through, how much training, how much you audit, how much you try to scrub data or restrict access, when people are involved, they are the ultimate, uncontrollabl

Re:

[puck01]

That's often because the system makes it hard for them to do their job well. Good systems tend to make these problems go away. Non-clinical people are often clueless when it comes to what it takes to properly do our job. Yet they ultimately make most of the decisions.

Re:

[cusco]

A good system will use single sign on or some other frictionless method to access the records, and would be the recommendation of pretty much any IT staff. The problem then becomes that you need to be on the hospital network or use a VPN, and far too many (self) important people refuse to bother themselves. This is the exact same reasoning that has tens of thousands of security cameras outside the company firewall, because having to key their login into their phone is just too much work for the people who

Re:

[puck01]

If things like VPN access are made easy to install and use, the vast majority will do it. Those that don't are the exception, relatively rare and usually older. Been there and done that.

This is one reason I hated working for a large health care system informatics related stuff. A few docs would be a problem but the admins and IT staff act like all physicians are a pain.

They're busy people with a lot of responsibility that they take seriously. When viewed that way, its easier to work with them.

Damn commies!

[fbobraga]

Must be Chinese doctors!!!11!!!!!11!!

Re:

[cusco]

Possible? Certainly, although it might take a while. Ethical? Absolutely not.

Re:

[Jarik C-Bol]

The very idea that the Federal Government is more competent than *anyone* is truly frightening.

Re:

[HiThere]

If you think the federal government is incompetent, then you don't understand the system. Remember, "You get what you reward.", so the rewards are adjusted to achieve the goals desired. What you should be concerned with is not the competence of those running the system, but rather with what their goals are. To believe that the goals are what they claim they are is a mistake unless there is evidence supporting that decision.

Face sheet

[markdavis]

Translation for those not in the medical field: DICOM images, as actually used, usually do contain demographics. But they also often contain indications and sometimes diagnosis and treatments. Those are the absolute most sensitive of all information. They do this to communicate with the radiology technicians and radiologists. Normally much of this is stored outside the images in a PACS or RIS, but can also be in the DICOM images, themselves (depending on the system and the way it is used by people).

Indications are the REASON for the image and would be something like "suspected pneumonia." Diagnoses are official labels of sickness/illness/disease, like "AIDS" or "diabetic." Sometimes represented in English text, other times via ICD codes. Treatments are what is already being done to treat a diagnosis, like "on Lasix." Additionally, events might be included (if there was a fall, or accident, or other such information. These are far worse than just demographics because they can reveal what health problems an individual might or actually have.

That is what is on a "face sheet" the summary mentions- it is usually a one-page summary packed with sensitive information. It also typically includes all your contacts, if they have medical access (and all their info like address, phone numbers, relationship), your insurances and all those ID numbers, when you were seen or admitted, your allergies, YOUR address, phone numbers, date of birth, sex, medical record number, account number. Where you were admitted from, sometimes your stated religion, etc. Even if they don't include the entire face sheet, it could be any or all of this information.

I can't overstate how bad disclosing such information is, when it comes to protecting privacy.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[cusco]

New? These standards are over 20 years old.

A good test for GDPR and California Privacy Law

[chill]

This will be a good test for both GDPR and the new California privacy law, not to mention HIPPA. If there is any power to challenge a doctor's ego let me get them to prioritize, those are it.

I use the Fax Index

[Applehu Akbar]

The more a line of business depends on fax for communications, the farther behind it is in benefitting from IT.

In the absence of a universal standard for digital medical records, regional health alliances are implementing proprietary digitization systems of their own. Not only do these islands of automation not connect with each other, but each islet has budget to implement only one user interface to its database, rather than separate ones suited to different specialties. Because the one interface is genera

Re:

[DogDude]

When was the last time you read about a hacked fax machine?

Re:

[Applehu Akbar]

When was the last time you read about a hacked fax machine?

And when was the last time you walked into a new practitioner's office and had to fill out one of those medical histories, hoping that you remembered the dates of your vaccinations and surgeries correctly? Oh yes, ever goddamned f*ing time, because the records are all on paper. If the office needs to know details about that hospital admission twenty years ago, those records have to be sent over on paper, provided there wasn't a bankruptcy or a fire somewhere in between.

A "hacked" medical record generally me

Re:

[DogDude]

It sounds like you have some very serious First World Problems. That sounds difficult for you. I'd rather the whole world not have my genetic information.

Oh no!

[djp2204]

An X-ray of my foot may leak! What ever shall I do?

Simple fix

[Alain Williams]

Find embarrassing records of hospital CEO types and highlight them somewhere.

This will generate a fuss and hopefully action.

How to find out if own medical images are exposed?

[rapjr]

Is there anywhere to look up this info online? Will patients be informed by their care providers?

Re:

[account_deleted]

Comment removed based on user account deletion