733 Million Medical Records Freely Available Through Unsecured PACS

Cybersecurity researchers have revealed that approximately 733 million medical images stored on picture archiving and communication systems (PACS) are freely accessible on the Internet.

The investigation, a joint venture by ProPublica, German public broadcaster Bayerischer Rundfunk, and vulnerability analysis firm Greenbone Networks, found images, including X-rays and MRI and CT scans, stored on these PACS.

Greenbone analyzed 2,300 PACs and found that 590 were accessible from the Internet without requiring any user authentication. These 590 servers stored 24 million medical records from 52 countries. 

Greenbone Networks audited the servers between July and September 2019 and set up a RadiAnt DICOM Viewer to access the images stored on open PACS servers. They found they could download 400 million of the 733 million files accessible on the servers. 

PACS use the Digital Imaging and Communications in Medicine (DICOM) standard to view, process, store, and transmit the images.

Usually, a DICOM viewer would be required to access the images. However, in some instances the images can be viewed in a web browser over plain HTTP. The researchers concluded that even individuals with only basic technical skills could view and download the images.

The United States was found to house more unsecured PACS than any other country, with 187 of the 590 unsecured servers. The exposed U.S. PACS contained 13.7 million data sets and 303.1 million medical images of around 5 million U.S. patients.

The researchers found more than 10,000 security issues on the audited systems, 20% of which were rated high severity; 500 were critical, with a CVSS v3 score of 10 out of 10.

The images included personal and medical information such as the patient's name, date of birth, scan date, scope of the investigation, type of imaging procedure performed, institution name, attending physicians' names, and the number of generated images.

Some of the images also contained Social Security numbers, placing these patients at an increased risk of becoming victims of identity theft or medical or insurance fraud.  
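As an added example, not part of the original report or of Greenbone's tooling: a minimal Python inspector for the DICOM header fields the report names (patient name, birth date, study date, modality, study description, institution, physician), plus a scrubber that blanks them in place for de-identification before an image leaves a controlled system. It assumes a flat explicit-VR little-endian dataset; the tag numbers come from the DICOM standard and the sample file is constructed.

```python
import struct

# DICOM tags (group, element) holding the patient and exam details the report
# lists; numbers are from the DICOM standard (PS3.6), not from the page.
PHI_TAGS = {(0x0010, 0x0010): "PatientName", (0x0010, 0x0020): "PatientID",
            (0x0010, 0x0030): "PatientBirthDate", (0x0008, 0x0020): "StudyDate",
            (0x0008, 0x0060): "Modality", (0x0008, 0x1030): "StudyDescription",
            (0x0008, 0x0080): "InstitutionName", (0x0008, 0x0090): "ReferringPhysicianName"}
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # 2 reserved + 4-byte length

def iter_elements(data):
    """Yield (tag, value_offset, length) for a flat explicit-VR LE dataset (assumed)."""
    pos = 132 if data[128:132] == b"DICM" else 0   # skip preamble + magic if present
    while pos + 8 <= len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        if vr in LONG_VRS:
            length, pos = struct.unpack_from("<I", data, pos + 6)[0], pos + 12
        else:
            length, pos = struct.unpack_from("<H", data, pos + 6)[0], pos + 8
        if length == 0xFFFFFFFF:   # undefined length (nested sequence): stop, don't guess
            return
        yield (group, elem), pos, length
        pos += length

def find_phi(data):
    """Inventory: {tag_name: value} for every PHI tag present in the file."""
    return {PHI_TAGS[tag]: data[off:off + n].decode("ascii", "replace").strip()
            for tag, off, n in iter_elements(data) if tag in PHI_TAGS}

def scrub_phi(data):
    """Copy with each PHI value overwritten by spaces of equal length (offsets stay valid)."""
    out = bytearray(data)
    for tag, off, n in iter_elements(data):
        if tag in PHI_TAGS:
            out[off:off + n] = b" " * n
    return bytes(out)

def _el(group, elem, vr, value):
    # Build one explicit-VR LE element for the constructed sample (values are even-length).
    value += b" " * (len(value) % 2)
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value

# Constructed sample file: preamble, magic, then elements in ascending tag order.
SAMPLE = (b"\x00" * 128 + b"DICM"
          + _el(0x0008, 0x0020, b"DA", b"20190715")
          + _el(0x0008, 0x0060, b"CS", b"CT")
          + _el(0x0008, 0x0080, b"LO", b"Example Clinic")
          + _el(0x0008, 0x0090, b"PN", b"Doe^Jane")
          + _el(0x0010, 0x0010, b"PN", b"Roe^Richard")
          + _el(0x0010, 0x0020, b"LO", b"000-00-0000")
          + _el(0x0010, 0x0030, b"DA", b"19700101"))
```

For production use, a full DICOM library such as pydicom handles implicit-VR files, nested sequences and character sets that this minimal parser deliberately leaves out.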

Considering how valuable this information is on the black market, it is alarming that so many millions of patients were put at risk due to insecure file storage. 

Researchers could not find any evidence to suggest that threat actors had accessed the information and placed it online, but the possibility of unauthorized data access could not be ruled out definitively.

PACS are designed to allow images to be accessed easily by healthcare professionals, but the systems often lack security controls to restrict access. Healthcare delivery organizations (HDOs) must ensure appropriate safeguards are in place to secure their PACS.

To help address the problem, the National Cybersecurity Center of Excellence (NCCoE) recently released new guidance for HDOs to help them improve security controls on PACS and mitigate risks without negatively impacting user productivity and system performance.

It is unclear whether any organizations will be prosecuted for violations of the Health Insurance Portability and Accountability Act as a result of this information being freely available online.