Unsecured Online PACS Makes 400 Million Medical Images Freely Accessible

Following a recently completed investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and the vulnerability analysis company Greenbone Networks, it has been reported that 24.3 million medical images held in image storage systems are freely accessible on the Internet and require no authentication to view or download.

Those images, which include X-rays, MRI, and CT scans, are held in picture archiving and communications systems (PACS) linked to the Internet.

Greenbone Networks examined 2,300 Internet-connected PACS between July and September 2019 and set up a RadiAnt DICOM Viewer to access the images saved on open PACS servers.

Those servers were found to contain around 733 million medical images, of which 399.5 million could be viewed and downloaded. The researchers found that 590 servers required no authentication whatsoever to access medical images.

PACS use the Digital Imaging and Communications in Medicine (DICOM) standard to view, process, store, and share images. In most cases, a DICOM viewer would be necessary to access the images, but in some cases all that is required is a web browser or a few lines of code. Any individual with rudimentary computer skills would be able to view and obtain the images.

The exposed PACS were located in 52 countries, and the highest concentration of unsecured PACS was found in the United States, where 187 unsecured servers were discovered. The exposed U.S. PACS contained 13.7 million data sets and 303.1 million medical images of approximately 5 million U.S. patients.

The experts found more than 10,000 security issues on the audited systems, 20% of which were high severity; 500 were critical and were assigned a CVSS v3 score of 10 out of 10.

The images included personal and medical information such as patients' names, dates of birth, scan date, scope of the examination, type of imaging procedure performed, institute name, attending physicians' names, and the number of images generated. Some of the images also included Social Security numbers.

The range of patient information included in the images could be used for identity theft, medical identity theft, and insurance fraud. The data could also be used to steal money from patients or to create highly realistic spear phishing emails.

While the investigation found no proof to suggest any of the exposed information had been copied and published online, the possibility of data theft could not be ruled out.

PACS are designed to allow images to be obtained easily by healthcare workers, but the systems often lack security controls to restrict access. It is the responsibility of healthcare delivery organizations (HDOs) to ensure security measures are implemented to secure their PACS, but HDOs can face major hurdles addressing vulnerabilities and securing their systems without negatively affecting workflows.

To help address the issue, the National Cybersecurity Center of Excellence (NCCoE) recently released new guidance for HDOs to help them enhance security measures on PACS and mitigate risks without negatively impacting user productivity and system performance.

Author: Maria Perez