[ad_1]
The registrations cover more than 5 million patients in the United States and millions more in the world. In some cases, a spy could use free software – or just a typical web browser – to display images and personal data, as revealed by the ProPublica survey and the German broadcaster Bayerischer Rundfunk.
We identified 187 servers – computers used to store and retrieve medical data – in the United States that were not protected by passwords or basic security measures. Computer systems, from Florida to California, are used in doctors' offices, medical imaging centers and mobile X-ray services.
The insecure servers we discovered add to the growing list of medical records systems that have been compromised in recent years. Unlike some of the most infamous recent security breaches, in which hackers bypassed a company's cyber defenses, these records were often stored on servers lacking the security precautions that had long been in place for businesses and organizations government.
"It's not even computer hacking. It's an open door, "said Jackie Singh, cybersecurity researcher and general manager of the Spyglass Security consulting firm. Some health care providers started locking their systems after explaining what we found.
Our review revealed that the magnitude of the exposure varied depending on the health care provider and the software used. For example, the server of the American company MobilexUSA has posted the names of over a million patients, all while typing a simple data query. Their birth dates, doctors and procedures were also included.
Posted by ProPublica, MobilexUSA strengthened its security last week. The company conducts X-rays and provides imaging services to retirement homes, rehabilitation hospitals, hospice palliative care agencies and prisons. "We quickly limited the vulnerabilities identified by ProPublica and immediately opened an in-depth investigation in progress," MobilexUSA's parent company said in a statement.
Another imaging system, linked to a doctor in Los Angeles, allowed all Internet users to see the echocardiograms of his patients. (The doctor did not respond to ProPublica's inquiries.)
In total, medical data from more than 16 million analyzes worldwide were available online, including names, birth dates and, in some cases, social security numbers.
Experts say it is difficult to determine who is responsible for the lack of privacy protection for medical images. Under US law, health care providers and their associates are legally responsible for protecting the confidentiality of patient data. Several experts have stated that such exposure of patient data could constitute a violation of the 1996 HIPAA, which requires health care providers to protect the privacy and security of US health data.
Although ProPublica has found no evidence that patient data has been copied from these systems and published elsewhere, the consequences of unauthorized access to such information could be devastating. "Medical records are one of the most important areas for confidentiality because they are very sensitive. Medical knowledge can be used against you in a malicious way: to shame people, to blackmail them, "said Cooper Quintin, a security researcher and senior technologist at the Electronic Frontier Foundation, a digital rights group.
"It's so irresponsible," he said.
The question should not come as a surprise to medical providers. For years, an expert has tried to warn against the occasional treatment of personal health data. Oleg Pianykh, director of medical analysis at the Department of Radiology at Massachusetts General Hospital, said medical imaging software was traditionally designed with the assumption that patient data would be secured by the client's computer security systems.
But as the networks of hospitals and medical centers became increasingly complex and connected to the Internet, responsibility for security was transferred to network administrators who assumed that safeguards were in place. "Medical safety has suddenly become a do-it-yourself project," Pianykh wrote in a research article published in a medical journal in 2016.
The ProPublica survey is based on the findings of Greenbone Networks, a German-based security company that has identified problems in at least 52 countries in every inhabited continent. Dirk Schrader of Greenbone first shared his research with Bayerischer Rundfunk after discovering that medical records of some patients were at risk. German journalists then approached ProPublica to explore the extent of exposure in the United States.
Schrader found five servers in Germany and 187 in the US, making patient records available without a password. ProPublica and Bayerischer Rundfunk have also analyzed the Internet protocol addresses and identified, as far as possible, their health care provider.
ProPublica has independently determined the number of patients that can be affected in America and found that some servers were using outdated operating systems with known security vulnerabilities. Schrader said data from more than 13.7 million medical tests in the US were available online, including more than 400,000 in which x-rays and other images could be downloaded.
The problem of privacy stems from the medical profession's shift from analog to digital technology. The time when X-rays of the film were displayed on fluorescent light panels is over. Today, imaging studies can be instantly uploaded to servers and viewed on the Internet by doctors in their offices.
As in the early days of this technology, as in most cases on the Internet, security was hardly considered. The HIPAA switch required that patient information be protected from unauthorized access. Three years later, the medical imaging industry has released its first safety standards.
Our reports indicated that major hospital chains and academic medical centers had effectively implemented security protections. Most of the unprotected data cases we found involved independent radiologists, medical imaging centers, or archival services.
A German patient, Katharina Gaspari, underwent an MRI three years ago and said she normally trusted her doctors. But after Bayerischer Rundfunk showed Gaspari her images available online, she said, "Now I'm not sure I can do it again." The German system that stored its recordings was locked last week.
We found that some systems used to archive medical images also lacked security measures. Offsite Image, based in Denver, has left open the names and other details of more than 340,000 human and veterinary records, including those of a large cat named "Marshmellow," discovered ProPublica. An off-site Image Manager told ProPublica that the company charged customers $ 50 for site access and $ 1 per study. "Your data is safe with us," says the Offsite Image website.
The company then referred ProPublica to its technology consultant, who first defended Offsite Image's security practices and insisted that a password was needed to access patient records. The consultant, Matthew Nelms, then called a ProPublica reporter a day later and acknowledged that Offsite Image's servers were accessible but were now being repaired.
"We just were never aware that it was possible to happen," Nelms said.
In 1985, an industry group of radiologists and imaging manufacturers created a standard for medical imaging software. The standard, now called DICOM, explains how medical imaging devices talk to each other and share information.
We shared our findings with representatives of the Medical Imaging & Technology Alliance, the group that oversees the standard. They acknowledged that there were hundreds of servers with an open internet connection, but suggested that the managers were responsible.
"Even though it's a relatively small number," the organization said in a statement, "it's possible that some of these systems contain patient records. These probably represent poor configuration choices on the part of those who operate these systems. "
The minutes of the 2017 meeting show that a security working group has learned about Pianykh's findings and suggested meeting with him for further discussion. This "action item" was listed for several months, but Pianykh said that he had never been contacted. The alliance of medical imaging told ProPublica last week that the group had not met with Pianykh because his concerns had been sufficiently addressed in his article. They stated that the committee had concluded that its safety standards were not flawed.
Pianykh said that misses the point. It's not a lack of standards; it is that manufacturers of medical equipment do not follow them. "The security of medical data has never been properly integrated into clinical data or devices, it is still largely theoretical and does not exist in practice," wrote Pianykh in 2016.
ProPublica's latest findings follow several other major violations. In 2015, Anthem, a US health insurance company, revealed that private data belonging to more than 78 million people was exposed in a hacked manner. In the last two years, US officials have announced that more than 40 million people have seen their medical data compromised, according to a US Department of Health and Human Services file review.
Joy Pritts, a former privacy officer at HHS, said the government was not tough enough to control the privacy breaches of patients. She cited an HHS announcement in April that lowered the maximum annual fine from $ 1.5 million to $ 250,000 for what is known as "corrected willful neglect" – a result of conscious failures. or reckless indifference that a company is trying to repair. She added that large companies would not only consider these fines a mere cost of doing business, but could also negotiate with the government to reduce them. A ProPublica review in 2015 revealed only a few consequences for HIPAA recidivists.
A spokeswoman for the HHS Civil Rights Bureau, which enforces violations of the HIPAA law, said it would not comment on open or potential investigations.
"What we generally see in the healthcare sector is that there is a solution on every system," said Singh, a cybersecurity expert. She said it was a "shared responsibility" between manufacturers, standardizers and hospitals to ensure server security.
"It's 2019," she said. "There is no reason for that."
How do I know if my medical imaging data is secure? If you are a patient:
If you have passed a medical imaging examination (x-ray, CT scan, MRI, ultrasound, etc.), ask the health provider who performed it (or your doctor) if access to your images requires an ID and a password. Ask your doctor if their office or the medical imaging provider to which they refer patients is conducting a regular safety assessment in accordance with HIPAA requirements.
If you are a medical imaging provider or medical office:
Researchers have discovered that DICOM's integrated image archiving and communication system (PACS) servers can be exposed if they are connected directly to the Internet without VPNs or firewalls, or if their access did not require a secure password. You or your IT team must ensure that your PACS server can not be accessed over the Internet without a VPN connection and password. If you know the IP address of your PACS server but do not know if it is (or has been) accessible via the Internet, contact us at [email protected].
Related Video: A cyber-incident hit by a hospital (Provided by WWL-TV New Orleans)
[ad_2]
Source link