4.4M medical imaging files exposed online, new report finds

Researchers estimate nearly 4.4 million medical imaging files were exposed through online file repositories—nearly double the number revealed last year, according to a May 30 report published by digital risk prevention company Digital Shadows.

About 4.7 million exposed medical-related files were uncovered, the majority of them DICOM files. The remaining 300,000 were Health Level 7 (HL7) messages and HIPAA health care transaction files in the X12 format.

Overall, the firm’s Photon Research team uncovered 2.3 billion exposed files, nearly 750 million more than last year’s report.

“Healthcare data collected by hospitals—like patient diagnoses, medical images, and operational data—should be some of the most secured information, end of story,” the report read. “Stolen finances can be reclaimed and passwords to accounts can be changed, but profoundly personal information about your health care can’t be rehabilitated with a few keystrokes.”

Where are the majority of leaks coming from? The U.S. leads the pack with 326 million exposed records, with Germany at 121 million and the United Kingdom at 98 million.

The main culprit behind the exposures is misconfiguration of commonly used file-storage technologies, according to the report.

Almost half of the files were exposed through the Server Message Block (SMB) protocol. File Transfer Protocol (FTP) services, rsync servers, Amazon S3 buckets and network attached storage (NAS) devices were the other most common sources of exposure.

The Photon team provided a number of precautions for organizations, including the following:

“Use Amazon S3 Block Public Access to limit public exposure of buckets which are intended to be private. Enable logging through AWS to monitor for any unwanted access or potential exposure points.”

“Use SSH File Transfer Protocol (SFTP) as an update to FTP, which adds SSH encryption to the protocol.”

“As with FTP servers, network attached storage (NAS) drives should be placed internally behind a firewall and access control lists should be used to prevent unwanted access.”
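The S3 precaution above can be checked rather than assumed. The following audit is an added example written for this article, not code from the Digital Shadows report: it takes the public-access-block and ACL settings of each bucket (in the shape boto3's `get_public_access_block()` and `get_bucket_acl()` return; a bucket with no block configuration is modelled as `None`), reports which of the four Block Public Access flags are off, flags ACL grants to the AllUsers/AuthenticatedUsers groups that are still live, and builds the hardened `put_public_access_block` call. The bucket inventory is constructed; bucket policies are not evaluated.

```python
"""Audit S3 Block Public Access against bucket ACLs and emit the hardened form.

Added example. The four flags and the two group URIs are the ones S3 uses; the
inventory at the bottom is constructed. In production, feed it the dicts from
boto3's get_public_access_block() / get_bucket_acl(); a bucket that raises
NoSuchPublicAccessBlockConfiguration is passed as None (every flag off).
"""

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")
HARDENED_CONFIG = {flag: True for flag in PUBLIC_ACCESS_FLAGS}
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def effective_flags(pab):
    """Normalise a get_public_access_block response (or None) to flag -> bool."""
    cfg = {} if pab is None else pab.get("PublicAccessBlockConfiguration", {})
    return {flag: bool(cfg.get(flag, False)) for flag in PUBLIC_ACCESS_FLAGS}


def public_acl_grants(acl):
    """Permissions an ACL grants to the public AllUsers/AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEES]


def audit_bucket(pab, acl):
    """Return (flags_left_off, live_public_permissions) for one bucket.
    Public ACL grants only matter while IgnorePublicAcls is off: once it is on,
    S3 ignores them, so a partially configured bucket may already be safe."""
    flags = effective_flags(pab)
    missing = [f for f in PUBLIC_ACCESS_FLAGS if not flags[f]]
    exposed = [] if flags["IgnorePublicAcls"] else public_acl_grants(acl)
    return missing, exposed


def remediation(name, pab, acl):
    """kwargs for s3.put_public_access_block(**kw) if any flag is off, else None."""
    missing, _ = audit_bucket(pab, acl)
    return None if not missing else {
        "Bucket": name, "PublicAccessBlockConfiguration": dict(HARDENED_CONFIG)}


# Constructed inventory: unconfigured + world-readable, partial, and hardened.
WORLD_READ = {"Grants": [{"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                           "Permission": "FULL_CONTROL"}]}
SAMPLE_BUCKETS = {
    "radiology-archive": (None, WORLD_READ),
    "hl7-exports": ({"PublicAccessBlockConfiguration":
                     {"BlockPublicAcls": True, "IgnorePublicAcls": True}}, WORLD_READ),
    "claims-x12": ({"PublicAccessBlockConfiguration": dict(HARDENED_CONFIG)}, PRIVATE_ACL),
}


def audit_inventory(buckets=SAMPLE_BUCKETS):
    return {name: audit_bucket(pab, acl) for name, (pab, acl) in buckets.items()}
```

Pair the audit with S3 server access logging or CloudTrail data events, as the report recommends, so that any read against a bucket the audit flags is visible.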

“Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant. Countries within the European Union are collectively exposing over one billion files – nearly 50% of the total we looked at globally – some 262 million more than when we looked last year. We urge all organizations to regularly audit the configuration of their public facing services,” said Harrison Van Riper, a Photon Research analyst, in a prepared statement.