More than 45M medical images accessible online via unprotected servers, new report finds

More than 45 million unique medical imaging files, including x-rays and CT scans, are freely accessible on unprotected servers across the globe, according to a new six-month investigation.

Cybersecurity and risk management company CybelAngel analyzed nearly 4.3 billion IP addresses for their report, published Tuesday. A majority of the exposures were tied to vulnerable network-attached storage devices and DICOM files, both of which hospitals use to share medical data.

David Sygula, senior analyst at the company and author of the report, noted that no hacking tools were needed to access the personal information (birth dates, addresses, names, diagnoses, and more) contained within these files.

“This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals,” Sygula added in a statement. “A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”

The search identified more than 2,140 unprotected servers across 67 countries. Twelve servers were associated with medical centers or hospitals and another five were connected to independent doctors.

Cyberattacks targeting hospitals have dramatically increased in recent years. One report put out in March found that 83% of imaging devices are running on outdated platforms, leaving them susceptible to attack.

Informatics experts in October, meanwhile, published five tips for safeguarding PACS and imaging devices against such attacks.

CybelAngel analysts also offered their own recommendations, which include:

  • Ensuring the added data gathered during your institution’s pandemic response can be protected using current security policies.
  • Minimizing the exposure of key diagnostic imaging equipment and supporting systems to wider networks.
  • Completing an audit of third-party partners to pinpoint those not complying with institutional policies and protocols.

“Medical centers work with a vast, interconnected web of third-party providers and the cloud is an essential platform for sharing and storing data,” Todd Carroll, CybelAngel’s chief information security officer, added. “The health sector has faced unprecedented challenges this year; however, the security and privacy of their patients’ most personal records must be protected, to prevent highly confidential data falling into the wrong hands.”
