Billions of images left vulnerable online due to unsecured PACS

More than 1 billion medical images remain exposed online via vulnerabilities in picture archiving and communication systems (PACS) across the globe, according to a new investigation led by a German security firm.

That problem has only grown since the firm, Greenbone Networks, released its initial report last September, which found data from more than 24.5 million patient studies and 737 million images accessible over the internet. That investigation was published with help from ProPublica and German public broadcaster Bayerischer Rundfunk.

Sixty days after that original research, the firm found data from more than 35 million exams and 1.19 billion images publicly viewable.

Greenbone said in a blog post that the 40% uptick in easily accessible patient data is “simply put—frightening.”

The United States, which was placed into the “ugly” group—reserved for the most egregious violators—produced some “alarming” datasets stored in unprotected PACS.

One specific U.S. archive allowed full access to all images related to more than 1 million exams, including protected health information. And about 75% of those individuals had their Social Security numbers exposed as well.

“The potential risk for medical identity theft for the affected individuals sums up to about $3.3 billion,” Greenbone said in its blog post. “That amount is almost two-thirds of the overall financial risk calculated for this type of exploitation and the PACS identified.”

A Jan. 10 report from TechCrunch, which worked with Greenbone to confirm its findings, pointed to a combination of unprotected PACS servers, the “decades-old” file format called DICOM and institutions' disregard for sound security practices as contributors to this cybersecurity problem.

The format was developed to ease the transition to storing medical images digitally in a single file and sharing them across institutions. But a number of offices bypass security protocols and connect their PACS server directly to the internet, unprotected by passwords, TechCrunch reported.

The situation doesn’t appear close to any sort of resolution. Rather, “it seems to get worse every day,” Dirk Schrader, who led the research at Greenbone, told TechCrunch.
