Just one day after a report revealed that medical images and health data for millions of patients in the U.S. and abroad sit unprotected on the internet, another probe found accessible medical data online for 24.3 million patients in 52 countries.
Among the information linked to the medical records, uncovered by Greenbone Networks, are 737 million images – with 400 million accessible or downloadable from the internet. “All identified systems disclosed the patient’s name, date of birth, date of examination and some medical information about the reason for examination,” the Greenbone report said of 590 medical image archiving systems out of the 2,300 systems it analyzed. “In addition, there are 39 systems that allow access to patient data via an unencrypted HTTP Web Viewer, without any protection.”
Researchers spotted myriad vulnerabilities, many of them several years old, on audited systems. “These CVSS 10.0 vulnerabilities most often include vulnerable web applications and databases, which are also common targets for hackers,” the report said, noting that individual systems also showed indicators of compromise.
The back-to-back reports should push medical organizations to take more care with sensitive information and evaluate just what should be put online. “Just because something can be connected to the internet, it doesn't necessarily mean it should be connected to the internet - especially where there is personal sensitive information involved - and even more so when there is apparently little to no investment in security controls to validate that the data is secured properly,” said Javvad Malik, Security Awareness Advocate at KnowBe4. “While it's important to have medical information of patients readily available to healthcare providers and hospitals, particularly in times of an emergency, this shouldn't translate to having all information available at all times.”
Monitoring controls, he said, “should be in place to ensure that any medical records viewed, even by medical staff, should only be done so if there is a valid clinical or administrative reason.”
While the records being publicly available in and of itself is cause for concern, Malik said it was “worrying” that “it appears as if there is no internal audit process in place to validate if access is warranted.”