Over 45 million medical imaging files are freely accessible on unprotected servers, according to a new investigation by CybelAngel.
The researchers discovered that a huge range of sensitive medical images, including X-rays and CT scans, can be accessed without the requirement for a username and password. Instances were even found of login portals accepting blank usernames and passwords.
The team scanned around 4.3 billion IP addresses, and found that more than 45 million of these images were left exposed on over 2140 unprotected servers across 67 countries including the US, UK and Germany.
CybelAngel also revealed that personal information was among the data left unencrypted and without password protection online. This includes personally identifiable information such as name, birth date, address and personal healthcare information including height, weight and diagnosis.
The easy availability of this kind of imagery and data leaves patients at risk of blackmail and ransomware as well as fraud, according to the study authors, who noted that medical data is in high demand on the dark web.
The investigators added that healthcare providers may be liable to sanctions for these breaches of sensitive patient information under data protection laws such as the GDPR in Europe.
Author of the report, David Sygula, senior cybersecurity analyst at CybelAngel commented: “The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files. This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”
Todd Carroll, VP cyber operations at CybelAngel added: “Medical centers work with a vast, interconnected web of third-party providers and the cloud is an essential platform for sharing and storing data. However, gaps in security, such as this, present a huge risk, both for the individuals whose data is compromised and the healthcare institutions that are governed by regulations to protect patients’ data.
"The health sector has faced unprecedented challenges this year, however the security and privacy of their patients’ most personal records must be protected, to prevent highly confidential data falling into the wrong hands.”
The researchers discovered that a huge range of sensitive medical images, including X-rays and CT scans, can be accessed without the requirement for a username and password. Instances were even found of login portals accepting blank usernames and passwords.
The team scanned around 4.3 billion IP addresses, and found that more than 45 million of these images were left exposed on over 2140 unprotected servers across 67 countries including the US, UK and Germany.
CybelAngel also revealed that personal information was among the data left unencrypted and without password protection online. This includes personally identifiable information such as name, birth date, address and personal healthcare information including height, weight and diagnosis.
The easy availability of this kind of imagery and data leaves patients at risk of blackmail and ransomware as well as fraud, according to the study authors, who noted that medical data is in high demand on the dark web.
The investigators added that healthcare providers may be liable to sanctions for these breaches of sensitive patient information under data protection laws such as the GDPR in Europe.
Author of the report, David Sygula, senior cybersecurity analyst at CybelAngel commented: “The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files. This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”
Todd Carroll, VP cyber operations at CybelAngel added: “Medical centers work with a vast, interconnected web of third-party providers and the cloud is an essential platform for sharing and storing data. However, gaps in security, such as this, present a huge risk, both for the individuals whose data is compromised and the healthcare institutions that are governed by regulations to protect patients’ data.
"The health sector has faced unprecedented challenges this year, however the security and privacy of their patients’ most personal records must be protected, to prevent highly confidential data falling into the wrong hands.”
