It turns out that anyone with basic computing skills and an internet connection can access millions of private medical images and data—such as MRIs, X-rays, and CT scans—as well as a buffet of valuable private info, according to a disturbing report from ProPublica.
The gist is that as the medical community moved from analog to digital methods of sharing test results, security practices lagged behind. Unlike data breaches in other industries, where hackers make use of flaws in a company’s security practices, many digital medical records systems don’t even require passwords. That means you don’t need specialized hacking software to view millions of medical test results; an internet browser and knowing where to look are enough.
In its investigation, ProPublica worked with German security firm Greenbone Networks and journalists from German broadcaster Bayerischer Rundfunk. The investigation ultimately identified 187 servers in the U.S. that lacked passwords or basic security precautions. In total, data from more than 16 million medical scans worldwide is available online. What’s worse is that on top of private medical images, the scans include sensitive information such as names, birthdates, and in some cases, Social Security numbers.
One issue is it’s unclear who exactly is at fault, and many of the parties involved seem to think securing data is someone else’s responsibility. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to “assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care.” Among its provisions is a requirement that standards be publicized for the “electronic exchange, privacy and security of health information.”
That would appear to put the onus on health care providers and the services they use. However, the report found that companies creating medical imaging software and medical device makers assumed their customers—health providers—would be in charge of securing data. At the same time, while large hospital chains and academic medical centers did, in fact, implement security standards, ProPublica discovered this was not the case for many independent radiologists, medical imaging centers, or archiving services. It contacted the Medical Imaging & Technology Alliance, the group that oversees the DICOM communication standard used by medical imaging devices, but the group pointed the finger at those in charge of maintaining the servers where data is stored. Likewise, the report found the government doesn’t do a great job of punishing companies for patient privacy breaches, noting that in April the U.S. Department of Health and Human Services lowered the maximum fine for “corrected willful neglect” from $1.5 million to $250,000.
Some of the health care providers ProPublica reached out to have since beefed up their security. Thankfully, the report found no instances of malicious actors accessing these vulnerable medical images and publishing them elsewhere. That said, the potential for abuse is terrifying. Usually, data breaches involve identifying information such as emails, passwords, and phone numbers. That’s terrible, but leaked medical data can also expose the private details of a person’s health. Such information could easily be used to embarrass, blackmail, or encourage discrimination. Unfortunately, this isn’t even the first reported instance of widespread carelessness with regard to medical records. In April, the medical files of 145,000 rehab patients were leaked online, unnecessarily putting people who sought help at risk of social stigma. Likewise, in 2017, tens of thousands of medical records belonging to patients at Bronx-Lebanon Hospital Center in New York were stored on insecure servers run by a third-party IT service.
At the moment there’s not much an individual can do, as fixing the problem requires a concerted effort from medical manufacturers, providers, the government, and standards makers. If you’re concerned, you can, as ProPublica recommends, ask your health care provider whether accessing your results requires a login and password. You can also ask your doctor whether their office or their medical imaging provider regularly conducts HIPAA security assessments—though the chances of a doctor or receptionist knowing that off the top of their head seem slim at best. In any case, it can’t hurt to ask about your provider’s privacy practices the next time you go in for a test.