The records cover more than 5 million patients in the United States and millions more around the world. In some cases, a snoop can use free programs – or just a typical browser – to view photos and private data, a survey by ProPublica and the German broadcaster Bayerischer Broadcast found.
We identified 187 servers – computers used to store and retrieve medical data – in the United States that were unprotected by passwords or basic security precautions. The computer systems, from Florida to California, are used in medical offices, medical imaging centers and mobile X-ray services.
The insecure servers we uncovered add to a growing list of journal systems that have been compromised in recent years. Unlike some of the more notorious recent security breaches, where hackers bypassed a company's cyber defense, these records were often stored on servers that lacked security precautions that long ago became the standard for businesses and government agencies.
"It's not even hacking. It's going to be an open door," said Jackie Singh, a cyber security researcher and CEO of the consulting firm Spyglass Security. Some medical providers started locking their systems after we told them what we had
Our review found that the extent of exposure varies depending on the health care provider and the software they use, for example, the server of the US company MobilexUSA showed the names of more than one million patients ̵
MobilexUSA was notified by ProPublica and tightened security last week. identified by ProPublica, and immediately started an ongoing, thorough one search, "MobilexUSA's parent company said in a statement.
Another imaging system, linked to a doctor in Los Angeles, allowed everyone on the Internet to view patients' echocardiograms. (The doctor did not respond to inquiries from ProPublica.)
Medical data from more than 16 million scans worldwide were available online, including name, date of birth and in some cases social security numbers.  Experts say it is difficult to find out who is to blame for the failure to protect the privacy of medical images. Under US law, health care professionals and their business associates are legally responsible for ensuring the privacy of patient data. Several experts said that such exposure to patient data could violate the Health Insurance Portability and Accountability Act, or HIPAA, the 1996 law that requires health care professionals to keep Americans' health data confidential and secure.
Although ProPublica found no evidence that patient data was copied from these systems and published elsewhere, the consequences of unauthorized access to such information can be devastating. "Medical records are one of the most important areas of privacy because they are so sensitive. Medical knowledge can be used against you in malicious ways: to shame people, to blackmail people," said Cooper Quintin, a security researcher and senior technology technologist at Electronic Frontier Foundation, a group of rights.
"This is so totally indefensible," he said.
The problem should not be a surprise to medical providers. For several years, an expert has been trying to warn about accidental handling of personal health information. Oleg Pianykh, director of medical analysis at Massachusetts General Hospital's radiology department, said medical imaging software has traditionally been written with the assumption that patients' data would be secured by the client's computer security systems.
However, as the networks of hospitals and medical centers became more complex and connected to the Internet, the responsibility for security shifted to network administrators who assumed that guarantees were in place. "Suddenly, medical safety has become a do-it-yourself project," Pianykh wrote in a 2016 research paper he published in a medical journal.
ProPublica's survey was based on findings from Greenbone Networks, a security company based in Germany that identified problems in at least 52 countries in each inhabited continent. Greenbone's Dirk Schrader first shared his research with Bayerischer Rundfunk after discovering that some patients had health records. The German journalists then approached ProPublica to explore the extent of exposure in the United States
Schrader found five servers in Germany and 187 in the United States that made patients' records available without a password. ProPublica and Bayerischer Broadcast also scanned Internet protocol addresses and, if possible, identified which medical provider they belonged to.
ProPublica independently determined how many patients could be affected in America, and found that some servers were running outdated operating systems with known vulnerabilities. Schrader said data from more than 13.7 million medical tests in the United States were available online, including more than 400,000 x-rays and other downloadable images.
The privacy issue traces back to the medical profession's shift from analogue to digital technology. Long gone are the days when radiographs from films were shown on fluorescent tubes. Today, imaging exams can be instantly uploaded to servers and viewed over the internet by doctors in their offices.
In the early days of this technology, as with much of the Internet, no particular emphasis was placed on security. The transition to HIPAA required that patient information be protected from unauthorized access. Three years later, the medical imaging industry published its first safety standards.
Our reporting indicated that major hospital chains and academic medical centers put security protections in place. Most cases of unprotected data were found by independent radiologists, medical imaging centers or filing services.
A German patient, Katharina Gaspari, received an MRI examination three years ago and said she normally trusts her doctors. But after Bayerischer Broadcast showed Gaspari their photos available online, she said: "Now I'm not sure if I still can." The German system that stored her records was shut down last week.
We found that some systems used to archive medical images also lacked security measures. Denver-based Offsite Image released the names and other details of more than 340,000 people and veterinary records, including those from a large cat named "Marshmellow," ProPublica found. An on-site CEO told ProPublica that the company charges clients $ 50 to access the site and then $ 1 per study. "Your data is safe and secure with us," the website tells Offsite Image.
The company referred ProPublica to its technology consultant, who first defended Offsite Bild's security practices and insisted that a password was needed to access patient records. The consultant, Matthew Nelms, then called a ProPublica reporter a day later and acknowledged that Offsite Image's servers had been available but were now fixed.
"We just never even realized there was an opportunity that could even happen," Nelms said.
In 1985, an industry group including radiologists and imaging equipment manufacturers established a standard for medical imaging software. The standard, now called DICOM, wrote how medical imaging devices talk to each other and share information.
We shared our findings with officials from the Medical Imaging & Technology Alliance, the group that oversees the standard. They acknowledged that there were hundreds of servers with an open connection on the Internet, but suggested that the blame lay with the people who ran them.
"Although there is a relatively small number," the organization said in a statement, "It may be possible that some of these systems may contain patient records. They probably represent poor configuration choices from those operating these systems. ”
Meeting minutes from 2017 show that a security working group learned about Pianykh's findings and suggested meeting him to discuss them further. This "place of action" was listed for several months, but Pianykh said he was never contacted. The medical imaging alliance told ProPublica last week that the group did not meet Pianykh because the concerns they had were adequately addressed in his article. They said that the committee concluded that the safety standards were not wrong.
Pianykh said that misses the point. It is not a lack of standards; manufacturers of medical devices do not follow them. "Medical data security has never been properly embedded in clinical data or devices, and is still largely theoretical and does not exist in practice," Pianykh wrote in 2016.
ProPublica's recent findings follow several other major violations. In 2015, U.S. health insurance company Anthem Inc. revealed that private data belonging to more than 78 million people was hacked. Over the past two years, U.S. officials have reported that more than 40 million people have had their medical data compromised, according to an analysis of records from the US Department of Health and Human Services.
Joy Pritts, a former HHS staff member, said the government is not tough enough to politicize privacy violations. She cited an announcement from HHS in April that lowered the maximum annual fine, from $ 1.5 million to $ 250,000, for what is known as "corrected willful neglect" – the result of deliberate error or reckless indifference that a company is trying to arrange. She said that big companies would not only consider these fines as just the cost of doing business, but that they could also negotiate with the government to reduce them. A ProPublica survey in 2015 found few consequences for repeat offenders of HIPAA.
A spokeswoman for the HHS & # 39; Office for Civil Rights, which enforces HIPAA violations, said it would not comment on open or prospective investigations.
"What we typically see in the health care system is that Band-Aid upon Band-Aid is used" for old computer systems, said Singh, the cybersecurity expert. She said there is a "shared responsibility" among manufacturers, standard manufacturers and hospitals to ensure data servers are secured.
"It's 2019," she said. "There is no reason for this."
How do I know if my medical image data is secure? If you are a patient:
If you have had a medical imaging scan (e.g. X-ray, CT scan, MRI, ultrasound, etc.), ask the healthcare professional who did the scan – or your doctor – to access your images requires login and password. Ask your doctor about the office or medical imaging facility to which they refer patients, perform a regular safety assessment required by HIPAA.
If you are a medical imaging or medical office:
Researchers have found that image archiving and communication systems (PACS) servers that implement the DICOM standard can be compromised if connected directly to the Internet without a VPN or firewall, or if access to them does not require a secure password. You or your IT staff should ensure that the PACS server cannot be accessed via the Internet without a VPN connection and password. If you know the IP address of your PACS server but are not sure if it is (or has been) available through the Internet, please contact us at email@example.com.
Related video: Hospital Hit by & # 39; Cyber Incident & # 39; (Provided by WWL-TV New Orleans)