Updated report on unsecured PACS servers shows problem has escalated in the last 60 days
Vulnerability management specialist Greenbone Networks has released updated details of its research into the security of Picture Archiving and Communication Systems (PACS) servers used by health providers across the world to store images of X-rays as well as CT, MRI and other medical scans. When Greenbone announced its initial findings 60 days ago, over 24 million patient data sets were found unsecured on the internet; the number has since risen to 35 million.
A total of 1.19 billion medical images linked to this patient data have been identified, a 60% increase from Greenbone’s finding between July and September 2019. The data includes details of patient names, reason for examination, date of birth, and ID cards in some cases. Amongst the 786 million medical images identified in the US, which had the largest increase in new data sets discovered, Social Security Numbers were included on some of the images, and some sets listed details pertaining to military personnel IDs from the Department of Defense.
Overall, Greenbone discovered 129 new easily accessible archiving systems and data from nine additional countries, and found that the number of images freely available on the internet had increased most significantly in the US, India, South Africa, Brazil and Ecuador. It also found that proper controls, such as HIPAA in the US, were largely missing. In total, the number of data records which are accessible online without any level of protection has doubled, from 4.4 million to 9 million, and the number of images now accessible or easily downloadable via the internet is 370 million.
Conversely, Greenbone also found that 172 PACS servers, including all systems from 11 countries, among them the UK, Germany, Thailand and Venezuela, had in fact been taken completely offline and the patient data was no longer accessible via the internet.
Dirk Schrader, cyber resilience architect at Greenbone Networks, said: “Whilst some countries have taken swift action to address the situation and have removed all accessible data from the internet, the problem of unprotected PACS systems across the globe only seems to be getting worse. In the US especially, sensitive patient information appears to be free-flowing and is a data privacy disaster waiting to happen.
“When we carried out this second review, we didn’t expect to see more data than before and certainly not to have continued access to the ones we had already identified. There certainly is some hope in the fact that a number of countries have managed to get their systems off the internet so quickly, but there is much more work to be done.”
To ensure compliance with data protection regulations, Greenbone did not download or view any patient data as part of its research and will only be disclosing details of the vulnerable systems to authorised bodies.