Greenbone Networks Gives An Updated Report on Unsecured PACS and the 1.19 Billion Exposed Medical Images

Greenbone Networks, a German vulnerability analysis and management platform provider, discovered 60 days ago the magnitude of the exposure online of medical images stored in Picture Archiving and Communication Systems (PACS) servers. In a current report, the company revealed the worsening problem.

Healthcare providers use Picture Archiving and Communication Systems (PACS) servers for storing and sharing medical images with doctors for their review. However, a lot of healthcare providers do not use PACS servers that are secured enough. Therefore, medical images (MRI, CT Scans, X-Ray), together with personally identifiable patient data, are exposed online. Anybody who knows where and how to search for the files could find them, access them and, oftentimes, download the medical images without authorization. The images aren’t accessible because of software vulnerabilities. Access to data is possible due to the wrong configuration of the system and PACS servers.

From July to September 2019, Greenbone Networks worked to identify unsecured PACS servers worldwide. The study revealed the enormity of the problem. In the U.S., there were 13.7 million data sets on unsecured PACS servers and 45.8 million of 303.1 million medical images were accessible.

On November 18, Greenbone Networks’ updated report showed that 1.19 billion medical images were already identified globally. The previous total of 737 million increased by 60%. The findings of 35 million medical exams are exposed online, it was 24 million previously.

In the U.S., the researchers identified 21.8 million medical exam results and 786 million medical photos. There were 114.5 million photos accessible from 15 systems that permit unsecured Web/FTP access and directory website listing. In just one PACS, the researchers discovered 1.2 million exam results and 61 million medical photos. The researchers were able to fully access the data, including the images and related personally identifiable information.

In early November, Sen. Mark. R. Warner expressed his concern over the obvious lack of action by OCR regarding the exposed files. It seems that not much is being done to protect the PACS servers and prevent more data exposure.

The types of data exposed in the images include Protected Health Information (PHI) such as names, birth dates, examination dates, the extent of the investigations, imaging techniques done, attending doctors’ names, scanning location, number of images and Social Security numbers for 75% of the exposed images.

Data exposure puts patients vulnerable to identity theft and fraud, though there are actually other risks. In the past, security researchers showed that the DICOM image format is flawed allowing the inclusion of malicious code. Hence, images can be downloaded, contain malicious code, and be uploaded to the PACS without the data owner’s knowledge. In the Greenbone Networks study, only reading access was investigated and not image manipulation or upload.

Access and viewing of images can be done using the RadiAnt DICOM Viewer. There is free information online on setting up the RadiAnt DICOM Viewer to view images, including the viewer and the listing of IPs of the stored images.

It is estimated by Greenbone Networks that the value of exposed medical images and PHI is over $1 billion dollars. The data might be utilized for different nefarious purposes such as social engineering and phishing, identity theft, and blackmail.

Data exposure violates the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR) of the EU, and other data privacy and security regulations. The data exposure impacts people in over 52 countries.