More than 45 million medical imaging files, including X-rays and CT scans, are available online on unprotected servers all over the world. The finding is the result of a six-month investigation into Network Attached Storage (NAS) and Digital Imaging and Communications in Medicine (DICOM), conducted by researchers at CyberAngel.
DICOM (Digital Imaging and Communications in Medicine) is the standard used in healthcare to store, transmit and exchange medical images. A DICOM file carries the image together with a header of metadata fields such as the patient's name, date of birth, ID and study description, so an exposed image is also an exposed patient record.
During their investigation, CyberAngel's analyst team scanned approximately 4.3 billion IP addresses and discovered millions of images left exposed on more than 2,140 unprotected servers across 67 countries, including the US, UK, France and Germany.
Twelve of the servers contained more than a million DICOM files each, with a total of 9.8 million files found in the United States, 9.6 million files found in South Korea, and 8.8 million files found in Russia.
The report said that images typically included up to 200 lines of metadata per record, containing PII (personally identifiable information: name, birth date, address, etc.) and PHI (protected health information: height, weight, diagnosis, etc.), and that this data could be accessed without login credentials. In some instances, login portals accepted blank usernames and passwords, according to CyberAngel.
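To make concrete what "metadata per record" means in a DICOM file, here is an added example (not code from CyberAngel's report) that builds a small DICOM Part 10 file with constructed, fictitious patient data, reads the identifying header fields back out without any authentication or pixel decoding, and then rewrites the file with those fields redacted. The tag numbers are real DICOM tags (PatientName is (0010,0010), PatientBirthDate is (0010,0030), and so on); the file contents, the function names and the `ANONYMIZED` placeholder are assumptions for the example. The parser only handles the Explicit VR Little Endian transfer syntax and rejects undefined-length sequences; a real de-identification tool follows the DICOM confidentiality profiles and handles every transfer syntax.

```python
import struct

# Real DICOM tags (group, element) whose values identify the patient or study.
PII_TAGS = {
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x1030): "StudyDescription",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x0040): "PatientSex",
    (0x0010, 0x1010): "PatientAge",
    (0x0010, 0x1030): "PatientWeight",
    (0x0010, 0x1040): "PatientAddress",
}

# VRs whose element header carries 2 reserved bytes and a 32-bit length.
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
EXPLICIT_VR_LE = b"1.2.840.10008.1.2.1"  # Transfer Syntax UID


def encode_element(group, element, vr, value):
    """Encode one data element in Explicit VR Little Endian."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:  # DICOM values are padded to even length
        value += b"\x00" if vr in (b"UI", b"OB") else b" "
    if vr in LONG_LENGTH_VRS:
        return struct.pack("<HH2sHI", group, element, vr, 0, len(value)) + value
    return struct.pack("<HH2sH", group, element, vr, len(value)) + value


def build_sample_dicom():
    """Constructed sample (fictitious patient): a minimal Part 10 file."""
    meta = encode_element(0x0002, 0x0010, b"UI", EXPLICIT_VR_LE)
    meta = encode_element(0x0002, 0x0000, b"UL", struct.pack("<I", len(meta))) + meta
    dataset = b"".join([
        encode_element(0x0008, 0x0080, b"LO", "Example Hospital"),
        encode_element(0x0008, 0x1030, b"LO", "CT CHEST WITH CONTRAST"),
        encode_element(0x0010, 0x0010, b"PN", "DOE^JANE"),
        encode_element(0x0010, 0x0020, b"LO", "MRN0001234"),
        encode_element(0x0010, 0x0030, b"DA", "19840515"),
        encode_element(0x0010, 0x0040, b"CS", "F"),
        encode_element(0x0010, 0x1010, b"AS", "039Y"),
        encode_element(0x0010, 0x1030, b"DS", "72.5"),
        encode_element(0x0010, 0x1040, b"ST", "12 Example Street, Anytown"),
        encode_element(0x7FE0, 0x0010, b"OB", bytes(16)),  # pixel data stand-in
    ])
    return b"\x00" * 128 + b"DICM" + meta + dataset


def iter_elements(data, offset):
    """Walk Explicit VR LE elements from offset; yields (tag, vr, raw value)."""
    while offset + 8 <= len(data):
        group, element, vr = struct.unpack_from("<HH2s", data, offset)
        offset += 6
        if vr in LONG_LENGTH_VRS:
            (length,) = struct.unpack_from("<I", data, offset + 2)
            offset += 6
        else:
            (length,) = struct.unpack_from("<H", data, offset)
            offset += 2
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element not supported by this parser")
        yield (group, element), vr, data[offset:offset + length]
        offset += length


def check_header(data):
    """Require the DICM magic and the one transfer syntax this parser understands."""
    if len(data) < 132 or data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    for tag, _vr, value in iter_elements(data, 132):
        if tag == (0x0002, 0x0010):
            if value.rstrip(b"\x00") != EXPLICIT_VR_LE:
                raise ValueError("only Explicit VR Little Endian is handled here")
            return
    raise ValueError("transfer syntax UID missing from file meta information")


def extract_identifiers(data):
    """Return the identifying header fields: no credentials or pixel decoding needed."""
    check_header(data)
    found = {}
    for tag, _vr, value in iter_elements(data, 132):
        if tag in PII_TAGS:
            found[PII_TAGS[tag]] = value.decode("ascii", "replace").rstrip(" \x00")
    return found


def redact_identifiers(data, placeholder="ANONYMIZED"):
    """Rewrite the file with identifying values replaced; other elements are kept as-is."""
    check_header(data)
    out = bytearray(data[:132])
    for (group, element), vr, value in iter_elements(data, 132):
        if (group, element) in PII_TAGS:
            value = "19000101" if vr == b"DA" else placeholder  # keep the date VR well-formed
        out += encode_element(group, element, vr, value)
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_dicom()
    for name, value in extract_identifiers(sample).items():
        print(f"{name:18} {value}")
    print("after redaction:", extract_identifiers(redact_identifiers(sample)))
```

Run against the constructed file, `extract_identifiers` lists the hospital, study description, name, MRN, birth date, sex, age, weight and address straight from the header, which is the kind of record CyberAngel describes finding behind servers that demanded no password. `redact_identifiers` shows the opposite direction: the image bytes and file structure survive while the identifying fields are overwritten, which is what a de-identification step before sharing or archiving should achieve.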
“Medical centers work with a vast, interconnected web of third-party providers and the cloud is an essential platform for sharing and storing data. However, gaps in security, such as this, present a huge risk, both for the individuals whose data is compromised and the healthcare institutions that are governed by regulations to protect patients’ data. The health sector has faced unprecedented challenges this year; however, the security and privacy of their patients’ most personal records must be protected, to prevent highly confidential data falling into the wrong hands,” the researchers warned.