Unprotected Medical Systems Expose Data on Millions of Patients

Hundreds of Internet-accessible, unprotected medical imaging systems expose data on millions of patients worldwide, German security firm Greenbone reveals.

The analysis conducted by Greenbone, a vulnerability analysis and management solutions provider, focused on Picture Archiving and Communication Systems (PACS), which are used by healthcare organizations to capture, store and distribute medical images.

The company’s study aimed to shed some light into how well patient data is protected within healthcare organizations, and the results were not encouraging: nearly a quarter of the analyzed PACS servers exposed data to the Internet.

Specifically, out of 2,300 systems analyzed between July and September 2019, 590 were accessible from the Internet and had no protection for the personal or medical data stored on them. Such data included patient name and date of birth, date of examination, some details on the reason for examination, and even image data for those patients.

Overall, the 590 exposed systems contained more than 24.5 million data records from patients across 52 countries, including 737 million images (from X-ray, CT, MRI devices), with 400 million of these images easily downloadable over the Internet.

In November 2019, the security firm revisited the study, only to discover that the amount of exposed data had increased. Although 129 new archiving systems were found and 172 went offline, a total of 35 million data records were publicly accessible. Furthermore, the number of exposed images had increased from 737 million to 1.19 billion (1,193,404,000).

In an updated report (PDF), Greenbone revealed that the number of patient records for which it was possible to access images had doubled from 4.4 million to 9 million between September and November. The number of images that could easily be downloaded over the Internet had declined from 400 million to 370 million.

A re-run of the analysis at the beginning of January showed a slight decrease in the number of exposed PACS, though tens of millions of medical studies remain exposed to the Internet.

At the beginning of 2020, more than 460 of the previously exposed systems were still connected to the Internet, “allowing uncontrolled, unprotected access to patient information,” Dirk Schrader, cyber resilience strategist at Greenbone, told SecurityWeek in an email conversation.

“More than half of them allow even access to the images contained (not only to study data like name, DOB, date of exam, method of exam, physician name, etc),” he continued.

Globally, between November and early January, 5.9 million patient records were taken offline and 100 million images went down with them.

However, around 1 million studies were added to the systems that were still connected to the Internet. These, Schrader says, also included 30 million images.

Given that there was only a small change in the amount of exposed data within an 8-week timeframe and considering the off-peak due to Christmas, Schrader paints a rather bleak picture of the foreseeable future.

“This means that in about 3-4 months, the situation will be back and above the level of November 2019, if the number of unprotected systems isn’t reduced drastically,” he said.

Should the top 10% of PACS in terms of the number of studies stored on them be taken offline, the number of patient records exposed to the Internet would be reduced by more than 15 million, he explains.

“In addition it would substantially decrease the number of studies added over time as they are the largest ‘contributors’,” Schrader continues.

In terms of the most affected countries, the United States takes the leading position. Greenbone has informed over 140 U.S. organizations that they expose patient data, but their November 2019 report says there are over 800 impacted institutions, including clinics, hospitals, and radiology service providers.

Turkey, South Africa, Ecuador, India, and Brazil are also highly impacted.

The issue, Greenbone says, can be mitigated through security awareness: organizations should increase visibility into their assets and check whether they are exposed to the Internet; physicians should verify that medical information transmitted in electronic form is encrypted and inquire why if not; and patients should ask doctors about their data protection regime.

Related: Indiana Hospital System Notifying Patients After Data Breach

Related: Google Healthcare Project Targeted by Congress Committee

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
