Millions of Americans' Medical Images and Data Are Available On the Internet (arstechnica.com)
An anonymous reader quotes a report from ProPublica: Medical images and health data belonging to millions of Americans, including X-rays, MRIs, and CT scans, are sitting unprotected on the Internet and available to anyone with basic computer expertise. The records cover more than 5 million patients in the United States and millions more around the world. In some cases, a snoop could use free software programs -- or just a typical Web browser -- to view the images and private data, an investigation by ProPublica and the German broadcaster Bayerischer Rundfunk found.
We identified 187 servers -- computers that are used to store and retrieve medical data -- in the U.S. that were unprotected by passwords or basic security precautions. The computer systems, from Florida to California, are used in doctors' offices, medical-imaging centers, and mobile X-ray services. The insecure servers we uncovered add to a growing list of medical records systems that have been compromised in recent years. Unlike some of the more infamous recent security breaches, in which hackers circumvented a company's cyber defenses, these records were often stored on servers that lacked the security precautions that long ago became standard for businesses and government agencies. The exposed data varied depending on the health provider and the software they use. "For instance, the server of U.S. company MobilexUSA displayed the names of more than a million patients -- all by typing in a simple data query," reports ProPublica. "Their dates of birth, doctors, and procedures were also included."
"Another imaging system, tied to a physician in Los Angeles, allowed anyone on the Internet to see his patients' echocardiograms," the report adds. "All told, medical data from more than 16 million scans worldwide was available online, including names, birthdates, and, in some cases, Social Security numbers."
The authors of the report recommend you ask your health care provider or doctor if access to your images requires a login and password, and to ask if they conduct a regular security assessment as required by HIPAA.
Well, the old maxim certainly is proving true (Score:3)
As the old saying goes "information wants to be free", and in recent years the millions and millions of records going out over the internet certainly is proving this to be the case!
As much as you want to protect a large valuable database at some point someone is going to slip up and then wham. Anything you collect, just assume it will be out in the public eventually.
Re: (Score:3, Insightful)
Re: (Score:2)
Hey, look, I remember when we watched that movie, whatsit, that documentary, Christine....
You never really know what your car might be thinking.
Opposite (Score:2)
That's like saying your car wants to be free, because sooner or later you'll misplace your keys.
The car doesn't go anywhere without the key, so misplacing your keys means exactly the opposite of this.
You could claim it meant because your car key could be stolen one day. But that is nothing like the situation with data, because your car key cannot be stolen by some guy in Uzbekistan because you left a window cracked open.
Furthermore, it also is unlike the data case because if the window is left cracked ope
Re: (Score:1)
Thinking about the car ... it is exactly the same. Just on a different time scale.
In around 100 years, if your car is not a collectible item, it will be out of your control no matter if you are alive or not. Eventually, all the cars will be "freed of us" and their rusty steel will return as a different item or to become part of the Earth.
The problem with information is also a time one. When the pharaoh was buried inside their splendid pyramids and so on, it was supposed to be a wonderful and se
Re: (Score:2)
It is entirely like data, because your car isn't going anywhere unless someone picks up that key and drives off with it. Your data, likewise, isn't going anywhere until someone "leaks" it, i.e. criminally dispenses it to unauthorized persons, or a hacker or just a curious person comes around, sees it's available and takes it for a joy ride because as far as they care it's not hurting them. Some people even think they're doing you a favor! Imagine coming home and there's some scruffy neckbeard on your couch e
Re: (Score:2)
HIPAA (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2)
I won't say "incompetent IT" ... I prefer to think about "lack of IT".
Many are outdated systems from a time where security was not so troublesome and data protection practices were not taken into consideration.
The right IT methods will find these fragile systems and put them in a secure sandbox where their fragility is not as vulnerable as it is now.
Re: (Score:2)
Not the cloud, just incompetent IT. Dr. wants to access images remotely. You could spend the money to do it the right way (if you even know how) or you could just throw the server on the internet with a public IP (or port-forward from the most-likely-consumer-grade firewall) and give the doctor the IP to pull the images from. This kind of crap is all too common at small practices. A lot of doctors who wouldn't blink an eye spending $1.5M on the latest gadget for their practice will fight tooth and nail spending $10,000 on their IT systems.
In that case, the doctor can cough up a bunch of cash paying for the HIPAA violation. The Feds don't take that lightly.
Completely agree. They should be held accountable and hopefully in the future they will think twice about where they choose to skimp on spending.
More self-serve "customer productivity" ... (Score:1)
The authors of the report recommend you ask your health care provider or doctor if access to your images requires a login and password, and to ask if they conduct a regular security assessment as required by HIPAA.
Re:More self-serve "customer productivity" ... (Score:4, Insightful)
Yeah, because the reception / nurse you're asking is of course going to give you a truthful / informed answer to that question, and not simply say whatever they think you want to hear.
Re: (Score:2)
And because we, the lay, have to oversee HIPAA because, apparently, the goddam doctor's office doesn't.
let me guess (Score:4, Insightful)
Medical offices are the worst (Score:5, Interesting)
The dirtiest, most infected networks I ever worked on were in medical offices. Weak passwords, sometimes no passwords, ancient desktops that hadn't run updates in months. Pointing out the vulnerabilities was a waste of time. They didn't care and didn't want to be bothered.
Until companies start seeing big fines for being sloppy with data security, it's going to keep happening.
Doctors = Users (Score:4, Insightful)
Doctors are sometimes very smart people. They are very well educated. That being acknowledged doesn't change the fact that in this case:
Doctors are Users.
Followed shortly by the obvious fact that:
Users are morons.
Asking my doctor if access to my medical data requires a username and password is just plain stupid. That idiot isn't going to know. Everybody on his staff uses a username/password to access the data so he is clearly going to answer yes. Unfortunately there is always a back end to the system, and the doctor doesn't know a goddamn thing about a front end, back end, or basic data storage and access that may not require either front or back end web interface. Asking the doctor about a security requirement is just like asking a netadmin what he thinks of my X-ray or CAT scan.
I don't WANT him to know. Doctors, especially in a small practice, don't even know what to ask for. They fill their heads with medical data, and a hobby or two.
I want some security minded professionals and network admins to know that answer. The service provider gives them a standardized service contract, and the doctor signs and sends them money. One would hope that the service contract contained standardized verbiage and basic HIPAA and other rules...but who knows.
Even so, if access isn't 2 factor, what does it even matter? How many of these dillweeds use 'jjohnson' and 'crappypassword' as their authentication? One could put in some logic rules perchance - data on patients limited to 9000 different IP ranges that the company does business with, or dedicated VPN ranges, etc. At least that might limit this mind numbingly stupid no-knowledge-required access to at least people that have physical access to a doctor's office.
I wish I could bill people for millions of dollars and give them zero authentication, no access controls, no IDS/IPS, no control reviews, no pen testing, no responsibilities.
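The two failure modes described in this thread are a server port-forwarded straight onto a public IP with no authentication (the "Not the cloud, just incompetent IT" post) and the fix sketched in the post above: serve images only to authenticated, second-factor-verified users, only from networks the practice actually does business with or its VPN pool, and log the rest. The following is an added example written for this page, not code from ProPublica, Slashdot or any imaging vendor. It is a deny-by-default policy check an image-serving endpoint could call before returning a study; the network ranges, usernames and request records are constructed for the demo (the allowlist uses the documentation ranges from RFC 5737 so nothing here is a real address).

```python
"""Deny-by-default access check for a medical-image endpoint (added example).

Every request must pass three tests before an image is served:
  1. the source address sits inside an allowlisted network (practice LAN,
     a partner range, the VPN client pool),
  2. the request carries an authenticated session,
  3. that session has completed a second factor.
Denied attempts are returned as log lines so they can be alerted on; an
exposed server that never logs a denial is exactly the situation the
article describes.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed allowlist. Real deployments would load this from config.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.20.0.0/16",     # practice LAN (constructed)
    "203.0.113.0/24",   # imaging partner (RFC 5737 TEST-NET-3, constructed)
    "192.0.2.0/24",     # VPN client pool (RFC 5737 TEST-NET-1, constructed)
)]


@dataclass
class Request:
    src_ip: str
    path: str
    session_user: Optional[str] = None  # None = no authenticated session
    mfa_verified: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(req: Request, allowed_networks=ALLOWED_NETWORKS) -> Decision:
    """Return an allow/deny decision with the first failing check as the reason."""
    try:
        src = ipaddress.ip_address(req.src_ip)
    except ValueError:
        return Decision(False, "unparseable source address")
    if not any(src in net for net in allowed_networks):
        return Decision(False, f"source {src} outside allowlisted networks")
    if req.session_user is None:
        return Decision(False, "no authenticated session")
    if not req.mfa_verified:
        return Decision(False, f"user {req.session_user} has not completed second factor")
    return Decision(True, f"user {req.session_user} from {src}")


def audit(requests: List[Request], allowed_networks=ALLOWED_NETWORKS) -> Tuple[List[str], List[str]]:
    """Evaluate a batch of requests; the denied list is what a SIEM rule should alert on."""
    served, denied = [], []
    for r in requests:
        d = evaluate(r, allowed_networks)
        line = f"{'ALLOW' if d.allowed else 'DENY '} {r.src_ip} {r.path} :: {d.reason}"
        (served if d.allowed else denied).append(line)
    return served, denied


# Constructed sample traffic covering the cases discussed in the thread.
SAMPLE_REQUESTS = [
    # staff member on the practice LAN, logged in, second factor done -> served
    Request("10.20.4.17", "/studies/12345/image.dcm", "jjohnson", True),
    # arbitrary Internet host with no login: the "anyone on the Internet" case
    Request("198.51.100.9", "/studies/12345/image.dcm"),
    # VPN user who skipped the second factor
    Request("192.0.2.55", "/studies/12345/image.dcm", "jjohnson", False),
    # partner range but no session: the "simple data query" listing case
    Request("203.0.113.8", "/patients?query=*"),
    # garbage source address from a broken proxy header
    Request("not-an-ip", "/studies/1", "jjohnson", True),
]

if __name__ == "__main__":
    served, denied = audit(SAMPLE_REQUESTS)
    for line in served + denied:
        print(line)
```

The order of the checks matters for what ends up in the logs: address filtering runs first so that unauthenticated probes from outside the allowlist are denied and recorded without the application ever touching session state or patient data, and the second-factor check is applied even to VPN users, which is the point of the "if access isn't 2 factor, what does it even matter?" remark.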
Fuck HIPPA (Score:2)