Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Medicine Privacy The Internet United States

Millions of Americans' Medical Images and Data Are Available On the Internet (arstechnica.com) 22

An anonymous reader quotes a report from ProPublica: Medical images and health data belonging to millions of Americans, including X-rays, MRIs, and CT scans, are sitting unprotected on the Internet and available to anyone with basic computer expertise. The records cover more than 5 million patients in the United States and millions more around the world. In some cases, a snoop could use free software programs -- or just a typical Web browser -- to view the images and private data, an investigation by ProPublica and the German broadcaster Bayerischer Rundfunk found.

We identified 187 servers -- computers that are used to store and retrieve medical data -- in the U.S. that were unprotected by passwords or basic security precautions. The computer systems, from Florida to California, are used in doctors' offices, medical-imaging centers, and mobile X-ray services. The insecure servers we uncovered add to a growing list of medical records systems that have been compromised in recent years. Unlike some of the more infamous recent security breaches, in which hackers circumvented a company's cyber defenses, these records were often stored on servers that lacked the security precautions that long ago became standard for businesses and government agencies.
The exposed data varied depending on the health provider and the software they use. "For instance, the server of U.S. company MobilexUSA displayed the names of more than a million patients -- all by typing in a simple data query," reports ProPublica. "Their dates of birth, doctors, and procedures were also included."

"Another imaging system, tied to a physician in Los Angeles, allowed anyone on the Internet to see his patients' echocardiograms," the report adds. "All told, medical data from more than 16 million scans worldwide was available online, including names, birthdates, and, in some cases, Social Security numbers."

The authors of the report recommend you ask your health care provider or doctor if access to your images requires a login and password, and to ask if they conduct a regular security assessment as required by HIPAA.
This discussion has been archived. No new comments can be posted.

Millions of Americans' Medical Images and Data Are Available On the Internet

Comments Filter:
  • by SuperKendall ( 25149 ) on Tuesday September 17, 2019 @06:43PM (#59206102)

    As the old saying goes "information wants to be free", and in recent years the millions and millions of records going out over the internet certainly is proving this to be the case!

    As much as you want to protect a large valuable database at some point someone is going to slip up and then wham. Anything you collect, just assume it will be out in the public eventually.

    • Re: (Score:3, Insightful)

      by Daemonik ( 171801 )
      That's like saying your car wants to be free, because sooner or later you'll misplace your keys. It's laughable. It's just an excuse to passively forgive hacking or incompetence.
      • Hey, look, I remember when we watched that movie, whatsit, that documentary, Christine....

        You never really know what your car might be thinking.

      • That's like saying your car wants to be free, because sooner or later you'll misplace your keys.

        The car doesn't got anywhere without the key, so misplacing your keys means exactly the opposite of this.

        You could claim it meant because your car key could be stolen one day. But that is nothing like the situation with data, because your car key cannot be stolen by some guy in Uzbekistan because you left a window cracked open.

        Furthermore, it also is unlike the data case because if the window is left cracked ope

        • by malvcr ( 2932649 )

          Thinking about the car ... it is exactly the same. Just that in a different time scale.

          In around 100 years, if your car is not a collectible item, it will be out of your control no matter if you are alive or not. Eventually, all the cars will be "freed of us" and their rusty steel will return as a different item or to become part of the Earth.

          The problem with information is also a time one. When the pharaoh was buried inside their splendid pyramids and so on, it was supposed to be a wonderful and se

        • It is entirely like data, because your car isn't going anywhere unless someone picks up that key and drives off with it. Your data, likewise, isn't going anywhere until someone "leaks" ie. Criminally dispenses it to unauthorized persons, or a hacker or just a curious person comes around see's it's available and takes it for a joy ride because as far as they care it's not hurting them. Some people even think they're doing you a favor! Imagine coming home and there's some scruffy neckbeard on your couch e

        • The issue is, try buying a car that doesn't have a cellular connection these days. I know GM and Chrysler do it and have to assume Ford does it too. I had to do some probing on my car and find the damned thing and burn it out.
  • Someone's gonna get a major fine for this.. this is what happens when people with no clue let marketers with no scruples sell them on "the cloud".
    • Re: (Score:3, Interesting)

      by EvilSS ( 557649 )
      Not the cloud, just incompetent IT. Dr wants to access images remotely. You could spend the money to do it the right way (if you even know how) or you could just throw the server on the internet with a public IP (or port-forward from the most-likely-consumer-grade-firewall) and give the doctor the IP to pull the images from. This kind of crap is all to common at small practices. A lot of doctors who wouldn't blink an eye spending $1.5M on the latest gadget for their practice will fight tooth and nail spendi
      • by malvcr ( 2932649 )

        I won't say "incompetent IT" ... I prefer to think about "lack of IT".

        Many are outdated systems from a time where security was not so troublesome and data protection practices were not taken into consideration.

        The right IT methods will find these fragile systems and to put them in a secure sandbox where their fragility is not as vulnerable as it is now.

  • The authors of the report recommend you ask your health care provider or doctor if access to your images requires a login and password, and to ask if they conduct a regular security assessment as required by HIPAA.

  • let me guess (Score:4, Insightful)

    by sit1963nz ( 934837 ) on Tuesday September 17, 2019 @08:23PM (#59206382)
    The cost of fines are less than the cost of doing the job right.
  • by HangingChad ( 677530 ) on Tuesday September 17, 2019 @09:07PM (#59206452) Homepage

    The dirtiest, most infected networks I ever worked on were in medical offices. Weak passwords, sometimes no passwords, ancient desktops that hadn't run updates in months. Pointing out the vulnerabilities was a waste of time. They didn't care and didn't want to be bothered.

    Until companies start seeing big fines for being sloppy with data security, it's going to keep happening.

  • Doctors = Users (Score:4, Insightful)

    by skogs ( 628589 ) on Tuesday September 17, 2019 @10:06PM (#59206588) Journal

    Doctors are sometimes very smart people. They very well educated. That being acknowledged doesn't change the fact that in this case:
    Doctors are Users.
    Followed shortly by the obvious fact that:
    Users are morons.

    Asking my doctor if access to my medical data requires a username and password is just plain stupid. That idiot isn't going to know. Everybody on his staff uses a username/password to access the data so he is clearly going to answer yes. Unfortunately there is always a back end to the system, and the doctor doesn't know a goddamn thing about a front end, back end, or basic data storage and access that may not require either front or back end web interface. Asking the doctor about a security requirement is just like asking netadmin what he thinks of my xray or CAT scan.

    I don't WANT him to know. Doctors, especially in a small practice, don't even know what to ask for. They fill their heads with medical data, and a hobby or two.

    I want some security minded professionals and network admins to know that answer. The service provider gives them a standardized service contract, and the doctor signs and sends them money. One would hope that the service contract contained standardized verbiage and basic HIPAA and other rules...but who knows.

    Even so, if access isn't 2 factor, what does it even matter? How many of these dillweeds use 'jjohnson' and 'crappypassword' as their authentication? One could put in some logic rules per chance - data on patients limited to 9000 different IP ranges that the company does business with, or dedicated VPN ranges, etc. At least that might limit this mind numbingly stupid no-knowledge-required access to at least people that have physical access to a doctor's office.

    I wish I could bill people for millions of dollars and give them zero authentication, no access controls, no IDS/IPS, no control reviews, no pen testing, no responsibilities.

  • People absolutely need to go to prison for this. This is completely unacceptable.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...