A German security firm has identified hundreds of unprotected PACS servers around the world that store millions of medical images and related patient information. Although more than half of those exposed data records were on servers in the U.S., a substantial number were also found among European countries.
The analysis, which was performed by Greenbone Networks between mid-July 2019 and early September 2019, showed that 590 of the 2,300 archive systems worldwide were accessible on the internet via web browser or free software programs. These contained 24 million data records from patients around the world -- including 19 European countries -- and more than 737 million images linked to the data records. Of these 737 million images, 400 million could easily be downloaded.
Furthermore, 39 systems -- including one in Switzerland -- were completely unprotected, enabling access to patient data via an unencrypted hypertext transfer protocol (HTTP) web viewer.
"The sum of these data leaks of unprotected patient data available on the internet is one of the largest data glitches worldwide to date," researchers from Greenbone wrote in their report. "52 countries around the world are affected, including all leading economic nations and the most populous countries in the world."
The vast majority of the accessible data records included information protected by the European Union's General Data Protection Regulation: patient name, birth date, examination date, scope of the investigation, type of imaging procedure, attending physician, institute/clinic, and the number of generated images, according to Greenbone.
| Open image servers by European country, ranked by No. of accessible data records for imaging studies | ||||
| European country | Systems allowing unprotected access via DICOM | No. of accessible imaging study data records | No. of images linked to imaging study data records | No. of accessible images |
| Turkey | 36 | 4,924,141 | 179,533,940 | 178,283,858 |
| Slovakia | 1 | 127,636 | 382,908 | 0 |
| Italy | 10 | 102,893 | 5,843,319 | 1,174,600 |
| Czech Republic | 2 | 97,997 | 674,686 | 0 |
| France | 7 | 47,662 | 5,275,222 | 2,668,170 |
| Serbia | 1 | 30,484 | 15,242,000 | 15,242,000 |
| Bulgaria | 2 | 27,058 | 40,977 | 40,977 |
| Spain | 1 | 17,662 | 52,986 | 0 |
| Germany | 6 | 15,310 | 2,859,595 | 1,394.845 |
| Netherlands | 3 | 11,270 | 113,408 | 113,408 |
| Greece | 2 | 10,211 | 2,557,600 | 2,557,600 |
| Russian Federation | 5 | 9,858 | 887,042 | 25,000 |
| Portugal | 3 | 5,766 | 1,581,101 | 1,581,100 |
| Cyprus | 1 | 3,459 | 1,124,175 | 1,124,175 |
| U.K. | 6 | 1,571 | 13,335 | 5,070 |
| Switzerland | 2 | 1,541 | 231,840 | 231,840 |
| Ukraine | 1 | 1,139 | 199,325 | 199,325 |
| Albania | 1 | 200 | 1,000 | 0 |
| Romania | 1 | 67 | 737 | 0 |
On the bright side, only one country -- Switzerland -- had a system that allowed unprotected access to patient data via either a DICOM web viewer, unencrypted file transfer protocol (FTP) service, downloading of complete DICOM archives via HTTP, or a directory listing in the web browser for the DICOM archive files.
Public attention
After performing its initial analysis, Greenbone shared its findings with German public broadcaster Bayerischer Rundfunk, which then teamed up with nonprofit journalism organization ProPublica on a collaborative investigation and report. They scanned the IP addresses of the unprotected servers and attempted to identify which medical provider they belonged to and determined how many patients could be affected.
They also found that some servers were running outdated operating systems with known security vulnerabilities. The organizations reported that most cases of unprotected data involved independent radiologists, medical imaging centers, or archiving services; large hospital chains and academic medical centers had security protections in place. In good news, no evidence was found that patient data had been copied from the open systems and published elsewhere.
The Greenbone report and subsequent investigation by Bayerischer Rundfunk and ProPublica has also triggered investigations by the U.K. National Health Service (NHS) and the Information Commissioner's Office, according to a report published 29 September in the Times.
Recommendations
These vulnerabilities are caused by a faulty configuration of the infrastructure and the server, rather than a PACS software issue. As a result, the Greenbone researchers suggested several possibilities for remedying the problem:
- Access control lists for all Internet Protocol (IP) addresses and/or port filters
- Access control through the implementation of authentication, authorization, and accounting (AAA) systems
- Virtual private network (VPN) access for selected persons/institutions
- Detailed configuration of application entity (AE) titles
"These measures could make accessing the systems more difficult, or prevent access altogether," the authors wrote. "In doing so, however, it is important to consider which authorized authorities require access to the data, such as hospital associations or general practitioners."
The Greenbone team also acknowledged that each individual site may not be able to implement all of the available solutions.
"However, according to our observations, there is no case in which a higher degree of security would not be worthwhile," the authors wrote. "A comprehensive and repeated inventory of IT systems and their vulnerabilities within an organization is the best way to uncover such flawed configurations."
