Hospitals across Europe are continuing to leak tens of thousands of medical images into the public domain every week, and Bulgaria, France, Hungary, Italy, Spain, and Switzerland are among the countries that still have unprotected PACS servers, new analysis from Germany has found.
The situation is getting worse daily due to the addition of new datasets to storage by systems that remain open, along with the growth in new systems that use unsecured servers, Dirk Schrader of network security firm Greenbone Networks told AuntMinnieEurope.com. In spite of alerts sent to governments, some nations have failed to respond and data can still be accessed.
The company undertook the global safety review of PACS in September 2019 and discovered that in the European Union alone, there were 47 systems allowing access on the web to personal data such as patient names, date of birth, date of exam, physician name, and institution. These 47 PACS stored a total of 511,000 studies and 35 million linked images. Of those images, 25 million were fully accessible.
"After the initial report, authorities from the U.K., Germany, Switzerland, and France reached out to us for more details, in addition to us sharing the full dataset with the German Federal Office for Information Security as a trusted third party to exchange with other information security authorities across the globe," noted Schrader, adding that the U.S. media outlet ProPublica and Germany's Bayerischer Rundfunk also reported the leaks.
By November 2019, the number of European systems still online had fallen to 22 (see table). The total number of accessible studies fell to 329,000, and accessible images dropped to 16.6 million, of which 4.4 million were fully accessible.
A billion images and rising
Greenbone calculated that there were more than 1 billion medical images of patients accessible online across the world, with about half of all the exposed images, including x-ray, ultrasound, and CT scans, belonging to patients in the U.S. In another new analysis, Schrader found that medical data as far back as January 1980 could be accessed from one U.S. system, which would allow third parties to build up a comprehensive medical history of the patients concerned. The potential for identity theft and fraud based on intercepted data is another concern, according to the firm.
In the latest review carried out this month, seven more unprotected systems have been removed since November, but there are still 15 systems online that allow public access to data and images, noted Schrader. He also pointed to how the rate of systems being taken off the public grid has slowed sharply between November and January, with 25 systems removed between September and November, compared with just seven between November and January.
"The net difference between the total number of studies and images accessible online in November and January is more or less zero: With the latest seven systems gone, 28,000 studies and 1.57 million linked images have been removed, but the remaining systems have added 34,000 studies and 1.48 million images," he said. "The rate at which studies and images are added by the remaining systems suggests that if no more PACS are taken offline, the initial September status of studies and images will be reached again in approximately six months, around July 2020."
The big 3: France, Italy, and Turkey
France has about 120,000 accessible studies and Italy has about 110,000 studies, he noted.
In September, Turkey had 36 unprotected PACS, holding about 4.9 million studies with 179 million images, of which almost all were fully viewable. By November, while the number of accessible systems dipped slightly to 35, with the removal of two PACS but the appearance of a new system, the number of studies and images decreased drastically because one of the two archives removed from public access was very large. Accessible studies remained relatively stable at 5.1 million, while linked images dropped significantly to 75 million images with 70.6 million fully viewable.
By January 2020, the number of unprotected systems in Turkey went down by 10, resulting in 25 accessible PACS, which reduced the amount of studies by 2.5 million and images by 16.7 million. However, 72,000 datasets and 2.8 million images were added by the remaining systems.
"For Turkey, it might take a bit longer to return to the September level, but this will happen, if nothing else changes," Schrader warned.
To find out whether your system is connected to the internet without protection, he suggests doing the following:
- Scan your perimeter (all of it) for open ports used by DICOM, i.e., 104, 4242, and 11112 (all TCP).
- If you use a third-party service provider for radiology and it offers a web portal, check the server's IP for these ports (using a DICOM viewer).
- Ask your service provider for a scan report for the range of public IP addresses it uses. That scan report should include the ports stated. Make sure it confirms that the scan includes DICOM protocol detection.
- Check your firewall for open ports. If 104, 4242, and 11112 are open, check the logs.