Around 24 million medical patients' data is floating around on the internet, freely available for all to pore over – thanks to that good old common factor, terribly insecure servers.
German vuln-hunting firm Greenbone Networks found 590 "medical image archive systems online" containing a startling 737 million images, of which it said around 400 million were downloadable.
The so-called Picture Archiving and Communication System (PACS) servers run on a 1980s-vintage protocol, Digital Imaging and Communications in Medicine, or DICOM. One of the uses for DICOM is storing and transmitting medical scan images, such as X-rays.
Dirk Schrader, a cyber-resilience architect at Greenbone Networks who led the research, said today: "A significant number of these servers have no protection at all; they aren't password protected and have no encryption. Indeed, everyday internet users could gain access to these servers with very little effort – there's no need to write any code or deploy any specialist hacking tools."
All Schrader's researchers did was toddle off to stuff-that-shouldn't-be-public search engines Shodan and Censys, armed with suitable search parameters, to see what they could find. In all, they found records from 22 separate countries, including the UK, the US, Canada, Germany, France, Japan, Russia, Switzerland and more.
In the US alone they uncovered some 13.7 million people's records, comprising 303 million images. At the opposite end of the scale, the UK had 1,500 people's records exposed, comprising 13,000 pictures of medical scans. On top of that, the records tended to contain personally identifiable information (PII) such as names, date of birth, type of scan and medical procedure, the examining medical professional's name, and similar categories of information.
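The PII listed above lives in standard DICOM header fields, so an operator can audit what a stored image would disclose before it is ever exposed. The following script is an added example written for this article, not Greenbone's tooling or any hospital's code: it parses a minimal DICOM part-10 file and reports which identifying fields are present. It assumes explicit VR little-endian encoding throughout, omits the group 0002 file-meta header, and builds its own sample file inline with constructed values (no real patient data).

```python
import struct

# Standard DICOM tag numbers for fields that directly identify a person.
PII_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0008, 0x1060): "NameOfPhysiciansReadingStudy",
}

# VRs whose header carries 2 reserved bytes and a 4-byte length.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def encode_element(group, element, vr, value):
    """Serialise one data element in explicit VR little-endian form."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:  # DICOM values are padded to even length
        value += b"\x00" if vr == b"OB" else b" "
    if vr in LONG_VRS:
        header = struct.pack("<HH2sHI", group, element, vr, 0, len(value))
    else:
        header = struct.pack("<HH2sH", group, element, vr, len(value))
    return header + value


def build_sample_dicom():
    """Constructed sample file: 128-byte preamble, 'DICM', then elements
    in ascending tag order. Every value here is made up for illustration."""
    body = b"".join([
        encode_element(0x0008, 0x0060, b"CS", "CR"),              # Modality
        encode_element(0x0008, 0x0090, b"PN", "Doe^Jane"),        # referring physician
        encode_element(0x0008, 0x1030, b"LO", "Chest X-ray"),     # study description
        encode_element(0x0010, 0x0010, b"PN", "Sample^Patient"),  # patient name
        encode_element(0x0010, 0x0020, b"LO", "SAMPLE-0001"),     # patient ID
        encode_element(0x0010, 0x0030, b"DA", "19700101"),        # birth date
        encode_element(0x7FE0, 0x0010, b"OB", b"\x00" * 16),      # pixel data stub
    ])
    return b"\x00" * 128 + b"DICM" + body


def parse_elements(data):
    """Walk the element stream and return {(group, element): (vr, raw_value)}."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM part-10 file")
    pos, elements = 132, {}
    while pos + 8 <= len(data):
        group, element, vr = struct.unpack_from("<HH2s", data, pos)
        pos += 6
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 2)
            pos += 6
        else:
            (length,) = struct.unpack_from("<H", data, pos)
            pos += 2
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length elements are not handled by this minimal parser")
        elements[(group, element)] = (vr, data[pos:pos + length])
        pos += length
    return elements


def audit_pii(data):
    """Return the identifying fields a file would disclose, decoded and unpadded."""
    elements = parse_elements(data)
    findings = {}
    for tag, name in PII_TAGS.items():
        if tag in elements:
            _, value = elements[tag]
            findings[name] = value.decode("ascii", "replace").rstrip(" \x00")
    return findings


if __name__ == "__main__":
    for field, value in audit_pii(build_sample_dicom()).items():
        print(f"{field}: {value}")
```

Run against a real export, the same check tells an operator which headers must be anonymised (or which archive must never be internet-reachable) before a leak turns a scan into a name, a date of birth and a diagnosis.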
Naturally, the leaking of personal data exposes the subjects themselves to all kinds of criminal activity from blackmail to identity theft and more. It also makes the companies holding these images vulnerable to various levels of civil and criminal legal liability.
Medical information is very valuable to any kind of enterprise, lawful or otherwise, that relies on processing data for a living. Facebook tried to get its hands on American medical data last year, while Google infamously bought British machine-learning upstart DeepMind and combined its health-scanning tech and databases of health data with Google's own.
As for data security, it can get tiresome repeating the same simple messages. But until the world gets the message, we've got to keep on hammering it home. ®