Help Net Security - Daily information security news with a focus on enterprise security.
Help Net Security
December 16, 2020
45 million medical images left exposed online

More than 45 million medical images – including X-rays and CT scans – are left exposed on unprotected servers, a CybelAngel report reveals.

The analysts discovered millions of sensitive images, including personal healthcare information (PHI), were available unencrypted and without password protection.

No need for a username or password

The analysts found that the openly available medical images, together with up to 200 lines of metadata per record containing PII (personally identifiable information: name, birth date, address, etc.) and PHI (height, weight, diagnosis, etc.), could be accessed without a username or password. In some instances login portals accepted blank usernames and passwords.
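The metadata exposure described above is the part a defender can most readily check for on their own exports before anything is shared. The script below is an added example, not code from the CybelAngel report or from Help Net Security. It assumes the per-record metadata can be modelled as a flat dictionary keyed by attribute name (the names are borrowed from the DICOM patient and study modules; the report does not name the file format), and the PII/PHI classification and the sample record are this example's own constructions based on the categories the report lists.

```python
"""Audit exported medical-image metadata for PII/PHI before it is shared.

Added example, not from the CybelAngel report or Help Net Security.
Assumptions: metadata is a flat dict keyed by attribute name (names taken
from the DICOM Patient/Study modules; the report does not name the format),
and the PII/PHI classification below is this example's own.
"""
from __future__ import annotations

from datetime import date

# Direct identifiers (PII) versus health information (PHI). The split is an
# assumption made for this example, following the report's categories.
PII_ATTRIBUTES = {
    "PatientName", "PatientID", "PatientBirthDate", "PatientAddress",
    "PatientTelephoneNumbers", "OtherPatientIDs", "ReferringPhysicianName",
}
PHI_ATTRIBUTES = {
    "PatientSize", "PatientWeight", "StudyDescription",
    "AdmittingDiagnosesDescription", "PatientAge", "PatientSex",
}

# Date of the report, used as "today" for age banding in the demo run.
REPORT_DATE = date(2020, 12, 16)

# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD = {
    "PatientName": "Doe^Jane",
    "PatientID": "MRN-000123",
    "PatientBirthDate": "19800415",          # DICOM DA format, YYYYMMDD
    "PatientAddress": "1 Example Street, Example City",
    "PatientSize": "1.72",
    "PatientWeight": "68",
    "AdmittingDiagnosesDescription": "Fracture, left tibia",
    "StudyDescription": "CT lower extremity",
    "Modality": "CT",
    "Rows": "512",
    "Columns": "512",
}


def classify(record: dict[str, str]) -> dict[str, list[str]]:
    """Return which attributes in *record* are PII, PHI, or neither."""
    out: dict[str, list[str]] = {"pii": [], "phi": [], "other": []}
    for name in record:
        if name in PII_ATTRIBUTES:
            out["pii"].append(name)
        elif name in PHI_ATTRIBUTES:
            out["phi"].append(name)
        else:
            out["other"].append(name)
    return out


def _age_band(birth_date: str, today: date) -> str:
    """Reduce a YYYYMMDD birth date to a 10-year age band, e.g. '40-49'."""
    born = date(int(birth_date[:4]), int(birth_date[4:6]), int(birth_date[6:8]))
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def deidentify(record: dict[str, str], today: date) -> tuple[dict[str, str], list[str]]:
    """Return a copy with direct identifiers removed plus an audit trail.

    PII is dropped; the birth date becomes a coarse age band so clinical
    usefulness survives without the exact date. PHI such as the diagnosis
    text is kept, so the output still needs access control when shared.
    """
    scrubbed: dict[str, str] = {}
    audit: list[str] = []
    for name, value in record.items():
        if name == "PatientBirthDate":
            scrubbed["PatientAgeBand"] = _age_band(value, today)
            audit.append(f"{name}: replaced by PatientAgeBand")
        elif name in PII_ATTRIBUTES:
            audit.append(f"{name}: removed")
        else:
            scrubbed[name] = value
    return scrubbed, audit


def is_safe_to_share(record: dict[str, str]) -> bool:
    """True when no direct identifier remains in the record."""
    return not (PII_ATTRIBUTES & record.keys())


if __name__ == "__main__":
    found = classify(SAMPLE_RECORD)
    print("PII attributes exposed:", found["pii"])
    print("PHI attributes exposed:", found["phi"])
    clean, trail = deidentify(SAMPLE_RECORD, REPORT_DATE)
    for line in trail:
        print(" -", line)
    print("safe to share:", is_safe_to_share(clean))
```

Run against a batch of exported records, the `classify` output doubles as an inventory of which identifying fields a share or archive would leak if its access controls failed, and `is_safe_to_share` is the gate a sharing workflow can enforce before a record leaves the institution.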

“The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files,” says David Sygula, Senior Cybersecurity Analyst at CybelAngel.

“This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”

Todd Carroll, CybelAngel CISO further commented, “Medical centers work with a vast, interconnected web of third-party providers and the cloud is an essential platform for sharing and storing data. However, gaps in security, such as this, present a huge risk, both for the individuals whose data is compromised and the healthcare institutions that are governed by regulations to protect patients’ data.

“The health sector has faced unprecedented challenges this year, however the security and privacy of their patients’ most personal records must be protected, to prevent highly confidential data falling into the wrong hands.”

Security risks of publicly accessible images

The report highlights the security risks that publicly accessible images containing highly personal information create, including ransomware and blackmail. Fraud is a particular risk, as this type of imagery fetches a premium on the dark web.

From a compliance standpoint, healthcare providers are also liable to sanctions under regulations such as GDPR in Europe, and HIPAA in the US, for breaches of sensitive patient information.

Simple steps that healthcare facilities can take to safeguard the way they share and store data include:

  • Determine if pandemic response exceeds your security policies: Ad hoc NAS devices, file-sharing apps and contractors may take data beyond your ability to enforce access controls.
  • Ensure proper network segmentation of connected medical imaging equipment: Minimize the exposure of critical diagnostic equipment and supporting systems to wider business or public networks.
  • Conduct real-world audit of third-party partners: Assess which parties may be unmanaged or not in compliance with required policies and protocols.
© Copyright 1998-2021 by Help Net Security