Anyone Can Look at Millions of Americans’ Medical Images and Data, Report Finds
It turns out that anyone with basic computing skills and an internet connection can access millions of private medical images and data—such as MRIs, X-rays, and CT scans—as well as a buffet of valuable private info, according to a disturbing report from ProPublica.
The gist is that as the medical community moved from analog to digital methods of sharing test results, security practices lagged behind. Unlike data breaches in other industries, where hackers exploit flaws in a company’s security practices, many digital medical records systems don’t even require passwords. What that means is you don’t need fancy hacker software to peep at millions of medical test results. All you need is an internet browser and to know where to look.
In its investigation, ProPublica worked with German security firm Greenbone Networks, and journalists from German broadcaster Bayerischer Rundfunk. It ultimately identified 187 servers in the U.S. that lacked passwords or basic security precautions. In total, the data from more than 16 million medical scans worldwide are available online. What’s worse is that on top of private medical images, the scans include sensitive information such as names, birthdates, and in some cases, Social Security numbers.
One issue is that it’s unclear who exactly is at fault, and many of the parties involved seem to think securing the data is someone else’s responsibility. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to “assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care.” Among its provisions is a requirement that standards be publicized for the “electronic exchange, privacy and security of health information.”
That would appear to put the onus on health care providers and the services they use. However, the report found companies creating medical imaging software and medical device makers assumed their customers—health providers—would be in charge of securing data. At the same time, while large hospital chains and academic medical centers did, in fact, implement security