
Unprotected PACS servers accounted for 1.19 billion medical images leaked in span of three months

  • PACS servers are used by a majority of healthcare organizations to archive medical images and share the same with other providers.
  • The United States, India, South Africa, Brazil, and Ecuador account for 75% of the total images exposed.

Health providers using unsecured Picture Archiving and Communication Systems (PACS) pose a potential threat to patients. New research from Greenbone has revealed a 60 percent increase in exposed medical data due to leaky PACS servers.


What does the research say?

  • According to Greenbone’s research into the security of PACS servers used by health providers, about 1.19 billion confidential images are now publicly available on the internet.
  • That’s a 60 percent increase from the findings observed between July and September 2019.
  • The United States, India, South Africa, Brazil, and Ecuador account for 75% of the total images exposed.

United States

  • Around 786 million exposed images were identified to be from the US.
  • A subset of these, around 114.5 million images, was fully accessible.
  • These images were exposed by 60 new PACS servers belonging to over 800 institutions including clinics, hospitals, and radiology service providers.
  • A total of 195 systems using unguarded PACS servers were identified as responsible for this huge leak.
  • 49 of these were taken offline and are no longer available online.

India

  • About 121 million of the 1.19 billion exposed images were found to belong to Indians.
  • Out of these, 114.7 million images were fully accessible.
  • A total of 97 systems running unprotected PACS servers were responsible for the leak.
  • 19 were secured, following the discovery of the leak.

South Africa

  • The country recorded a total of 38.2 million exposed images, out of which 3.7 million could be fully accessed.
  • 43 systems were identified as responsible for the leak, and 9 of these are no longer available on the public internet.

Brazil and Ecuador

Brazil and Ecuador saw 42.3 million and 13 million images exposed, respectively.

Of these, 23.3 million (out of 42.3 million) and 7.5 million (out of 13 million), respectively, could be accessed completely.

While Brazil's exposure was due to 35 systems running unprotected PACS servers, Ecuador had 29 systems using unguarded PACS servers.

Missing controls

For the U.S., the major problem is the lack of proper security controls. Healthcare providers were found not to be complying with HIPAA rules, following which 6.6% of consumers became victims of medical identity theft.

Some of the other major victim countries are working on drafting a proper data privacy bill to protect their patients’ data.

Recommended actions

  • Hospitals, clinics, and service providers should establish a comprehensive list of their organizations' public-facing IP addresses and maintain it from time to time.
  • All IP addresses that hit public Wi-Fi established on the premises must be scanned for threats.
  • Physicians, for their part, should be very precise when storing patients’ data, as per data privacy rules.
  • Physicians should also limit access to electronic forms and check that the data is encrypted before storing it.