Number of Exposed PACS Medical Images Increasing, US Biggest Culprit

Researchers from Germany’s Greenbone Networks have seen a 60 percent increase in the number of PACS medical archive images left exposed online, with US patients most affected by the exposure.

By Jessica Davis

A 60-day update on the number of Picture Archiving and Communication Systems (PACS) images left unprotected online has found a 60 percent increase in exposed medical data, to about 1.19 billion images, according to the latest research from Greenbone Networks.

The majority of healthcare organizations use PACS servers to archive medical images and share the images with other providers. But most organizations have not ensured the security of that data. In September, ProPublica published findings from the first Greenbone report, which revealed millions of PACS medical images were being exposed online.

The German researchers sought to provide an update on those servers 60 days after the initial report, with hopes to find these images secured. However, they found the situation has only worsened and the number of unsecured PACS servers and medical images has increased.

There are now more than 35 million studies connected to the internet, a 40 percent increase from 24.5 million two months ago. About 129 new archiving systems were found, while 172 “went off the grid.”

“To find even more studies, with more images related to them, isn’t what we expected to see,” researchers wrote. “The question about ignorance and/or negligence can only be answered this way. From our point of view, it is both in an unhealthy combination.”

“For most of the systems we scrutinized, we had – and still have – continued access to the personal health information,” they added. “There is sort of hope as a few countries managed to get the identified systems off the public Internet. But that hope is diminished by the overall numbers of accessible studies and images and additional, and new countries added to the list.”

A recent IntSights report upheld these findings: one-third of US healthcare databases are exposing sensitive data.

For the US, the situation is the most severe. Greenbone found that the US had the largest number of impacted patients and data sets. The aggregated numbers rose to a “disturbing level,” as well as an increase in the sensitivity of the exposed data.

The initial report found 13.7 million US studies, 303 medical images related to the studies, 45.8 million medical images, and 184 systems. The latest findings show 21.8 million studies with 6 million affected US patients, 786 million images related to the studies, a subset of 114.5 million images related to 1.78 million studies, and 60 new exposed PACS servers, bringing the total to 195 exposed PACS databases.

In total, 2,000 providers from 800 US institutions, including clinics, hospitals, and radiology service providers are exposing PACS images. And the US is largely missing proper controls on these databases, such as those mandated by HIPAA.

One large dataset allows full access to protected health information, including all images related to 1.2 million examinations and the Social Security numbers for 75 percent of those patients, or about 250,000.

The researchers estimated that the potential risk of medical identity theft for those individuals would total about $3.3 billion, or about two-thirds of the overall financial risk calculated for this type of exposure.

“The medical archives we found, especially that one system affecting the New York metropolitan area, are ‘perfect’ data troves for malicious actors with the intent to exploit individuals using medical identity theft,” researchers explained.

Greenbone also found archive images that appear to be from military personnel, including their Department of Defense identification.

“Although the number of data sets isn’t huge, the fact itself provides for means of exploitation,” researchers explained. “The overall situation with PACS systems in the US confirms our findings about the key capabilities driving high cyber resiliency for that region.”

Notably, the researchers have not seen any of these data leaks reported to the Department of Health and Human Services. Sen. Mark Warner, D-Virginia, recently sent a letter to the agency asking for information as to whether they are investigating these exposures, as they are not listed on its breach reporting tool.

“We appreciate the efforts made by Sen. Mark Warner and his team to raise the awareness about and the urgency of getting the PACS servers off the public Internet as soon as possible,” the researchers wrote.

Given the sensitivity of the data, Greenbone did not share the names of the organizations exposing data. The researchers plan to release a follow-up report on cyber resiliency in the near future.