A billion medical images are exposed online

350 points, by OrgNet, over 5 years ago

20 comments

prostheticvamp, over 5 years ago
An odd line from the article, wherein it states that security researchers don't blame vendors, but the physicians and hospitals that fail to properly secure the software.

I have never, in all my years of working in healthcare, seen a hospital or physician's office directly install and manage PACS. They pay a third party - usually the vendor - to install, configure, and walk them through it. Maybe a behemoth system like Northwell has the IT bench to do it themselves, but that would be the exception.

So allow me to rephrase slightly: "technologically inept organization pays vendor to make machine go vroom. Vendor leaves keys in ignition. Damn that technologically inept organization."

To take a 10,000-foot view of the situation, though:

Healthcare-related technology was largely pushed on the industry via legislation. Said legislation was almost entirely stick, no carrot. The result was healthcare organizations with a gun to their head to buy from a handful of vendors, with no real ROI to be seen from it - aka, the government outsourcing its costs to private industry, and throwing pork to some major health IT firms along the way. When a technology is forced on you at a loss, from a vendor with little incentive to optimize ease of use or utility, you get a terrible piece of shit that no one wants to invest more time and money into than absolutely needed. That's going to show itself in a myriad of ways.
sbarre, over 5 years ago
The key takeaway from that article, for me, is that the government body that is supposed to monitor, enforce, and penalize organizations who fail to follow the HIPAA rules is basically doing nothing.

So with no consequence to these massive lapses, why would these companies care?
moviuro, over 5 years ago
    % curl -L 'https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/'
    curl: (7) Failed to connect to guce.advertising.com port 443: Connection refused

WTF?

I have a lying DNS server, and it's getting ridiculous.

Here's the outline for people who care about privacy/tracking/GDPR, etc.: https://outline.com/Ep5u4K
OliverJones, over 5 years ago
From TechCrunch's article it looks like it's possible to see so-called "protected health information" (PHI) in these images. PHI includes patient names, diagnoses, hospital and doctor names, contact information, and so forth. It's sometimes possible to "de-identify" medical images by scrubbing off patient info. But I bet most of these are not de-identified.

The examples in the TechCrunch article are redacted, but I guess that was done for publication and not on the stored images themselves.

In the USA, HIPAA and ARRA 2009 (follow-on legislation) made it a federal crime to knowingly or negligently disclose PHI. It's a crime that "pierces the corporate veil." That is, natural persons can be tried and convicted, even if they were acting on behalf of corporations.

The Centers for Medicare and Medicaid Services (CMS) has a Breach Notification Rule, requiring holders of data to notify patients and CMS themselves if PHI is breached: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

CMS announces breaches involving 500 or more patient records here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

It wouldn't surprise me if the people involved in securing these sloppily configured DICOM servers are in a state of panic. I was involved in dealing with an unintentional breach of 44 patient records a few years back, and yeah, we had some panic. (Misrouted fax messages were the root cause, for what it's worth.) Also observe that I remember to this day how many records leaked out. Breaches are a big deal. It stinks to be them. I know that for sure.

I hope they get it sorted out. It will take a while. It will also take a while for the affected medical professionals and their IT providers to start responding to these breach reports rationally. Kübler-Ross's stages of grieving are still in play for them: anger, denial, negotiation, etc.
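The de-identification OliverJones describes, as an added example that is not from the article or from any commenter: a minimal walker for an explicit-VR little-endian DICOM Part 10 file that lists the PHI tags a stored image still carries and overwrites them in place with same-length filler. The five-tag PHI list, the sample file and all function names are my own construction (the sample omits the rest of the mandatory file-meta group, so it is not a conformant file).

```python
import struct
# Subset of tags a de-identification profile scrubs (a constructed selection for this example)
PHI_TAGS = {(0x0008, 0x0080): "InstitutionName", (0x0008, 0x0090): "ReferringPhysicianName",
            (0x0010, 0x0010): "PatientName", (0x0010, 0x0020): "PatientID",
            (0x0010, 0x0030): "PatientBirthDate"}
# VRs whose explicit-VR encoding carries 2 reserved bytes plus a 4-byte length
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

def element(group, elem, vr, value):
    """Encode one explicit VR little-endian data element, padding the value to even length."""
    if len(value) % 2:
        value += b"\x00" if vr in (b"OB", b"UI") else b" "
    if vr in LONG_VRS:
        return struct.pack("<HH2sxxI", group, elem, vr, len(value)) + value
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value

def parse(data):
    """Walk a Part 10 file (explicit VR LE only), yielding (tag, vr, value_offset, length)."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    pos = 132
    while pos + 8 <= len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        if vr in LONG_VRS:
            length, pos = struct.unpack_from("<I", data, pos + 8)[0], pos + 12
        else:
            length, pos = struct.unpack_from("<H", data, pos + 6)[0], pos + 8
        yield (group, elem), vr, pos, length
        pos += length

def find_phi(data):
    """Return {tag name: value} for every PHI tag the file still carries."""
    return {PHI_TAGS[tag]: data[off:off + n].decode("ascii").strip()
            for tag, _, off, n in parse(data) if tag in PHI_TAGS}

def deidentify(data):
    """Overwrite PHI values with same-length filler so every later offset stays valid."""
    out = bytearray(data)
    for tag, vr, off, n in parse(data):
        if tag in PHI_TAGS:
            out[off:off + n] = b"19000101".ljust(n)[:n] if vr == b"DA" else b"X" * n
    return bytes(out)

def sample_file():
    """Constructed sample: transfer-syntax UID, five PHI elements and an 8-byte pixel payload."""
    fields = [(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1"), (0x0008, 0x0080, b"LO", b"Example Hospital"),
              (0x0008, 0x0090, b"PN", b"Doe^Jane"), (0x0010, 0x0010, b"PN", b"Roe^Richard"),
              (0x0010, 0x0020, b"LO", b"MRN-00042"), (0x0010, 0x0030, b"DA", b"19700101"),
              (0x7FE0, 0x0010, b"OW", bytes(range(8)))]
    return b"\x00" * 128 + b"DICM" + b"".join(element(*f) for f in fields)
```

Pixel data and every non-PHI element survive untouched, which is the property a scrubber has to keep if the de-identified study is still to be usable.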
savrajsingh, over 5 years ago
On the user side, we have to jump through hoops and sign so many onerous paper HIPAA compliance forms at dr's offices, just to get doctors to share records about us. On the backend it's free for anyone to access. It's all backwards!
Eikon, over 5 years ago
It feels like the places where security is of utmost importance, like banking, security cards or health, are the worst at doing it.

At least the lack of security of credit cards is understandable, as banks are profiting from fraud by charging the victim a fee.

In health? This must stop. It's a failure of regulatory bodies, as they throw so many junk policies around that the things that really require attention are just overlooked. The overabundance of paperwork and policies is not improving security, it's keeping away actors that could do way better.
ageyfman, over 5 years ago
In 2009 I was building an enterprise medical imaging SaaS for hospitals, and we would constantly come across hospital IT admins who were adamantly against trusting a cloud vendor with their sensitive healthcare data - even one that's audited, security-checked and whose sole responsibility is to take care of these images.

We always thought it was a joke that these guys questioned us, when we knew how bad their internal security practices were. At some point around 2011-2012 we seized on the idea that holding your images inside of the hospital's four walls was a liability for them, and not a point of pride.

So, not at all surprised about this, nor about the complete lack of security practices at many of these healthcare IT vendors.
xiphias2, over 5 years ago
Sensitive data should be thrown away, and the medical images could improve on the current state-of-the-art medical image database used for machine learning.

I'd be more than happy to publish my medical images with results if they would be used for an open database.

I have been at doctors in third-world countries, where doctors don't get the same level of education, but try to use the best tools available without paying too much money.
jasonlaramburu, over 5 years ago
Could this data be anonymized and open-sourced for training diagnostic algorithms? It's hard to put the genie back in the bottle, so why not at least make some use of the images?
pg_bot, over 5 years ago
DICOM is a standard that does too much. They should scrub everything related to networking and focus solely on encoding/decoding medical images.
anonpartners, over 5 years ago
I work for one of the largest health care networks in the northeast US. Nearly all of our PACS use the default installer password - which in at least two cases is literally just the name of the company that makes it.
chiefalchemist, over 5 years ago
Clickbait-y headline that forgets to mention hospitals as well. Yes, doctors should be more responsive and responsible. But they're (only) doctors.

Hospitals, on the other hand, have staff dedicated to technology and such infrastructure.

Dr X being unaware of the implications is understandable. Perhaps not forgivable, but certainly no surprise. But hospitals? They have no excuse.
salad77, over 5 years ago
From the article:

"We're not naming the affected organizations to limit the risk of exposing patient data."

However, a Google inurl:dicom search sure shows up the affected organizations on the first page (and plenty of pages after that).

And the sites are still fully open. Absolutely zero hacking required.

A lot of organizations had better get to work fast on this.

(edit: no images were viewed in the making of this post)
arminiusreturns, over 5 years ago
I've contracted for some medical orgs and I can tell you there is plenty of blame to go around, and most of it belongs on the heads of administration (C-levels), who let doctors get away with things they shouldn't while at the same time underfunding and generally shitting on their IT departments. IT directors without the backbone or knowledge to speak boardroom and convince the C-levels to have their back are failing, doctors are failing, and administrations are failing when it comes to IT. Add all that to a complex regulatory scheme in which some vendors are basically immune to being dropped, and overworked doctors and nurses because Congress keeps them artificially scarce, and it's a recipe for disaster.

To those making excuses for doctors, you should be ashamed of yourselves. There is enough blame for everyone in this case.
wswope, over 5 years ago
Fun experiment: use the Google Maps API to search a major US metro area for medical practices. Pick out any websites that don't use TLS. Crawl them for HTML forms that include common PHI keywords. You'll find a lot. Those same practices are usually going to have a whole mess of more serious HIPAA issues.
7QdfBKNNfP, over 5 years ago
Not only is transport security mostly lacking in DICOM, but there is little to no notion of access control for records. And I'm not just talking DICOM, but the apps themselves. It's no surprise though, when the DICOM standard has sections like this:

"The DICOM Standard does not address issues of security policies, though clearly adherence to appropriate security policies is necessary for any level of security. The Standard only provides mechanisms that could be used to implement security policies with regard to the interchange of DICOM objects between Application Entities. For example, a security policy may dictate some level of access control. This Standard does not consider access control policies, but does provide the technological means for the Application Entities involved to exchange sufficient information to implement access control policies."

http://dicom.nema.org/medical/dicom/current/output/html/part15.html

The original DICOM TCP protocol requires that every device connected use an encrypted tunnel, and it's not easy to get all the device vendors to agree on which ones to use, and then update their software. DICOM Web Services are a thing, and at least they would get HTTPS basically for free from their choice of web client and server.

HIPAA has been out since the 90s, so we need to get more fines against the providers to make them implement confidentiality and access controls. It's actually the GDPR which is now driving access controls rather than HIPAA.

To be fair though, the DICOM folks are busy constantly trying to standardize new image data coming from innovations in the modalities (scanners).
cornflake, over 5 years ago
https://picsafe.com is a HIPAA-compliant tool that solves this. Until penalties are applied, health organizations won't act on this.
dave_aiello, over 5 years ago
If this article is correct, it's such a huge problem that health systems are likely to hesitate to take steps toward basic imaging security, because they won't know what to do first.
Spooky23, over 5 years ago
I wish one of my past providers had been impacted by this a few years ago. I had to waste hours and thousands on MRIs when a practice closed and they made getting imagery impossible.
peter303, over 5 years ago
Knock. Knock. The average human body is rather boring, especially for the 3/4ths that are outside the young adult age range of 15-35.

As to insurance company exposure, almost all of these imaging procedures were paid for by health insurance companies, which already know all your ailments.