Wouldn't it be weird if people could see your bones, organs and other body parts whenever they wanted? Well, it turns out there's a decent chance they can, as TechCrunch reported Friday that more than 1 billion medical images are easily discoverable online without even basic security precautions to protect them.
The report said that many hospitals, doctors' offices and other medical organizations share patient images using an open file and network standard called DICOM on picture archiving and communication system (PACS) servers connected to the Internet. That set-up allows medical professionals to conveniently share patient images without having to worry about file formats, delivery methods and other technical considerations. That convenience should lead to better patient care that isn't delayed by technical issues.
The problem, according to TechCrunch, is that "many doctors’ offices disregard security best practices and connect their PACS server directly to the Internet without a password." That means anyone who finds those servers can access the medical images stored on them without any hassle whatsoever.
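The "without a password" finding is, at the protocol level, a PACS that accepts a DICOM association from any client that connects. DICOM itself has no password field; the usual controls are an allowlist of calling AE titles and source addresses, TLS with client certificates, and simply not exposing port 104 or 11112 to the Internet. The script below is an added example, not code from the original article or from Greenbone's scanner: it builds the A-ASSOCIATE-RQ PDU for the Verification SOP class (the C-ECHO "ping" every PACS supports), parses the server's accept or reject PDU, and reports whether an association was granted to an arbitrary, unregistered AE title. The called AE title "ANY-SCP", the calling title "PROBE", the implementation UID and the sample response bytes are all constructed for the example; `probe()` opens a real TCP connection and should only be pointed at hosts you are authorised to test.

```python
"""Minimal DICOM association probe (illustrative; not the Greenbone scanner)."""
import socket
import struct

# Well-known DICOM UIDs from the standard (PS3.6 / PS3.8).
APPLICATION_CONTEXT = "1.2.840.10008.3.1.1.1"
VERIFICATION_SOP_CLASS = "1.2.840.10008.1.1"      # C-ECHO, supported by every SCP
IMPLICIT_VR_LITTLE_ENDIAN = "1.2.840.10008.1.2"   # default transfer syntax
# Hypothetical implementation UID for this probe; an assumption, not a registered UID.
PROBE_IMPL_CLASS_UID = "1.2.826.0.1.3680043.9.9999.1"


def _item(item_type: int, payload: bytes) -> bytes:
    """DICOM variable item: 1-byte type, 1 reserved byte, 2-byte big-endian length."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae(title: str) -> bytes:
    """AE titles are exactly 16 bytes, space padded."""
    return title.encode("ascii")[:16].ljust(16, b" ")


def build_associate_rq(called_ae: str, calling_ae: str = "PROBE") -> bytes:
    """A-ASSOCIATE-RQ proposing one presentation context (Verification SOP class)."""
    app_ctx = _item(0x10, APPLICATION_CONTEXT.encode())
    pres_ctx = _item(0x20, bytes([1, 0, 0, 0])                     # context id 1 + 3 reserved
                     + _item(0x30, VERIFICATION_SOP_CLASS.encode())   # abstract syntax
                     + _item(0x40, IMPLICIT_VR_LITTLE_ENDIAN.encode()))  # transfer syntax
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384))     # max PDU length
                      + _item(0x52, PROBE_IMPL_CLASS_UID.encode()))   # impl. class UID
    body = (struct.pack(">HH", 1, 0)                                   # protocol version 1
            + _ae(called_ae) + _ae(calling_ae) + bytes(32)
            + app_ctx + pres_ctx + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def parse_associate_response(pdu: bytes) -> dict:
    """Classify the server's reply: AC (accepted), RJ (rejected), A-ABORT or other."""
    if len(pdu) < 6:
        raise ValueError("short PDU")
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    body = pdu[6:6 + length]
    if pdu_type == 0x03:                                  # A-ASSOCIATE-RJ
        _, result, source, reason = struct.unpack(">BBBB", body[:4])
        return {"pdu": "A-ASSOCIATE-RJ", "accepted": False,
                "result": result, "source": source, "reason": reason}
    if pdu_type == 0x07:
        return {"pdu": "A-ABORT", "accepted": False}
    if pdu_type != 0x02:
        return {"pdu": "unexpected-0x%02x" % pdu_type, "accepted": False}
    # A-ASSOCIATE-AC: version(2) reserved(2) called(16) calling(16) reserved(32), then items
    pos = 2 + 2 + 16 + 16 + 32
    contexts = {}
    while pos + 4 <= len(body):
        item_type, _, item_len = struct.unpack(">BBH", body[pos:pos + 4])
        payload = body[pos + 4:pos + 4 + item_len]
        pos += 4 + item_len
        if item_type == 0x21 and len(payload) >= 4:        # presentation context (AC form)
            ctx_id, _, result, _ = payload[:4]             # result 0 = acceptance
            contexts[ctx_id] = result
    return {"pdu": "A-ASSOCIATE-AC",
            "accepted": any(r == 0 for r in contexts.values()), "contexts": contexts}


def sample_associate_ac(accept: bool = True) -> bytes:
    """Constructed A-ASSOCIATE-AC as an open PACS (or one refusing the context) would send."""
    result = 0 if accept else 3                           # 3 = abstract syntax not supported
    items = (_item(0x10, APPLICATION_CONTEXT.encode())
             + _item(0x21, bytes([1, 0, result, 0]) + _item(0x40, IMPLICIT_VR_LITTLE_ENDIAN.encode()))
             + _item(0x50, _item(0x51, struct.pack(">I", 16384)) + _item(0x52, b"1.2.3.4")))
    body = struct.pack(">HH", 1, 0) + _ae("ANY-SCP") + _ae("PROBE") + bytes(32) + items
    return struct.pack(">BBI", 0x02, 0, len(body)) + body


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def probe(host: str, port: int = 104, called_ae: str = "ANY-SCP", timeout: float = 5.0) -> dict:
    """Live check (not run offline): does the PACS grant an association to an unknown AE?"""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(called_ae))
        header = _recv_exact(sock, 6)
        length = struct.unpack(">I", header[2:6])[0]
        result = parse_associate_response(header + _recv_exact(sock, length))
        if result["pdu"] == "A-ASSOCIATE-AC":
            sock.sendall(struct.pack(">BBI", 0x05, 0, 4) + bytes(4))  # A-RELEASE-RQ, be polite
        return result


if __name__ == "__main__":
    print(parse_associate_response(sample_associate_ac()))        # open server: accepted True
    print(parse_associate_response(sample_associate_ac(False)))   # context refused
```

An A-ASSOCIATE-AC with result 0 for the proposed context means the server will talk to anyone who reaches the port; an A-ASSOCIATE-RJ with source 1 and reason 7 ("called AE title not recognized") or reason 3 ("calling AE title not recognized") is the AE-title allowlist doing its job, though an allowlist alone is a weak control because titles are short and often guessable. The only robust fix is keeping the port off the Internet, or fronting it with DICOM-over-TLS with client authentication.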
This isn't the first time security researchers have warned about this problem. ProPublica reported in September 2019 that it discovered 187 unprotected servers used by medical organizations throughout the U.S. that stored medical images for more than 5 million Americans, along with millions of other people outside the country. Greenbone Networks, a German security company, supplied the research behind both reports.
Greenbone told TechCrunch it contacted "more than 100 organizations last month about their exposed servers." Smaller organizations were said to have solved the problem right away. The 10 largest companies, however, offered "no response at all." Those companies handle approximately 20% of the 1 billion images Greenbone discovered at the tail end of 2019.
Many people probably don't even know how their medical images are managed; we suspect that fewer still would refuse imaging services from providers that don't secure their PACS servers. Reports like this can raise awareness about the issue, but it's up to the medical organizations themselves to respond, not the patients affected by their lackadaisical security practices.