It’s four months since Bayerischer Rundfunk and ProPublica ran reports on our research, which revealed that vast numbers of Picture Archiving & Communication Systems (PACS) – which are widely used by health providers to share and store medical scans – were leaking confidential patient data.

X-ray from the 19th century, source: WikiCommons

Over the last few days we sent faxes (we hadn’t used a fax in years) to more than 40 institutions, which should help to secure about 10 million studies and 460 million images from unprotected access.

We think that now’s the time for a new instalment and, while this blog post isn’t a new report, it does shine a spotlight on a few barely mentioned aspects of the data leak. It also highlights some extra noteworthy things that have happened since September 17th 2019.

A bit of history

It was spring 2019 when we found the first example of a PACS system leaking data. We weren’t searching for one specifically; we were actually conducting some different research at the time. However, because we had discovered it, our first step was to alert the affected organization about the problem (they acted quickly and removed the system). We didn’t think much more about it at the time, other than writing the words “PACS server” on a Post-It and pinning it on our notice board.

In August 2019, we decided to revisit the topic, and the initial work began by establishing a base data set of connected and accessible (i.e. unprotected) PACS systems. We soon realized the immense scale of the issue, and it became obvious that we would need the help of authorities and media outlets around the globe to draw much-needed attention to the problem. Simply put, it wouldn’t have been possible to get so many systems off the public Internet without their help. (This process still remains very much a ‘work in progress’, as January’s story on TechCrunch highlights.)

I’m thankful for the work done by so many around the globe: authorities in Germany, the United Kingdom, France, Switzerland, the United States, Malaysia, and many other countries. This extends to all the news outlets that highlighted the need to check and change PACS systems, as well as to the hospitals and clinics who took their responsibilities seriously and asked for specific advice. We have also spoken with quite a few information security professionals, and they all deserve kudos too. THANK YOU!

Some untold chapters

While on the topic of history, one particularly interesting aspect of our research was the sheer volume of historic medical data that was freely available on the Internet, and how this data could be used to build medical profiles of individuals.

For example, we selected a few systems, each allowing access to data that goes way back in time. The youngest archive in the sample dated from December 11th 2007.

The following graph and timeline visualize what we found on those selected systems.


(A hi-res version is available; usage is allowed provided that the copyright is properly displayed.)

By ‘history-building’ in this way we could see:

  • a person who had their first examination back in March 1987 and has since had 55 other radiology examinations, most recently in December 2019
  • another person who had more than 130 radiology examinations over a span of 22 years
  • the oldest data set, which dated back to January 3rd, 1980: an examination that took place in the evening

We also uncovered some further aspects that, although they don’t necessarily place patients at risk of medical identity fraud, are still important from a data privacy perspective, for example:

  • one PACS system contained the usual data (the patient’s full name, DoB and examination details); however, the data originated from a range of prisons and correctional centers dating back to 2007. You could easily work out whether someone had served prison time, which would be a clear breach of their privacy
  • some archives contained so much historical data that it was possible to establish full family trees. One system, belonging to a local medical center, contained over 400 entries for the same family name over a span of 19 years. This type of information is ripe for social engineering

It’s not just past data that’s at risk, it’s future information too. One system we found offered a very easy way to view future appointments, with each patient’s full name and DoB on display. And because this PACS server was used by a regional health provider, it would be relatively easy to find out a patient’s address, phone number, workplace and other details, thanks to the amount of information that’s readily available on Facebook, Instagram, etc.


Some extra plot twists

As we are talking about the future, which includes the bright new world of Artificial Intelligence, it’s noteworthy that we were even contacted by vendors of medical AI solutions asking us for access to the data, presumably so they could use it to improve their algorithms. We obviously said no, not just because of EU privacy laws, but also to protect patient security and on ethical grounds. It might be better to leave that piece of the story as it is.

When we first published our research, a typical reaction from medical interest groups was: “No, no, that can’t be. Systems used by veterinarians maybe, or education/university systems. But our hospitals and doctors take good care of privacy.” We did indeed find 72 vulnerable PACS systems being used by vets, but we didn’t use them for our research. While there is a chance that these servers hold a good amount of personal data (e.g. billing information), the health of animals is a different story from the health of people. Diligence was also needed to distinguish between the abbreviations VET and PET, as the former can refer to both veterinarians and veterans, while the latter can be a technical term for a type of scan: PET-CT.

It will come as no surprise that we were also contacted by lawyers seeking class-action lawsuits. We did not – and will never – share details of our methodology or any detailed findings; that’s not our business.

While speaking about legal aspects: when we sent out the 140+ individual responsible disclosures to the affected health providers, we prepared ourselves to receive a bunch of ‘cease and desist’ letters. But we haven’t received any. Those organizations who received the disclosure and contacted us for more information all (re)acted with the intent to remedy the problem, not to ‘shoot the messenger’. I’d like to thank Troy Hunt [add link] again for his work on how to handle responsible disclosures; it helped us a lot.

Randomly, we even received a message over Twitter, asking whether we found images of bone spurs. No, we didn’t, but then again, we didn’t search for any.

What’s next

We will keep an eye on the issue of unprotected PACS systems around the globe and will certainly help data protection and law enforcement authorities worldwide with their ongoing work to get the identified systems off the public Internet. There are still more than 400 unprotected PACS systems out there, holding more than 27 million studies and affecting an estimated 9 million people.

For us, this exercise was an important example of how information security and data privacy aren’t always about highly sophisticated APTs, devious social engineering tricks, and black hats doing some code magic. It’s about being diligent with the basics. And basic is exactly how we kept it: no coding, no automation, no scripting. Anyone would have been able to do it.

We intend to keep this approach in mind as we conduct future research into the resilience of other critical national infrastructures.