60 days later, the overall status of unprotected PACS systems around the globe isn’t getting better. The situation in the US seems to be an unstoppable information security and data privacy disaster.

1.19 billion images

That is the number of images associated with all the unprotected medical studies we found in our review of the global status of medical archives connected to the internet, a 60% increase (up from 737 million). There are more details in our updated report about how the global status of medical picture archives has developed since our first research 60 days ago, but that number of images, now related to more than 35 million studies (up 40%, from 24.5 million) of patients across the globe, is, simply put, frightening.

Is it ignorance or negligence?

“Check again” is one of the mantras of cybersecurity and specifically of vulnerability management. You ‘check again’ to see how your security status evolves, and whether the measures and tools you have implemented work and actually provide the benefit you wanted from them. It is for this reason that we decided to do a review quite soon after the first report, and to do so 60 days later, as mandated in the US (the country most affected by this specific data leak). But finding even more studies, with more images related to them, is not what we expected to see. The question of ignorance and/or negligence can only be answered one way: from our point of view, it is both, in an unhealthy combination. For most of the systems we scrutinized, we had, and still have, continued access to the personal health information.

There is some hope, as a few countries managed to get the identified systems off the public Internet. But that hope is diminished by the overall numbers of accessible studies and images, and by the additional, new countries added to the list.

“Good, bad, and ugly”

Speaking about hope, we do see that the total number of systems has decreased by 43. But that is only a fraction of the total number (less than 10%). Going into the details, there are three groups of countries within our data.

  • The “Good”
    Countries which have, as mentioned above, managed to get the systems off the public Internet. The situation has changed to ‘good’.
  • The “Bad”
    Countries where we still see many systems, with unchanged situations or only a slight decrease in the numbers. The situation is still ‘bad’.
  • The “Ugly”
    This group consists of a few countries where the numbers went up and the situation hasn’t improved at all. It became ‘ugly’.

New datapoints

For the ‘ugly’ group of countries, we added new data points. One set is the location of each archiving system, which we summarized by state or province for each country. Another set is the number of medical institutions and physicians referenced in the base data. Both data points are difficult to handle, as they are only approximations and might lead to incorrect interpretations, so we advise taking them with a grain of salt. For example, the location of a system doesn’t mean that all PII stored in it belongs to citizens living close to that location (that is why we don’t name cities, just states). As with our initial report, we analyzed the data at run time and nothing has been stored on our systems. Only the summaries, counts, and indicators for location were noted and stored.

Extra focus: USA

The United States of America is the country most affected by this kind of data leak, so it is only natural to put some extra focus on the situation there. Not only did the aggregated numbers rise to a disturbing level, we also found some alarming data sets stored in unprotected PACS systems located in the US.

One very large archive allows full access to PHI, including all images related to its 1.2 million examinations; in addition, for about 75% of the individual names stored, it also discloses the social security numbers. The potential risk of medical identity theft for the affected individuals sums up to about $3.3 billion. That amount is almost two thirds of the overall financial risk calculated for this type of exploitation across all the PACS identified.

Another archive appears to hold data from military personnel, including their DoD IDs, when the names of the institutions are used as an indicator. Although the number of data sets isn’t huge, the fact itself provides means of exploitation (some of which are described in the initial report).

The following graphic highlights the situation in the US, per state affected.

(A high-resolution version of the graphic is available; usage is allowed provided the copyright is properly displayed.)

The overall situation with PACS systems in the US confirms our findings about the key capabilities driving high cyber resiliency in that region, which will be the subject of another Greenbone report about to be published.

Recommended actions

In the report, we also list some recommended actions for each ‘stakeholder’. The actions revolve around simple steps that increase the likelihood of discovering devices that are connected to the public Internet unnecessarily, plus, for individuals, how to make sure that your medical service providers and your physician really understand that they have to take the security and privacy of your data seriously.
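As an added illustration of such a discovery step (example code written for this page, not part of the Greenbone report or its tooling): PACS archives speak DICOM, and an archive that answers an A-ASSOCIATE-RQ from an arbitrary, unauthenticated caller with an A-ASSOCIATE-AC is reachable without any access control, which is exactly the condition the report counts. The script below builds a minimal association request proposing only the Verification SOP class, classifies the peer's reply (accept, reject, abort) and releases the association again. The AE titles, the placeholder implementation class UID and the default port 104 are assumptions; run it only against archives you own or are authorised to test, from a host outside your own network, so that the result reflects what the public Internet sees.

```python
"""DICOM association probe for PACS exposure self-checks (added example, not from the report)."""
import socket
import struct

APPLICATION_CONTEXT = "1.2.840.10008.3.1.1.1"   # DICOM application context name
VERIFICATION_SOP_CLASS = "1.2.840.10008.1.1"    # Verification (C-ECHO) SOP class
IMPLICIT_VR_LE = "1.2.840.10008.1.2"            # Implicit VR little endian transfer syntax
IMPL_CLASS_UID = "1.2.3.4.5.6.7.8.9"            # placeholder implementation UID (assumption)

PDU_ASSOCIATE_RQ, PDU_ASSOCIATE_AC, PDU_ASSOCIATE_RJ = 0x01, 0x02, 0x03
PDU_RELEASE_RQ, PDU_ABORT = 0x05, 0x07


def _item(item_type: int, payload: bytes) -> bytes:
    """Encode one PS3.8 item or sub-item: type, reserved byte, 16-bit big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae_title(title: str) -> bytes:
    """AE titles are 16 bytes, space padded."""
    return title.encode("ascii")[:16].ljust(16)


def build_associate_rq(called_ae: str = "ANY-SCP", calling_ae: str = "EXPOSURE-CHK") -> bytes:
    """Build an A-ASSOCIATE-RQ proposing a single presentation context (Verification SOP class)."""
    presentation_ctx = _item(0x20, bytes([1, 0, 0, 0])           # context id 1 + three reserved bytes
                             + _item(0x30, VERIFICATION_SOP_CLASS.encode())
                             + _item(0x40, IMPLICIT_VR_LE.encode()))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384))  # maximum PDU length we accept
                      + _item(0x52, IMPL_CLASS_UID.encode()))
    body = (struct.pack(">HH", 1, 0)                                # protocol version 1, reserved
            + _ae_title(called_ae) + _ae_title(calling_ae) + bytes(32)
            + _item(0x10, APPLICATION_CONTEXT.encode())
            + presentation_ctx + user_info)
    return struct.pack(">BBI", PDU_ASSOCIATE_RQ, 0, len(body)) + body


def parse_response(pdu: bytes) -> dict:
    """Classify the first PDU a peer returns for our association request."""
    if len(pdu) < 6:
        return {"status": "malformed"}
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    body = pdu[6:6 + length]
    if pdu_type == PDU_ASSOCIATE_AC:
        if len(body) < 68:                      # version, reserved, two AE fields, 32 reserved bytes
            return {"status": "malformed"}
        accepted = []
        offset = 68                             # variable items follow the fixed 68-byte header
        while offset + 4 <= len(body):
            item_type, _, item_len = struct.unpack(">BBH", body[offset:offset + 4])
            payload = body[offset + 4:offset + 4 + item_len]
            if item_type == 0x21 and len(payload) >= 3 and payload[2] == 0:
                accepted.append(payload[0])     # presentation context result 0 means acceptance
            offset += 4 + item_len
        return {"status": "accepted", "accepted_contexts": accepted}
    if pdu_type == PDU_ASSOCIATE_RJ and len(body) >= 4:
        return {"status": "rejected", "result": body[1], "source": body[2], "reason": body[3]}
    if pdu_type == PDU_ABORT:
        return {"status": "aborted"}
    return {"status": "unexpected", "pdu_type": pdu_type}


def _recv_pdu(sock: socket.socket) -> bytes:
    """Read exactly one PDU: the 6-byte header, then the announced number of bytes."""
    header = b""
    while len(header) < 6:
        chunk = sock.recv(6 - len(header))
        if not chunk:
            return header
        header += chunk
    length = struct.unpack(">BBI", header)[2]
    payload = b""
    while len(payload) < length:
        chunk = sock.recv(length - len(payload))
        if not chunk:
            break
        payload += chunk
    return header + payload


def check_exposure(host: str, port: int = 104, timeout: float = 5.0) -> dict:
    """Return how the archive at host:port answers an unauthenticated association request."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq())
        result = parse_response(_recv_pdu(sock))
        if result["status"] == "accepted":      # release what we opened; we never send a C-ECHO
            sock.sendall(struct.pack(">BBI", PDU_RELEASE_RQ, 0, 4) + bytes(4))
    return result


if __name__ == "__main__":
    import sys
    print(check_exposure(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 104))
```

An "accepted" result with a non-empty list of accepted contexts means the archive will talk to anyone who can reach the port; "rejected" with source 1 (service user) usually means the archive checks the calling AE title, which is not authentication but at least not an open door. A TCP timeout or connection refusal from the outside is the result you want.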

The report

Greenbone’s updated report can be downloaded here [1].

Our white paper [2] is there for a deeper introduction into the digital resilience of critical infrastructures, which include the health sector.

As stated before, due to the sensitivity of the data, in order to comply with data protection regulations in each country, and as a way not to encourage attacks, we are only disclosing the details of the individual vulnerable systems to authorized bodies.

Outlook

The study mentioned above, about the capabilities which lead to high cyber resiliency, will be published soon. The report covers the largest economies of the world and spans 6 sectors considered critical national infrastructure, namely

  • Health
  • Finance
  • Transport
  • Energy
  • Water
  • IT & Telecommunications

More to come in our blog.

Note:
We have not downloaded datasets, archives or any other available information, even though this would have been possible at any time. Instead, our report focuses on the number of records that are visible on, or could have been downloaded from, vulnerable servers.

[1] Greenbone Security Report – Unprotected Patient Data, a review

[2] Greenbone Whitepaper – Health Sector