
Millions of people’s MRIs, X-rays, and CT scans are easily accessible online


Servers containing sensitive medical data — including X-rays, CT scans, and MRIs — are unprotected in doctors’ offices, imaging centers, and archiving services all over the world. Records for at least 5 million U.S. patients are available online, according to an investigation by ProPublica and German public broadcaster Bayerischer Rundfunk.

Reporters found 187 servers in the U.S. without passwords and other security protocols, leaving them open to access via software or basic web searches. The scans contained not only medical information but birthdates and social security numbers, in some cases. The Health Insurance Portability and Accountability Act (HIPAA) requires medical data be kept private, and failing to keep these images secure may violate that law.  

An industry group of radiologists and device makers created the standard Digital Imaging and Communications in Medicine (DICOM) in 1985, which lays out the standard for handling, storing, printing, and transmitting medical imaging. Before its security measures were standardized, devices that didn’t meet them were already showing up in hospitals and clinics. Some hospitals may never have made changes after DICOM’s security measures were released, and vendors continued to sell devices without built-in security. “Nobody ever tried to connect all these pieces together, and that’s how the whole problem happened,” Dr. Oleg Pianykh, an assistant professor of radiology and the director of medical analytics at Massachusetts General Hospital, told Digital Trends.

Pianykh has been tracking the problem for years. In 2016, he discovered 2,774 unprotected radiology or DICOM servers and published the results in a research paper. “The reason we were able to be able to connect to those DICOM devices was because the fundamental network security was missing,” he said.  

Large hospitals have fully staffed IT departments, but Pianykh said smaller offices and centers may outsource their IT needs to companies unfamiliar with medical privacy standards. They may assume the devices have built-in protections. “What happens is that they just buy some kind of medical device and keep all the default settings and keep the network wide open,” said Pianykh. “And that’s it. That’s the breach.”

As a baseline, any provider handling medical data needs to have its own secured network, Pianykh said. Otherwise, he compares securing individual devices to locking up the jewelry in your home while leaving the front door unlocked. The thieves will just steal something else. 
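The “front door” Pianykh describes is the network itself. As an added illustration (not from the article or from any vendor), the nftables ruleset below shows what a secured network baseline looks like for a host running a DICOM archive: the DICOM listening ports are reachable only from an assumed internal imaging subnet (10.20.0.0/16 is a constructed placeholder), and everything else is dropped by default. The hypothetical “before” state, left in as a comment, is the one the article describes: a wide-open network with default device settings.

```nftables
# Added example, not the article's or any vendor's configuration.
# Assumptions: the archive listens on the IANA-registered DICOM ports
# (104 and 11112); 10.20.0.0/16 is a placeholder for the internal
# imaging network; 10.20.1.5 is a placeholder for an administrator host.
#
# The "wide open" state described in the article corresponds to no
# ruleset at all (or policy accept), which lets anyone on the internet
# reach the DICOM listener directly.

table inet dicom_archive {
    chain input {
        # Default-deny: anything not explicitly allowed below is dropped.
        type filter hook input priority 0; policy drop;

        # Loopback and already-established connections.
        iif "lo" accept
        ct state established,related accept

        # DICOM associations only from the internal imaging subnet.
        ip saddr 10.20.0.0/16 tcp dport { 104, 11112 } accept

        # Administrative SSH from a single management host only.
        ip saddr 10.20.1.5 tcp dport 22 accept

        # Log (rate-limited) anything else that tries to reach DICOM,
        # so exposure attempts show up in monitoring rather than succeed.
        tcp dport { 104, 11112 } limit rate 10/minute log prefix "dicom-blocked: " drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. The point of the example is the default-drop policy: even a device left on factory settings cannot be reached from outside the imaging network, which is the locked front door Pianykh refers to. Per-device configuration (AE title whitelists, TLS where the modality supports it) then becomes a second layer rather than the only one.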

In one case, a Denver-based archival service, Offsite Image, had over 340,000 records that were vulnerable, including some from both human doctors and veterinarians. Its tech consultant, Matthew Nelms, said the company fixed its servers after ProPublica alerted him to the issue. “We were just never even aware that there was a possibility that could even happen,” he said.

The Medical Imaging & Technology Alliance oversees DICOM. It maintains that the security standards are adequate but suggested that individual offices and centers are responsible for seeing them through. “Proper security, however, requires more than just technical measures,” the alliance said in a statement. “It requires the implementation of institutional plans and policies to address various aspects of security (for example: infrastructure, device configuration, procedures, policies, training, auditing, and oversight).”

“You cannot just delegate to people, particularly physicians or patients, and tell them ‘Okay, well, go and take care of that,’” said Pianykh. Many will follow through, but some will not. Instead, he sees the need for a proactive approach, an agency that regularly scans for these issues and reaches out to the offices, cloud providers, or other entities who don’t have proper security in place. “The magnitude of this problem is monumental,” he said. “It’s beyond the scope of a single person doing some kind of single scan.” 

Update 9/18: Added additional comments from Dr. Oleg Pianykh.

Correction: An earlier version of this story misspelled Dr. Pianykh’s name.

Jenny McGrath
Former Digital Trends Contributor