Almost 20,000 Malaysian Medical Records, 1Mil Scan Images Found Online

Greenbone Networks found that 24 million patient data records from 52 countries were accessible online.

KUALA LUMPUR, Sept 18 — An online security firm has discovered about 20,000 confidential patient records of Malaysians online, among 24 million data records from patients across 52 countries.

A report by Germany-based security firm Greenbone Networks showed that a vast majority of the 24 million patient data records accessible online contained personal information like one’s full name, date of birth, date of examination, the scope of the investigation, type of imaging procedure, attending physician, institute or clinic, as well as pictures of X-ray, CT and MRI scans.

A total of 19,922 patient records from Malaysia were publicly accessible from three systems allowing unprotected access via DICOM (Digital Imaging and Communications in Medicine), as well as 1.2 million images linked to these records.

“The sum of these data leaks of unprotected patient data available on the Internet is one of the largest data glitches worldwide to date,” said the Greenbone report released Monday.

“Greenbone did not have to write any special code to see what patient data was accessible, nor did any software vulnerability have to be exploited, or a zero-day attack carried out.

“As such, you don’t need to be a hacker to gain access to this highly sensitive data, it’s all visible with the help of freely available tools. To view and – if desired – download this data, you only need a list of IPs and a corresponding viewer. Both are available for download on the net,” it added.

Greenbone found over 700 million images linked to the 24.3 million accessible patient data sets, out of which about 400 million images could be accessed, displayed and downloaded.

The network security company said it analysed about 2,300 medical image archiving systems connected to the public internet between mid-July and early September this year, 590 of which were identified as accessible from the internet.

It said these PACS servers (Picture Archiving and Communication Systems) are used by hospitals to archive images created by radiological processes and to make them available to attending physicians for review. The protocol these systems use to exchange images is known as DICOM.

“The fact that PACS servers are vulnerable to attack or are accessible is not new information, and there have been a number of reports on this topic in the past. No report, however, has dealt with the breadth and depth of the problem associated with unsecured PACS servers.

“Greenbone’s analysis shows that several hundred PACS servers worldwide are connected to the public internet without any kind of protection for the personal and medical data stored on them. A not inconsiderable number of these systems even allow access to the individual image data of any patient,” said Greenbone.

It said the confidential data was accessible because of the careless configuration of the systems, many of which lacked password protection or encryption.

“In addition to the general ‘openness’ of the systems, they also have thousands of ‘real’ vulnerabilities, i.e. outdated web server versions and vulnerable database instances. In some cases, the PACS servers even allow patient data and images to be viewed via http and a web browser.”

Greenbone estimated the value of the confidential patient data on the Darknet to exceed US$1 billion.

“This data could be exploited by attackers for various purposes. These include publishing individual names and images to the detriment of a person’s reputation; connecting the data with other Darknet sources to make phishing attacks and social engineering even more effective; reading and automatically processing the data to search for valuable identity information, such as Social Security Numbers, in preparation for identity theft.”

The countries affected include China, the UK, the US, France, Germany, India, and Russia.

It is not known which hospitals the affected Malaysian medical image archiving systems originated from, as Greenbone says it will only disclose details of the individual vulnerable systems to authorised bodies.