KUALA LUMPUR, Sept 19 — Authorities will review the risk of vulnerabilities at hospitals with medical image archiving systems, amid claims that 20,000 Malaysian patient records are available online.
Health Minister Dzulkefly Ahmad said the Health Ministry met this morning with the Malaysian Communications and Multimedia Commission and the National Cyber Security Agency to identify the cause of the exposure of confidential Malaysian patient data records, including 1.2 million medical images linked to these records, as revealed by Germany-based security firm, Greenbone Networks.
“This could have happened at any health facility, including in private hospitals and medical centres at higher education institutions,” Dzulkefly said in a statement today.
He added that besides reviewing vulnerabilities at hospitals that use Picture Archiving and Communication Systems (PACS), the government will also map out the risk of vulnerabilities and continuously improve the security of apps and information technology infrastructure at all health facilities.
“The lessons from the Greenbone Networks report and cyberattacks throughout the world show that we have entered a new era of cyber threats. Cyber security is an ongoing challenge that requires greater expertise and resources.”
Greenbone said last Monday that 19,922 patient records, along with 1.2 million linked images, from Malaysia were publicly accessible on the internet from three systems allowing unprotected access via DICOM (Digital Imaging and Communications in Medicine). DICOM is a protocol in the PACS servers used by hospitals to archive images created by radiological processes (X-ray, CT, MRI) and to make them available to attending physicians to review.
Greenbone found 24.3 million patient data records accessible online from 52 countries, including Malaysia, that were linked to more than 700 million images, 400 million of which were actually downloadable.
A vast majority of the 24 million records contained sensitive personal information like one’s full name, date of birth, date of examination, the scope of the investigation, type of imaging procedure, attending physician, institute or clinic, as well as images of X-ray, CT and MRI scans.
Greenbone did not identify the individual vulnerable systems in Malaysia or in other countries, saying it would only speak to authorities.