This is a failure to implement privacy controls during the software development lifecycle. My suspicion is that there are many, many more pieces of personal information on unprotected servers and Amazon storage that are relying on nothing more than a complicated URL to keep them ‘safe’…:
Six UK systems storing x-rays, MRI and CT scans were found to be allowing unprotected access to anyone with a web browser, according to German security firm Greenbone Networks.
Some 1,500 patient records were publicly accessible due to “careless configuration” of these systems, along with more than 5,000 medical images. More than 13,000 medical images in the UK were found to be unprotected.
The Information Commissioner’s Office (ICO) and the NHS are investigating.
Using RadiAnt DICOM (digital imaging and communications in medicine) Viewer, an application easily accessible to download on the internet, security experts were able to download and view the patient information.
The vast majority of information discovered in the global study included names; date of birth; date of examination; scope of the examination; type of imaging procedure undertaken; attending physician; institute or clinician; and number of images taken.
In total about 24.3 million data records worldwide were found to be unprotected.
The researchers “did not have to write any special code” to access the patient data, nor was any software vulnerability “exploited”, they said.
To view and download the data, all that was needed was a list of IPs and a DICOM viewer.