More than 45 million medical procedures and results, including X-rays and CT scans, have been left exposed on unprotected servers.
According to a revealing report by CybelAngel There are millions of sensitive medical results, including personal health care information, available without encryption and password protection.
No username or Password
Analysts found that available medical results, including up to 200 lines of metadata per enrollment, που περιελαμβάνουν προσωπικά αναγνωρίσιμες πληροφορίες, όπως όνομα, ημερομηνία γέννησης, διεύθυνση, ύψος, βάρος, διάγνωση κ.λπ., μπορούν να τα δουν χωρίς να απαιτείται όνομα χρήστη ή κωδικός πρόσβασης. Σε ορισμένες περιπτώσεις, οι πύλες connections accepted blank usernames and passwords.
“The fact that we didn't use any tool πειρατείας σε όλη την έρευνά μας, υπογραμμίζει την ευκολία με την οποία μπορέσαμε να ανακαλύψουμε και να αποκτήσουμε πρόσβαση σε αυτά τα αρχεία”, λέει ο David Sygula , αναλυτής στο CybelAngel.
"This is a worrying finding and demonstrates that stricter security procedures need to be put in place to protect the way in which sensitive medical data is communicated and stored by health professionals. "The balance between security and accessibility is imperative to prevent data leakage."
Todd Carroll, CISO of CybelAngel, further commented: “Medical centers work with a vast, interconnected network of third-party providers and the cloud is an essential platform for data sharing and storage. However, security vulnerabilities pose a huge risk, both to individuals whose data has been compromised and to health care facilities governed by patient data protection regulations.
"The health sector faced unprecedented precalls this year, however the security and privacy of most of their patients' personal records must be protected to prevent confidential data from falling into the wrong hands."
Security risks for accessible results
The report emphasizes the security risks of publicly available results that contain highly personal information, such as ransomware and blackmail. This type of data earns a premium on the dark web.
In terms of compliance, healthcare providers are also subject to regulatory sanctions, such as the GDPR in Europe and the HIPAA in the US, for breaches of sensitive patient information.