More than 45 million medical procedures and results, including X-rays and CT scans, have been left exposed on unprotected servers.
According to a revealing report by CybelAngel, millions of sensitive medical results, including personal health care information, are available unencrypted and accessible without any password protection.
No username or password required
Analysts found that the available medical results, including up to 200 lines of metadata per record containing personally identifiable information such as name, date of birth, address, height, weight and diagnosis, could be viewed without a username or password. In some cases, gateways accepted blank usernames and passwords.
“The fact that we didn't use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files," says David Sygula, analyst at CybelAngel.
"This is a worrying discovery and demonstrates that stricter security procedures must be in place to protect how sensitive medical data is shared and stored by health professionals. The balance between security and accessibility is imperative to prevent leakage from a data breach.”
Todd Carroll, CISO of CybelAngel, further commented: “Medical centers work with a vast, interconnected network of third-party providers and the cloud is an essential platform for data sharing and storage. However, security vulnerabilities pose a huge risk, both to individuals whose data has been compromised and to health care facilities governed by patient data protection regulations.
"The health sector has faced unprecedented challenges this year, but the security and confidentiality of most of their patients' personal records must be protected to prevent confidential data from falling into the wrong hands."
Security risks for accessible results
The report emphasizes the security risks that publicly available results containing highly personal information create, such as ransomware and blackmail. This type of data commands a premium on the dark web.
In terms of compliance, healthcare providers are also subject to regulatory sanctions, under GDPR in Europe and HIPAA in the US, for breaches of sensitive patient information.