
A billion medical images are exposed online - OrgNet
https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/
======
prostheticvamp
An odd line from the article, wherein it states that security researchers
don’t blame vendors, but the physicians and hospitals that fail to properly
secure the software.

I have never, in all my years of working in healthcare, seen a hospital or
physicians office directly install and manage PACS. They pay a third-party -
usually the vendor - to install, configure, and walk them through it. Maybe a
behemoth system like Northwell has the IT bench to do it themselves, but that
would be the exception.

So allow me to rephrase slightly: “technologically inept organization pays
vendor to make machine go vroom. Vendor leaves keys in ignition. Damn that
technologically inept organization.”

To take a 10,000-foot view of the situation, though:

Healthcare-related technology was largely pushed on the industry via
legislation. Said legislation was almost entirely stick, no carrot. The result
was healthcare organizations with a gun to their head to buy from a handful of
vendors, with no real ROI to be seen from it - aka, the government outsourcing
its costs to private industry, and throwing pork to some major health IT firms
along the way. When a technology is forced on you at a loss, from a vendor
with little incentive to optimize ease of use or utility, you get a terrible
piece of shit that no one wants to invest more time and money into than
absolutely needed. That’s going to show itself in a myriad of ways.

~~~
txcwpalpha
I’ve been the IT vendor in this scenario. While I’m sure there are plenty of
inept vendors not doing their part to ensure the systems they implement are
secure, a big part of it is doctors and their work culture.

Many doctors see themselves as too important to deal with security. They have
an attitude of “I went to school for medicine, not computers! How dare you ask
me to use a computer.” They are not only technologically inept, they are proud
of it. And I’m not just talking about refusing to use complicated software.
I’m talking about doctors that insist that they shouldn’t be forced to use
passwords (not even complicated passwords; ANY passwords). And in most of the
organizations I have dealt with, doctors are the most important people in the
organization and have final say on anything, which often means that the
security department’s efforts are all overridden by doctors that can’t be
arsed to even type in a password before using their EMR, and don’t even dream
of something more complicated like asking them to use multi-factor auth.

I once worked at a hospital where a doctor was looking at porn at work,
clicked a phishing link, and gave up his network credentials. An attacker then
used those credentials to breach the network and siphoned several hundred
thousand dollars from the financial system (wiring money to himself). Security
detected this and disabled his account. 20 minutes later the doctor had called
the CEO, yelled at him (“how dare you lock me out of my account!”) who then
called security to yell at us and insist we re-enable his account. The doctor
was never reprimanded (for falling for phishing or for the porn) meanwhile the
security team got a stern talking to and was instructed to never disable a
doctor’s account again.

Healthcare is a different world for security. You have to acknowledge that
yes, patient safety is more important than security, but oftentimes these
doctors take it to an extreme and they are very difficult to work with. I have
never met a group of people more elitist and “too important to be bothered” by
security than doctors.

~~~
Gatsky
It goes both ways. I keep telling the IT people at my hospital to stop using
SMS 2-factor and they blow me off and treat me like an idiot.

Anyway, ‘Doctors’ are a pretty diverse bunch, and most of them aren’t arrogant
porn-fiends.

~~~
wolco
Porn fiends? Doctors don't have the time. But you must admit that the
profession brings out some very arrogant traits. They usually express the
point of view that they learned everything they needed to at med school and any
new outside information is suspect and not important including IT security.

~~~
Gatsky
I'm not sure how to reply to your comment. I know a lot of doctors personally,
and less than 1% are what I would describe as very arrogant. Some specialties
probably enrich for arrogant people, particularly cardiothoracics, cardiology
or neurosurgery at large prestigious institutions, and some countries have a
system which tends to permit arrogance (eg the USA).

------
sbarre
The key takeaway from that article, for me, is that the government body that
is supposed to monitor, enforce, and penalize organizations who fail to follow
the HIPAA rules is basically doing nothing.

So with no consequence to these massive lapses, why would these companies
care?

~~~
modmans2nd
Under funded...just like the IRS.

------
moviuro

      % curl -L 'https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/'
      curl: (7) Failed to connect to guce.advertising.com port 443: Connection refused
    

WTF?

I have a lying DNS server, and it's getting ridiculous.

Here's the outline for people who care about privacy/tracking/GDPR, etc.
[https://outline.com/Ep5u4K](https://outline.com/Ep5u4K)

~~~
eitland
For now I'd be happy if techcrunch was blocked so people had to submit other
sources.

I've not been able to find a way to read content on that domain for months
now.

Edit:

PS: unlike many here I've little against ads as long as they aren't tracking
me, but the "consent screen" on techcrunch is less "consent" and more
"strongarm".

PPS: as others are mentioning, the whole thing seems to be compliance
theater since they seem to set a tracking cookie before even displaying the
consent screen :-/

~~~
uponcoffee
I'm on Firefox Preview for Android and am having no problems with the article.
No ads, popups etc. Just pure content.

------
OliverJones
From Techcrunch's article it looks like it's possible to see so-called
"protected health information" (PHI) in these images. PHI includes patient
names, diagnoses, hospital and doctor names, contact information, and so
forth. It's sometimes possible to "de-identify" medical images by scrubbing
off patient info. But I bet most of these are not de-identified.

The examples in the TechCrunch article are redacted, but I guess that was done
for publication and not on the stored images themselves.

In the USA, HIPAA and ARRA 2009 (followon legislation) made it a federal crime
to knowingly or negligently disclose PHI. It's a crime that "pierces the
corporate veil." That is, natural persons can be tried and convicted, even if
they were acting on behalf of corporations.

The Centers for Medicare and Medicaid Services (CMS) has a Breach Notification
Rule, requiring holders of data to notify patients and CMS themselves if PHI
is breached. [https://www.hhs.gov/hipaa/for-professionals/breach-notificat...](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html)

CMS announces breaches involving 500 or more patient records here
[https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf](https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)

It wouldn't surprise me if the people involved in securing these sloppily
configured DICOM servers are in a state of panic. I was involved in dealing
with an unintentional breach of 44 patient records a few years back, and yeah,
we had some panic. (Misrouted fax messages was the root cause, for what it's
worth.) Also observe that I remember to this day how many records leaked out.
Breaches are a big deal. It stinks to be them. I know that for sure.

I hope they get it sorted out. It will take a while. It will also take a while
for the affected medical professionals and their IT providers to start
responding to these breach reports rationally. Kübler-Ross's stages of
grieving are still in play for them: anger, denial, negotiation, etc.

------
savrajsingh
On the user side, we have to jump through hoops and sign so many onerous paper
HIPAA compliance forms at dr’s offices, to just get doctors to share records
about us. On the backend it’s free for anyone to access. It’s all backwards!

~~~
jessaustin
The signature demands that really annoy me are the ones in which I must
acknowledge that the provider has informed me of their HIPAA policies, which
demands are seldom accompanied by actual information about HIPAA policies,
which I probably wouldn't read anyway even if they were included.

~~~
1996
Then refuse to sign: you can't be denied care for refusing communication of
your records to 3rd parties. It's certainly better for your privacy too.

------
Eikon
It feels like the places where security is of utmost importance like in
banking, security cards or health are the worst at doing it.

At least, lack of security of credit cards is understandable as banks are
profiting from fraud by charging the victim a fee.

In health? This must stop. It's a failure of regulatory bodies as they throw
so much junk policies around that the things that really require attention is
just overlooked. The overabundance of paperwork and policies is not improving
security, it's keeping away actors that could do way better.

~~~
modmans2nd
They focus on visible security more than actually securing things. Example:
making it very hard for a user to log into a system “because of security “ but
not using security certificates to secure their email servers.

~~~
Eikon
Related:
[https://en.wikipedia.org/wiki/Security_theater](https://en.wikipedia.org/wiki/Security_theater)

------
ageyfman
In 2009 I was building an enterprise medical imaging SaaS for hospitals, and
we would constantly come across hospital IT admins who were adamantly against
trusting a cloud vendor with their sensitive healthcare data - even one that's
audited, security-checked and whose sole responsibility is to take care of
these images.

We always thought it was a joke that these guys questioned us, when we knew
how bad their internal security practices were. At some point around 2011-2012
we seized on the idea that holding your images inside of the hospital's four
walls was a liability for them, and not a point of pride.

So, not at all surprised about this, nor about the complete lack of security
practices at many of these healthcare IT vendors.

~~~
toomuchtodo
Lots of open S3 buckets full of critical data not helping the counter
argument. Security is hard, proving you’re secure to others more so. How do I
know you’re not just storing my data in S3, abstracting away the mechanism,
but your bucket policy or acls are garbage? I don’t. Cloud does not
immediately mean more secure.

~~~
ageyfman
The point I was making isn't that the cloud is naturally more secure, it's
that the company was 100% focused on medical imaging, not the 1000 projects a
typical network/system admin at a hospital has to juggle.

------
xiphias2
Sensitive data should be thrown away and the medical images could improve on
the current state of the art medical image database used for machine learning.

I'd be more than happy to publish my medical images with results if it would
be used for an open database.

I have been at doctors in third world countries, where doctors don't get the
same level of education, but try to use the best tools available without
paying too much money.

~~~
ghaff
Define sensitive data.

One of the challenges is that just deleting a name, say, doesn't necessarily
fully anonymize a medical record/image. In general, I actually agree with you
but anonymization/privacy is a challenging problem.
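OliverJones's point above that the stored images carry PHI in their headers, and ghaff's point that deleting the name does not fully anonymize a record, as an added example that is not part of this thread: a minimal encoder and parser for explicit-VR little-endian DICOM elements over a constructed dataset, a de-identification pass that blanks the patient name, replaces the patient ID with an HMAC-keyed pseudonym and drops the birth date, and a function that lists the quasi-identifiers (study date, institution, sex) that survive such a pass. The tag selection is a small subset of the PS3.15 Basic Profile, the code handles only a flat dataset without the file meta header or nested sequences, and the dataset bytes and the HMAC key are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Tags used below as (group, element). PS3.15 Annex E lists many more;
# this is a deliberately small subset for illustration.
STUDY_DATE = (0x0008, 0x0020)
INSTITUTION_NAME = (0x0008, 0x0080)
PATIENT_NAME = (0x0010, 0x0010)
PATIENT_ID = (0x0010, 0x0020)
PATIENT_BIRTH_DATE = (0x0010, 0x0030)
PATIENT_SEX = (0x0010, 0x0040)
PIXEL_DATA = (0x7FE0, 0x0010)

# VRs that use the 4-byte length form in explicit VR little endian (PS3.5 7.1.2)
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

# Attributes the pass below leaves in place that still narrow a patient down
QUASI_IDENTIFIERS = {STUDY_DATE, INSTITUTION_NAME, PATIENT_SEX}


def encode_element(tag, vr, value):
    """Encode one element in explicit VR little endian; values are padded to even length."""
    if isinstance(value, str):
        value = value.encode("ascii")
    if len(value) % 2:
        value += b"\x00" if vr in LONG_VRS else b" "
    head = struct.pack("<HH2s", tag[0], tag[1], vr)
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def parse_dataset(data):
    """Return [(tag, vr, raw_value)] for a flat dataset (no file meta, no nested SQ)."""
    elements, off = [], 0
    while off < len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, off)
        off += 6
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, off + 2)  # skip 2 reserved bytes
            off += 6
        else:
            (length,) = struct.unpack_from("<H", data, off)
            off += 2
        elements.append(((group, elem), vr, data[off:off + length]))
        off += length
    return elements


def pseudonym(patient_id, key):
    """Keyed hash: same patient -> same pseudonym across studies, not reversible without the key."""
    return hmac.new(key, patient_id, hashlib.sha256).hexdigest()[:16].encode("ascii")


def deidentify(data, key):
    """Blank the name, pseudonymise the ID, drop the birth date; everything else passes through."""
    out = []
    for tag, vr, value in parse_dataset(data):
        if tag == PATIENT_NAME:
            value = b"ANONYMOUS"
        elif tag == PATIENT_ID:
            value = pseudonym(value.rstrip(b" "), key)
        elif tag == PATIENT_BIRTH_DATE:
            value = b""
        out.append(encode_element(tag, vr, value))
    return b"".join(out)


def remaining_quasi_identifiers(data):
    """Tags still present that, combined, can re-identify a patient."""
    return sorted(tag for tag, _, _ in parse_dataset(data) if tag in QUASI_IDENTIFIERS)


# Constructed sample dataset (not real patient data)
SAMPLE = b"".join([
    encode_element(STUDY_DATE, b"DA", "20200110"),
    encode_element(INSTITUTION_NAME, b"LO", "Example Imaging Center"),
    encode_element(PATIENT_NAME, b"PN", "DOE^JANE"),
    encode_element(PATIENT_ID, b"LO", "MRN0001234"),
    encode_element(PATIENT_BIRTH_DATE, b"DA", "19700101"),
    encode_element(PATIENT_SEX, b"CS", "F"),
    encode_element(PIXEL_DATA, b"OB", bytes(range(16))),
])

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE, b"site-secret-key")  # assumed key; keep it away from the images
    for tag, vr, value in parse_dataset(cleaned):
        print("(%04X,%04X) %s %r" % (tag[0], tag[1], vr.decode(), value))
    print("quasi-identifiers left:", remaining_quasi_identifiers(cleaned))
```

The keyed pseudonym is what lets a research archive link repeat studies of one patient without holding the MRN; the output of remaining_quasi_identifiers is the part that matters for ghaff's objection, since a rare study date at a small institution plus sex and the burned-in pixel data can still identify someone, which is why real profiles also shift dates and clean pixel data.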

------
jasonlaramburu
Could this data be anonymized and open-sourced for training diagnostic
algorithms? It’s hard to put the genie back in the bottle so why not at least
make some use of the images?

~~~
quasarj
Possibly, though with only the images you'd be missing some useful info, like
the actual outcome. Also they are likely not "high quality" images on
average.. so for example, if there is cancer present, it may not be identified
in the image.

See
[https://www.cancerimagingarchive.net/](https://www.cancerimagingarchive.net/)
for some examples of carefully curated data.

------
pg_bot
DICOM is a standard that does too much. They should scrub everything related
to networking and focus solely on encoding/decoding medical images.

~~~
quasarj
As someone who deals with it every day, I completely agree. In fact, I mostly
pretend the networking part doesn't exist anyway, and do all networking the
normal way..

------
anonpartners
I work for one of the largest health care networks in the northeast US. Nearly
all of our PACS use the default installer password - which in at least two
cases is literally just the name of the company that makes it.

------
chiefalchemist
Clickbait-y headline that they forget to mention hospitals as well. Yes
doctors should be more responsive and responsible. But they're (only) doctors.

Hospitals on the other hand have staff dedicated to technology and such
infrastructure.

Dr X being unaware of the implications is understandable. Perhaps not
forgivable but certainly no surprise. But hospitals? They have no excuse.

~~~
reaperducer
I work in health, and I sometimes have to interact with the federal database
of doctors. It's amazing the things you see in there.

There are doctors who don't know their own addresses. Can't spell the name of
their town. Don't know their ZIP Code. Don't know the difference between a
mailing address and a physical address. Don't keep their information current.
Or sometimes don't even know what town they're in, putting a neighborhood or
region on federal paperwork because "everybody knows where that is."

We assume that because doctors are smart at medicine, they should also be
smart at computers. They're not. Just like my commercial airline pilot
neighbor is great at flying transcontinental jumbo jets, but every few days
has to shout across the street at me to ask if today's the day to put out the
trash bins.

~~~
DataWorker
Not smart at computers, but maybe they are smart _about_ computers. Everyone
thinks old people can’t use tech but what if they don’t want to and that
resistance is a manifestation of wisdom that’s incomprehensible to those
without the same wisdom. To believe doctors as a class of people are less
intelligent than average is silly and probably ego defensive. As a group
doctors are of above average intelligence and certainly smarter than most of
the people they work with in IT.

I think it’s the academic and professional institutions that are most culpable
for the current state of things. They should have been the ones who foisted
tech requirements on doctors, instead it was done through federal regulation.
Most of the blame for most of today’s problems comes back to universities. If
using tech is part of the job of being a doctor, then make it so from inside
the profession.

~~~
mewpmewp2
There are different types of intelligence. Both fields require totally
different talent, interests and skills. One is solving very abstract problems,
the other is talking to people and learning a huge amount of information about
how humans work.

I am good with abstract stuff, but in no way could I remember that amount of
information about people as doctors do. I still have no idea what most of my
bones or other things within me are named and I have zero interest in it. I
can imagine one could be also the other way around. Have huge amount of
interest in people, but despise techy knowledge.

In the end both doctors and IT workers are so different from each other that
they have so much trouble understanding one another. Remember doctors never
asked for all this abstract shit. Also as you age you will get more set in the
field you choose. That is just the way people work. Not an excuse or why one
should not keep improving themselves.

------
salad77
From the article :

"We’re not naming the affected organizations to limit the risk of exposing
patient data."

However, a google inurl:dicom search sure shows up the affected organizations
on the first page (and plenty pages after that).

And the sites are still fully open. Absolutely zero hacking required.

A lot of organizations had better get to work fast on this.

(edit: no images were viewed in the making of this post)

~~~
quasarj
It's hard to know what Google returns for a different person these days, but
inurl:dicom does not return anything suspect for me.

It's also worth noting that the types of systems mentioned in the article
(unsecured PACS) would not show up on Google anyway. They must be accessed
using one of the DICOM network protocols.

------
arminiusreturns
I've contracted for some medical orgs and I can tell you there is plenty of
blame to go around, and most of it belongs on the heads of administration
(C-levels), who let doctors get away with things they shouldn't while at the
same time underfund and generally shit on their IT departments. IT directors
without the backbone or knowledge to speak boardroom and convince the C-levels
to have their back are failing, doctors are failing, and administrations are
failing when it comes to IT, add all that to a complex regulatory scheme in
which some vendors are basically immune to being dropped, overworked doctors
and nurses because congress keeps them artificially scarce, and it's a recipe
for disaster.

To those making excuses for doctors, you should be ashamed of yourselves.
There is enough blame for everyone in this case.

------
wswope
Fun experiment: use google maps API to search a major US metro area for
medical practices. Pick out any websites that don't use TLS. Crawl them for
HTML forms that include common PHI keywords. You'll find a lot. Those same
practices are usually going to have a whole mess of more serious HIPAA issues.
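The crawl step of wswope's experiment, as an added example that is not part of this thread: given a page's URL and its HTML, parse out the forms whose fields look like PHI and that are exposed because the page or the form's action is not served over TLS. The page URL, the HTML and the keyword list are constructed for illustration; the Maps lookup and the fetching of live pages are left out. Note that the check flags a plain-HTTP page even when the form action is https, since anyone who can rewrite the page in transit can rewrite the action too.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that suggest a form collects PHI. Illustrative starting list, not exhaustive.
PHI_KEYWORDS = ("dob", "birth", "ssn", "social", "diagnosis", "medication",
                "insurance", "patient", "mrn", "symptom", "prescription")


class FormScanner(HTMLParser):
    """Collect every form on a page with its resolved action URL and field labels."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": urljoin(self.page_url, attrs.get("action") or ""),
                "method": (attrs.get("method") or "get").lower(),
                "fields": [],
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            label = " ".join(v for v in (attrs.get("name"), attrs.get("id"), attrs.get("placeholder")) if v)
            if label:
                self._current["fields"].append(label.lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def phi_fields(fields):
    return [f for f in fields if any(k in f for k in PHI_KEYWORDS)]


def find_exposed_phi_forms(page_url, html):
    """Return forms that collect PHI-looking fields and are exposed on the wire, either
    because the page itself is served without TLS (so the form and its action can be
    rewritten in transit) or because the form submits to a non-https action."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    page_plain = urlsplit(page_url).scheme != "https"
    findings = []
    for form in scanner.forms:
        hits = phi_fields(form["fields"])
        reasons = []
        if page_plain:
            reasons.append("page served without TLS")
        if urlsplit(form["action"]).scheme != "https":
            reasons.append("form submits without TLS")
        if hits and reasons:
            findings.append({"action": form["action"], "method": form["method"],
                             "phi_fields": hits, "reasons": reasons})
    return findings


# Constructed page for the demonstration; clinic.example is not a real practice.
SAMPLE_PAGE_URL = "http://clinic.example/new-patient"
SAMPLE_HTML = """
<html><body>
<form action="/intake" method="post">
  <input name="full_name">
  <input name="dob" placeholder="Date of birth">
  <input name="insurance_id">
  <textarea name="symptoms"></textarea>
</form>
<form action="https://search.example/q" method="get">
  <input name="q">
</form>
<form action="https://portal.example/login" method="post">
  <input name="patient_email">
  <input name="password" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for f in find_exposed_phi_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f["method"].upper(), f["action"], f["phi_fields"], "; ".join(f["reasons"]))
```

Run it over pages you have permission to test; a hit here is a transport problem only, and as wswope says the same practices usually have a longer list of HIPAA issues behind it.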

------
7QdfBKNNfP
Not only is transport security mostly lacking in DICOM, but there is little to
no notion of access control for records. And I'm not just talking DICOM, but
the apps themselves. It's no surprise though, when the DICOM standard has
sections like this:

 _The DICOM Standard does not address issues of security policies, though
clearly adherence to appropriate security policies is necessary for any level
of security. The Standard only provides mechanisms that could be used to
implement security policies with regard to the interchange of DICOM objects
between Application Entities. For example, a security policy may dictate some
level of access control. This Standard does not consider access control
policies, but does provide the technological means for the Application
Entities involved to exchange sufficient information to implement access
control policies._

[http://dicom.nema.org/medical/dicom/current/output/html/part...](http://dicom.nema.org/medical/dicom/current/output/html/part15.html)

The original DICOM TCP protocol requires that every device connected use an
encrypted tunnel, and it's not easy to get all the device vendors to agree on
which ones to use, and then update their software. DICOM Web Services are a
thing, and at least they would get HTTPS basically for free from their choice
of web client and server.

HIPAA has been out since the 90's so we need to get more fines against the
providers to make them implement confidentiality and access controls. It's
actually the GDPR which is now driving access controls rather than HIPAA.

To be fair though, the DICOM folks are busy constantly trying to standardize
new image data coming from innovations in the modalities (scanners).

------
cornflake
[https://picsafe.com](https://picsafe.com) is a HIPAA compliant tool that
solves this. Until penalties are applied, health organizations won't act on
this.

~~~
thed
No, picsafe does not solve the issues described in the article. What makes you
think it does?

------
dave_aiello
If this article is correct, it's such a huge problem that health systems are
likely to hesitate to take steps toward basic imaging security, because they
won't know what to do first.

~~~
thed
I think what to do first is really quite simple: Do not let back-end servers
face the internet.
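The DICOM network handshake that quasarj refers to above (unsecured PACS are reached through the DICOM protocols, not a web page) and the check behind thed's "do not let back-end servers face the internet", as an added example that is not part of this thread. It encodes an A-ASSOCIATE-RQ for the Verification SOP class (the C-ECHO "ping" that tools such as DCMTK's echoscu send), parses the A-ASSOCIATE-AC or A-ASSOCIATE-RJ that comes back, and includes constructed replies so the parser runs offline. The implementation class UID, the AE titles and the host and port passed to probe() are assumptions for illustration. What the handshake makes visible is that the only identity material in it is the pair of AE titles; wrapping the same socket in TLS (use_tls=True) is the PS3.15 secure transport profile 7QdfBKNNfP mentions, and a listener that answers a plain-text association from an internet address is exactly the exposure the article describes.

```python
import socket
import ssl
import struct

VERIFICATION_SOP = "1.2.840.10008.1.1"       # Verification SOP class: C-ECHO, the DICOM "ping"
IMPLICIT_VR_LE = "1.2.840.10008.1.2"         # default transfer syntax every SCP must accept
APP_CONTEXT = "1.2.840.10008.3.1.1.1"        # DICOM application context name
IMPL_CLASS_UID = "1.2.826.0.1.3680043.9.9999.1"  # assumed placeholder; a real tool registers its own


def _item(item_type, payload):
    """Generic PDU item: type, reserved byte, 16-bit big-endian length, payload (PS3.8 9.3)."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae(title):
    """AE titles are exactly 16 bytes, space padded."""
    return title.encode("ascii")[:16].ljust(16, b" ")


def build_associate_rq(called_ae, calling_ae, pc_id=1):
    """A-ASSOCIATE-RQ proposing one presentation context for Verification.
    Note what is absent: no credential of any kind, only two AE titles."""
    pres_ctx = _item(0x20, struct.pack(">BBBB", pc_id, 0, 0, 0)
                     + _item(0x30, VERIFICATION_SOP.encode())
                     + _item(0x40, IMPLICIT_VR_LE.encode()))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384))   # max PDU length we accept
                      + _item(0x52, IMPL_CLASS_UID.encode()))
    body = (struct.pack(">HH", 1, 0) + _ae(called_ae) + _ae(calling_ae) + bytes(32)
            + _item(0x10, APP_CONTEXT.encode()) + pres_ctx + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def parse_associate_response(pdu):
    """Classify the peer's reply: A-ASSOCIATE-AC (0x02) or A-ASSOCIATE-RJ (0x03)."""
    pdu_type, _, length = struct.unpack_from(">BBI", pdu, 0)
    if pdu_type == 0x03:
        result, source, reason = struct.unpack_from(">BBB", pdu, 7)
        return {"accepted": False, "result": result, "source": source, "reason": reason}
    if pdu_type != 0x02:
        raise ValueError("unexpected PDU type 0x%02x" % pdu_type)
    contexts, off = {}, 6 + 2 + 2 + 16 + 16 + 32      # skip the fixed AC header
    while off < 6 + length:
        item_type, _, item_len = struct.unpack_from(">BBH", pdu, off)
        if item_type == 0x21:                          # presentation context (AC): id, _, result, _
            pc_id, _, result, _ = struct.unpack_from(">BBBB", pdu, off + 4)
            contexts[pc_id] = result                   # 0 = accepted, 1-4 = rejected
        off += 4 + item_len
    return {"accepted": True, "contexts": contexts}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-PDU")
        buf += chunk
    return buf


def probe(host, port, called_ae="ANY-SCP", calling_ae="PROBE", use_tls=False, timeout=5):
    """Open an association with a listener and report how it answers. Only the handshake
    is exercised (no C-ECHO, no query) and an accepted association is released cleanly.
    use_tls=True wraps the socket as the PS3.15 secure transport profile does."""
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = ssl.create_default_context().wrap_socket(raw, server_hostname=host) if use_tls else raw
    try:
        sock.sendall(build_associate_rq(called_ae, calling_ae))
        head = _recv_exact(sock, 6)
        _, _, length = struct.unpack(">BBI", head)
        reply = parse_associate_response(head + _recv_exact(sock, length))
        if reply["accepted"]:
            sock.sendall(struct.pack(">BBII", 0x05, 0, 4, 0))   # A-RELEASE-RQ
        return reply
    finally:
        sock.close()


# Constructed peer replies so the parser can be exercised offline
def build_associate_ac(pc_id=1, result=0):
    pres_ctx = _item(0x21, struct.pack(">BBBB", pc_id, 0, result, 0) + _item(0x40, IMPLICIT_VR_LE.encode()))
    body = (struct.pack(">HH", 1, 0) + _ae("ANY-SCP") + _ae("PROBE") + bytes(32)
            + _item(0x10, APP_CONTEXT.encode()) + pres_ctx
            + _item(0x50, _item(0x51, struct.pack(">I", 16384))))
    return struct.pack(">BBI", 0x02, 0, len(body)) + body


def build_associate_rj(result=1, source=1, reason=7):
    """result 1 = rejected-permanent, source 1 = service user, reason 7 = called AE title not recognized."""
    return struct.pack(">BBIBBBB", 0x03, 0, 4, 0, result, source, reason)


if __name__ == "__main__":
    print(parse_associate_response(build_associate_ac()))
    print(parse_associate_response(build_associate_rj()))
```

A rejection with reason 7 is the most a classic PACS can do to an unknown caller, and many are configured to accept any called AE title; the useful configuration check is therefore not "does it reject my AE title" but "is port 104 (or whatever the listener uses) reachable from outside at all", which should be answered by the firewall before this code ever gets an answer. Only probe listeners you are responsible for.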

------
Spooky23
I wish one of my past providers was impacted by this a few years ago. I had to
waste hours and thousands on MRIs when a practice closed and they made getting
imagery impossible.

------
peter303
Knock. Knock. The average human body is rather boring, especially for the
3/4ths that are outside the young adult age range of 15-35.

As to insurance company exposure, almost all of these imaging procedures were
paid by health insurance companies and already know all your ailments.

