
Millions of Americans’ Medical Images and Data Are Available on the Internet - jph00
https://www.propublica.org/article/millions-of-americans-medical-images-and-data-are-available-on-the-internet
======
zaroth
It sounds like the underlying cause in this particular case is a piece of
software running an open port that a lot of people don't even realize is
there, and which for some reason is exposed outside the firewall.

Take the case of "Offsite Image" as an example;

> _The company referred ProPublica to its tech consultant, who at first
> defended Offsite Image’s security practices and insisted that a password was
> needed to access patient records. The consultant, Matthew Nelms, then called
> a ProPublica reporter a day later and acknowledged Offsite Image’s servers
> had been accessible but were now fixed._

> _“We were just never even aware that there was a possibility that could even
> happen,” Nelms said._

That sounds to me like they built a custom front-end to serve the images
which was doing password authentication and billing, but failed to notice the
underlying image server software was exposed and responding to queries with no
authentication.

I'm guessing somewhere there's a configuration file which has a default IP
binding of 0.0.0.0 and a blank password field.

~~~
dsr_
There's an entire industry of consultants who will help your business pass a
PCI audit, and everyone who handles payments requires a PCI audit annually.

There should be equivalent standards and audits and consultants for private
information of all sorts, including healthcare info.

~~~
auspex
There is HIPPA

~~~
dragonwriter
No, there's HIPAA, but it is actually weaker than lots of people think (in
part because of required regs that the executive branch simply has not
bothered to develop, in part because the regs that do exist have big gaping
escape-from-liability holes in them.)

------
lostmsu
Finally I could see my raw records without going through the bureaucratic
shenanigans.

------
roywiggins
It _sounds_ like these are DICOM servers being exposed to the internet. DICOM
is the standard file format for medical images, and there's also a DICOM
server standard. Medical equipment sends images to DICOM servers so your
ultrasound (or whatever) can be archived and stored in your medical records.
The generic term is a PACS ("Picture Archiving and Communication System") but
since equipment speaks DICOM, they're always(?) DICOM servers.

DICOM servers are often not very secured, so if you allow the internet to talk
to them, you're in for a bad time.
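
The association handshake roywiggins describes above, and the no-password exposure zaroth infers earlier in the thread, as an added example (this is not code from the article or from any commenter): a minimal Python client that sends a DICOM A-ASSOCIATE-RQ proposing the Verification SOP class (the C-ECHO "ping") and classifies the reply. The DICOM Upper Layer handshake carries only Application Entity titles, never a credential, so a PACS that answers A-ASSOCIATE-AC from an internet-facing address is open to anyone who can reach the port. Port 104 is the IANA-registered DICOM port (11112 is the alternate); the AE titles, the implementation class UID and the two `sample_*` replies are placeholders constructed so the parser can be exercised offline.

```python
"""Probe a DICOM server for an association that needs no credentials (added example)."""
import socket
import struct

APP_CONTEXT_UID = "1.2.840.10008.3.1.1.1"    # DICOM Application Context Name
VERIFICATION_SOP_UID = "1.2.840.10008.1.1"  # Verification SOP Class (C-ECHO)
IMPLICIT_VR_LE_UID = "1.2.840.10008.1.2"    # Implicit VR Little Endian
IMPL_CLASS_UID = "1.2.3.4.5.6.7"            # placeholder implementation UID (assumption)

# A-ASSOCIATE-RJ (source, reason) pairs from PS3.8 section 9.3.4 that matter here.
REJECT_REASONS = {
    (1, 1): "no reason given",
    (1, 2): "application context not supported",
    (1, 3): "calling AE title not recognized (AE title is not a secret)",
    (1, 7): "called AE title not recognized (AE title is not a secret)",
    (2, 2): "protocol version not supported",
}

def _item(item_type, payload):
    """DICOM UL item/sub-item: type, reserved byte, 16-bit BE length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload

def build_associate_rq(called_ae, calling_ae, max_pdu=16384):
    """A-ASSOCIATE-RQ (PDU type 0x01) proposing C-ECHO over Implicit VR LE."""
    app_ctx = _item(0x10, APP_CONTEXT_UID.encode())
    pres_ctx = _item(0x20, struct.pack(">BBBB", 1, 0, 0, 0)   # context ID 1 (odd)
                     + _item(0x30, VERIFICATION_SOP_UID.encode())
                     + _item(0x40, IMPLICIT_VR_LE_UID.encode()))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", max_pdu))
                      + _item(0x52, IMPL_CLASS_UID.encode()))
    body = (struct.pack(">HH", 1, 0)              # protocol version 1, reserved
            + called_ae.ljust(16)[:16].encode()   # called AE title, 16 bytes
            + calling_ae.ljust(16)[:16].encode()  # calling AE title, 16 bytes
            + bytes(32)                           # reserved
            + app_ctx + pres_ctx + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body

def classify_response(pdu):
    """Turn the server's first PDU into a (verdict, detail) pair."""
    if len(pdu) < 10:
        return ("no-response", "short or empty read")
    if pdu[0] == 0x02:                            # A-ASSOCIATE-AC
        results, off = [], 74                     # variable items start at byte 75
        while off + 4 <= len(pdu):
            it, _, ilen = struct.unpack(">BBH", pdu[off:off + 4])
            if it == 0x21 and ilen >= 4:          # presentation context AC item
                results.append((pdu[off + 4], pdu[off + 6]))  # (context ID, result)
            off += 4 + ilen
        if any(res == 0 for _, res in results):
            return ("open", "association and C-ECHO context accepted, no credential asked")
        return ("association-accepted", "accepted but C-ECHO context refused: %r" % results)
    if pdu[0] == 0x03:                            # A-ASSOCIATE-RJ
        result, source, reason = pdu[7], pdu[8], pdu[9]
        why = REJECT_REASONS.get((source, reason), "unspecified")
        return ("rejected", "%s (result=%d source=%d reason=%d)" % (why, result, source, reason))
    if pdu[0] == 0x07:                            # A-ABORT
        return ("aborted", "source=%d reason=%d" % (pdu[8], pdu[9]))
    return ("unknown", "PDU type 0x%02x" % pdu[0])

def _recv_exact(sock, n):
    """Read exactly n bytes or raise; DICOM PDUs are length-prefixed."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-PDU")
        buf += chunk
    return buf

def probe(host, port=104, called_ae="ANY-SCP", calling_ae="ECHOSCU", timeout=5.0):
    """Connect, send A-ASSOCIATE-RQ, classify the reply, then release politely."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_associate_rq(called_ae, calling_ae))
        head = _recv_exact(s, 6)
        pdu = head + _recv_exact(s, struct.unpack(">I", head[2:6])[0])
        if pdu[0] == 0x02:
            s.sendall(struct.pack(">BBI", 0x05, 0, 4) + bytes(4))  # A-RELEASE-RQ
        return classify_response(pdu)

def sample_associate_ac(pres_result=0):
    """Constructed A-ASSOCIATE-AC (not a capture) so the parser runs offline."""
    pres_ac = _item(0x21, struct.pack(">BBBB", 1, 0, pres_result, 0)
                    + _item(0x40, IMPLICIT_VR_LE_UID.encode()))
    body = (struct.pack(">HH", 1, 0) + bytes(64)   # version, then 64 reserved bytes
            + _item(0x10, APP_CONTEXT_UID.encode()) + pres_ac
            + _item(0x50, _item(0x51, struct.pack(">I", 16384))))
    return struct.pack(">BBI", 0x02, 0, len(body)) + body

def sample_associate_rj():
    """Constructed A-ASSOCIATE-RJ: permanent, service-user, called AE not recognized."""
    return struct.pack(">BBIBBBB", 0x03, 0, 4, 0, 1, 1, 7)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 104))
```

Run it against your own PACS from outside the firewall (`python dicom_probe.py <host> [port]`). An `open` verdict is the situation the article describes. A `rejected` verdict that cites an AE title is not authentication either: AE titles are at most 16 characters, commonly left at vendor defaults, and sent in the clear, so the only real fix is the VPN or IP allow-list the later comments mention.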

~~~
taborj
Most of the DICOM providers I've worked with assume that the clinic will be
handling security, as the images are stored on a local DICOM server, though
lately there's been much more emphasis on setting up a VPN between the clinic
and the PACS/DICOM provider's cloud-based system.

~~~
roywiggins
It makes sense. You can't exactly update DICOM clients easily so really
there's no universe where the data should be passing over the internet without
wrapping it all in a VPN. There's not much point in trying to secure it since
that might just encourage people to expose it to the internet...

------
rainyMammoth
Nothing scares me more than my medical records on the internet. I have close to
zero confidence in any of the hospitals or medical companies to implement
their IT securely.

~~~
earthboundkid
I've met people whose job is to put honeypots on hospital networks to detect
ransomware installation attempts. They supposedly have a very short response
time SLA, like "if there's bad network activity, we will call your
administrator within 5 minutes." It's interesting that job exists, since the
ransomware mostly uses old exploits that shoulda been patched anyway.
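
The decoy listeners earthboundkid describes, as an added example (not code from the article or from any commenter): a low-interaction TCP honeypot in Python. It binds ports that no legitimate client on a hospital segment should ever connect to on this particular host, treats every connection as an alert, and fingerprints the first bytes so a responder can tell an SMB scan from an RDP probe or a stray DICOM association. The port-to-service map, the alert fields and the sample bytes in the test are constructed; wiring `on_alert` to a pager or SIEM is left to the deployment.

```python
"""Low-interaction decoy listener (added example): any connection is an alert."""
import datetime
import socket
import threading

# Ports to impersonate on the decoy host. Assumption: nothing legitimate talks to them here.
DECOY_PORTS = {445: "smb", 3389: "rdp", 104: "dicom"}

def fingerprint(first_bytes):
    """Name the protocol from the first bytes a client sends, if recognisable."""
    if first_bytes[4:8] in (b"\xffSMB", b"\xfeSMB"):   # NetBIOS header + SMB1/SMB2 magic
        return "smb-negotiate"
    if first_bytes[:2] == b"\x03\x00":                  # TPKT header, RDP X.224 connect
        return "rdp-x224-connect"
    if first_bytes[:2] == b"\x01\x00":                  # DICOM A-ASSOCIATE-RQ
        return "dicom-associate-rq"
    if not first_bytes:
        return "connect-only"                           # port scan or banner grab
    return "unknown"

def build_alert(data, peer, local_port):
    """Alert record for one connection; pure function so it can be checked offline."""
    fp = fingerprint(data)
    return {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "decoy_port": local_port,
        "decoy_service": DECOY_PORTS.get(local_port, "generic"),
        "fingerprint": fp,
        "preview_hex": data[:32].hex(),
        # A client that actually speaks a protocol at a decoy is worse than a bare SYN.
        "severity": "medium" if fp == "connect-only" else "high",
    }

def handle_connection(conn, peer, local_port, read_timeout=2.0):
    """Read what the client sends first (if anything), then build the alert."""
    conn.settimeout(read_timeout)
    try:
        data = conn.recv(512)
    except (socket.timeout, ConnectionError):
        data = b""
    return build_alert(data, peer, local_port)

def serve(port, on_alert, bind_addr="0.0.0.0"):
    """Accept connections on one decoy port forever, passing each alert to on_alert."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        with conn:
            on_alert(handle_connection(conn, peer, port))

def run_all(on_alert):
    """One thread per decoy port; block until interrupted."""
    for port in DECOY_PORTS:
        threading.Thread(target=serve, args=(port, on_alert), daemon=True).start()
    threading.Event().wait()

if __name__ == "__main__":
    import json
    run_all(lambda alert: print(json.dumps(alert), flush=True))
```

Binding 445 or 104 needs root or `CAP_NET_BIND_SERVICE`; run it on a host that carries no real service and nobody has a reason to touch, so that the false-positive rate is essentially the rate at which administrators fat-finger an address. The short SLA the comment mentions is only achievable because the alert needs no triage: the decoy has no users.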

~~~
aperrien
One of the problems is that many of the medical devices on hospital networks
have badly outdated software, that runs proprietary applications. There should
be a better job done by vendors to clean that up, but no-one seems interested
in supporting this once the sale is made.

Sometimes the IT staff simply have their hands tied, and network isolation is
the best they can do, at least for medical devices.

Billing and file sharing vendors should on the other hand have active
maintenance contracts to prevent exactly this.

~~~
taborj
> There should be a better job done by vendors to clean that up, but no-one
> seems interested in supporting this once the sale is made.

Working in healthcare IT (and I should note this is my personal opinion
_only_), it's actually a little more complicated than that. Healthcare software
vendors are generally building their software to meet certain certifications
(because the clinics are demanding that), as well as fixing security/patient
safety issues, and lastly adding in features the clinics want.

The problem comes in that not every clinic cares about the certifications, and
the software they have "works fine." So there's no incentive to upgrade to a
newer version that has security fixes.

It's important to remember that, with a few exceptions, doctors are not IT,
and many clinics are small enough that they outsource their IT. If that IT
group doesn't force the clinics to upgrade, the clinic will continue using the
version that does what they want, as long as it isn't obviously broken.

Clinics are generally risk-averse, which in many cases is the correct mindset.
Unfortunately, that affects their perception of the benefits of updated
software.

------
jkao-propublica
Hey folks -- Jeff Kao at ProPublica here.

What was most frustrating to me while reporting this story was that a
researcher had written about this exact problem (after scanning IPv4 for the
port) back in 2016. HIPAA is one of the only federal data privacy laws w/
teeth, and this type of obvious insecurity is pretty inexcusable.

Thanks for reading. If you think there's something we should look into, we'd
love to hear about it. :-)

P.S. As a fast.ai student -- thanks Jeremy for posting!

------
LinuxBender
If my images are on the internet, then I expect crowd-sourcing of doctors and
scientists to tell me everything that is breaking / broken in my body. ;-)

------
olliej
Sooo HIPAA lawsuits anybody?

------
catacombs
I'm shocked Jeff Larson is back at ProPublica after the debacle he and Sue
Gardner caused by removing Julia Angwin as editor in chief at The Markup
earlier this year.

I'm guessing he might be freelancing or contracting, but he does have a
ProPublica staff page.

I'd love for anyone with knowledge about this to chime in.

