45 million medical scans from hospitals all over the world left exposed online for anyone to view – some servers were laced with malware

Two thousand servers containing 45 million images of X-rays and other medical scans were left online during the course of the past twelve months, freely accessible by anyone, with no security protections at all. Or so says research by CybelAngel, which sells a Digital Risk Protection Platform. Not only was the sensitive …

  1. N2

    quelle surprise?

    The incompetence of it all beggars belief.

    1. Gene Cash Silver badge

      Re: quelle surprise?

      Well, most all of the doctors I've met absolutely despise all technology, including computers.

      I get the impression they'd be happy with a bottle of leeches and a candle.

      1. Santa from Exeter
        FAIL

        Re: quelle surprise? @Gene Cash

        I would suggest you change your doctors then.

        Most of the ones I know are at least au fait with the technology they use day to day and many actually love it as it makes their job easier.

        There again, maybe I just know *competent* doctors

        1. Kefik

          Re: quelle surprise? @Gene Cash

          "Most of the ones I know are at least au fait with the technology"

          You're bloody right. Some are even checking their mail while you are on the operating table.

        2. N2

          Re: quelle surprise? @Gene Cash

          I would suggest you change your doctors then.

          No thanks, perhaps we are alone in that we know competent doctors and whilst mine speaks with a funny accent, I get to manage my own records.

        3. Grease Monkey Silver badge

          Re: quelle surprise? @Santa From Exeter

          Doctors have little to do with this. Clinical staff just use the tools, they don't design them or manage the servers. As ever this is down to incompetence at the management level.

      2. Anonymous Coward

        Re: quelle surprise?

        My experience is they love tech but hate security as it's inconvenient.

      3. Anonymous Coward

        Re: quelle surprise?

        My daughter, a Hospital Doctor, says that most Consultants have to take a Doctor on the ward rounds to access the data and to type in the treatment updates. They were much happier when they could scribble illegibly on paper at the foot of the bed, although many wouldn't even lower themselves to that!

        1. Imhotep Silver badge

          Re: quelle surprise?

          My last visit to the doctor had a white coated individual typing away on a tablet during the consult. I asked her if she was student or intern, but no: she said she was a scribe. She was doing the paperwork so the doctor could 'doctor'.

          I was pleased to see the scribes are making a comeback. Been slim pickings for them the past millennium or so.

          1. parlei

            Re: quelle surprise?

            A surprising amount of time is wasted on barely-fit-for-purpose digital medical record systems. If the expensive MD can repurpose the time otherwise spent doing battle with such systems by having "scribes" employed then that should be a win for everyone.

          2. AMBxx Silver badge

            Re: quelle surprise?

            I wish my wife's consultant had a scribe. He types one fingered and scans the whole keyboard. It's hard for me not to just push him out the way and do his typing. Maybe that's his plan? Bit like loading the dishwasher badly or making crap tea.

      4. Anonymous Coward

        Re: quelle surprise?

        Where do you live?

      5. Imhotep Silver badge

        Re: quelle surprise?

        It's not doctors that set these systems up. It's the IT staff and vendors and having worked in IT for large American healthcare providers, I'm not surprised by these findings.

      6. Tony W

        Re: quelle surprise?

        Doctors are not employed as IT consultants. And I see no evidence that these leaks are the fault of doctors.

        1. Anonymous Coward

          Re: quelle surprise?

          This is a supply chain issue most likely, services demanding to use X supplier externally and the health trusts only being able to do so much in terms of checking, legal agreements etc.

          Bottom line is when you outsource reviewing this sort of data there's always going to be a risk of poorly managed storage etc. It's why I hate it when we do it, which we increasingly do..

  2. hoola Silver badge

    Who is at fault?

    This is not the fault of the medical professionals but the IT teams that support them coupled with the incompetent layers of management that inhabit every NHS trust. The underlying problem is that in the rush to provide diagnostic material online or across different Health Authorities basic security principles appear to have been abandoned. Doctors often have all sorts of convoluted steps to be able to login to systems to provide secure access but it is becoming increasingly common for the source to be as secure as a sieve.

    You can put as much MFA, VPN and whatever you like between the consumer of the material and the system in the hospital but if the raw data is directly accessible it is a smokescreen.

    1. Kefik

      Re: Who is at fault?

      Naturally it is only at the front-end where security is beefed up. Your back-end penetrability is their business model.

      1. Anonymous Coward

        Re: Who is at fault?

        Your back-end penetrability is their business model.

        No, that's the BBC

      2. TonyR
        WTF?

        Re: Who is at fault?

        You have been watching too much Billy Connolly.

        https://vimeo.com/24340828

      3. JeffB
        Paris Hilton

        Re: Who is at fault?

        Back-end penetrability... Fnar, fnar!!

    2. Anonymous Coward

      Re: Who is at fault?

      My Hospital Doctor daughter counted it one day. 49 times she had to log into one system or another, and that's 7 different logins - no wonder they use the same password across all the systems!

      Until 2 months into Covid they were still having to carry personal phones around all day for the 2FA - scrubs do not have pockets!

      Things actually changed when the IT Manager caught Covid - yes, they dispensed with the 2FA on personal phones!

      Anonymous for hopefully obvious reasons

      1. Anonymous Coward

        Re: Who is at fault?

        @"49 times she had to log into one system or another, and that's 7 different logins - no wonder they use the same password across all the systems!"

        Passwords have repeatedly proven useless for security, they should have authentication cards that logged them in based upon what they were permitted to see but regardless maintaining security is part of their jobs and you can bet they knew they were not supposed to reuse passwords.

        My thinking is that this is just another intentional release of medical data for personal profit by those charged with its protection.

        Now there are companies set up just to harvest data for resale, that they are willing to pay for access and data is leaked cannot be seen as being a coincidence.

        I used to work for a company that was once part of the NHS, it had rooms filled with medical records to the ceiling that were stored there back when it was still NHS, reading other people's medical histories was break time entertainment for anyone who was bored, none of whom were NHS employees. The rooms were not even locked and no one cared even when told what was happening, thus data security and confidentiality has never in my experience been a priority in the NHS.

        1. Intractable Potsherd

          Re: Who is at fault?

          "... they should have authentication cards that logged them in based upon what they were permitted to see ..."

          At least some of the wards at my local hospital have this system. Three or four years ago, I was a patient on one of those wards, in the bed closest to the doctors' station. Four junior doctors logging in at the same time - one says to the others, "Can you log me in? I don't know where my card is." One of them duly did. The look on their faces when I said, "Hello, remember me? I taught you medical law and ethics" was priceless. They knew what they had done was wrong, but, as it was explained to me by the one who had mislaid their card, to report it would mean disciplinary proceedings, and it didn't solve the problem of not having their card. They had also rung their flat-mate to bring the card in.

    3. Tom Paine

      Re: Who is at fault?

      I may be reading too much between the lines, but these don't sound like leaks from the mainstream NHS.

    4. Michael Wojcik Silver badge

      Re: Who is at fault?

      According to the article, ~23K UK records, of ~45M worldwide. I don't think you can blame the NHS for more than about 2.5% of the problem at most.

      It's the same issue we've seen with other industries and data domains: long-standing common practices that did not include any real attention to security. It's systemic, not specific.

      Also, take note of the comment about "automated scripts". This is why we'll always have ransomware, mining ware, spam, etc: even if these types of common IT abuse become no longer economically viable, there are large bot armies running on compromised systems which are busy finding and infecting vulnerable targets, without any significant human supervision. We've created an industry that attacks itself automatically.

      (Of course, a number of other industries are not free of such revenge effects - take, for example, the breeding of "superbugs" in hospitals. But in IT we've really grabbed the brass ring on this one. There are already mostly-automated systems for identifying new vulnerabilities and constructing exploits for them, and those will only get better.)

  3. Blazde
    Meh

    Some ol' fashioned Naming and Shaming would be nice..

    ..otherwise what does Joe Public do with this info? (Aside from applying for a job at CybelAngel of course)

  4. Winkypop Silver badge
    Coat

    X-rays and other medical scans were left online

    Why did it take so long to see through the problem?

    --> Not a lab coat

  5. Neil Barnes Silver badge
    Coat

    each Application Entity must insure that their own local environment is secure

    And that's the problem right there. They insured it, when they should have ensured it...

    The one with the sheaf of policy documents in the pocket --->

  6. MadAsHell

    Security model is upside down so they can't implement SSO

    There are some interesting and valid comments here. Yes, the number of logins required to pull together all of the imaging for a given patient can be a real PITA, hence why busy docs in overloaded clinics hate the login process. Answer, you say, a SSO.

    But since the idiots in DoH/DHSC (and HMRC) went 'digital' they've turned the security model upside down. Back in the day, your medical notes and silver-based imaging were physical, tangible entities. Difficult to find (because no-one in the DoH had heard of barcodes in the 1990s, except us) but impossible to snoop. No idle trawling through some remote DB, thinking 'I wonder if Matt Hancock's syphilis test result is back yet?' Same with tax records: it was policy that your tax office was the other end of the country to where you worked and lived. No social engineering there either.

    Skip forward and *all* tax records are on a single system and every HMRC call centre operative can pull up John Smith's tax records. Except that HMRC realised this might be an issue: there's an entirely separate tax record system for MPs/celebs and VIPs! No browsing through the declared tax from the nomenklatura/friends of Gov with their snouts in the PPE trough.

    But in Health Care, ALL records are on line, belonging to each Trust. So imagine the impact of a single-sign-on solution across the NHS. Any GP's receptionist could idly trawl through anyone's health care records. Given how many warranted coppers and civilian workers are disciplined or fired each year for inappropriate access to the PNC (hint: El Reg article 11th Nov 2019 - about 1 every 3 days), imagine the leaks from all of those juicy WAGS and COVIDiot browsing sessions.

    Shudder!

    1. TimMaher Silver badge
      Facepalm

      Re: Security model is upside down so they can't implement SSO

      I doubt if Hancock would be lucky enough to get syphilis.

      1. Anonymous Coward

        Re: Security model is upside down so they can't implement SSO

        It’s more likely the syphilis would want to be tested for Hancock.

    2. EnviableOne Silver badge

      Re: Security model is upside down so they can't implement SSO

      NHS records are not online, the only things that are available across the entire NHS (if you can say such a thing still exists) are the Summary care record (which you can opt out of) and the demographic data linked to your NHS Number.

      The actual detail of your record is maintained in a myriad of different systems, that are generally completely incompatible with each other, held and operated by GPs, Hospitals, Community Teams, Support Units and other entities that you deal with, and the transfer of which is covered by a myriad of controller/processor and controller/controller agreements.

      The majority of your information is stored in your GP record, and this gets shuttled around the country when you move doctors or a specialist needs the detail.

      This information is DICOM images. These are ultrasounds, X-rays, CTs etc. They are transferred in a common format, which is constantly maintained and updated, the current version being 2020d (there are usually 5 a year); it even has an ISO standard, 12052.

      As with all standards, the majority of issues are not with the actual standard, but its implementation.

      This specific incident is more down to an imaging system and vendor implementation. Normally if these are stored in the cloud the demographics are stripped from the images before they leave the organisation and replaced with a unique reference.

    3. Stuart Moore

      Re: Security model is upside down so they can't implement SSO

      Single sign on doesn't mean giving everyone access to everyone's records. It means that you have one authentication, which then gives you access to the things you have the right to access, whatever system they're in.

      Working out what you have a right to access becomes more complicated, but it isn't impossible. One solution I heard is that every access should be audited and the patient themselves can review, along with reviews of suspicious events (e.g. doctors receptionist getting records of someone not registered at the surgery - there are valid reasons - emergency appointment when visiting relatives - but if one receptionist goes outside the statistical norms you can ask them what's going on).

      This is a complex problem to solve, and making things too secure could end up with the patient getting incorrect treatment. However we should be honest about what the problem is.
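The audit-and-review model described above, as an added example (not code from the post or from any NHS system): every access is logged, a patient can see who looked at their record and why, and a receptionist whose rate of "patients registered elsewhere" lookups is far outside the norm of their peers is flagged for a human to ask what is going on. The log format, practice ids, reason codes and the z-score threshold are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit log (not from any real system). Columns:
# timestamp  user  role  user's practice  patient id  patient's practice  reason
AUDIT_LOG = """\
2020-12-15T08:01 alice receptionist P01 pt100 P01 appointment
2020-12-15T08:05 alice receptionist P01 pt101 P01 appointment
2020-12-15T08:12 alice receptionist P01 pt102 P01 prescription
2020-12-15T08:20 alice receptionist P01 pt103 P01 appointment
2020-12-15T09:01 bob   receptionist P02 pt200 P02 appointment
2020-12-15T09:04 bob   receptionist P02 pt201 P02 appointment
2020-12-15T09:10 bob   receptionist P02 pt300 P03 emergency
2020-12-15T09:15 bob   receptionist P02 pt202 P02 referral
2020-12-15T10:02 carol receptionist P03 pt300 P03 appointment
2020-12-15T10:06 carol receptionist P03 pt301 P03 appointment
2020-12-15T10:09 carol receptionist P03 pt302 P03 prescription
2020-12-15T10:30 carol receptionist P03 pt303 P03 appointment
2020-12-15T11:00 dave  receptionist P01 pt100 P01 appointment
2020-12-15T11:03 dave  receptionist P01 pt201 P02 none
2020-12-15T11:04 dave  receptionist P01 pt301 P03 none
2020-12-15T11:06 dave  receptionist P01 pt302 P03 none
2020-12-15T12:00 erin  doctor       P01 pt300 P03 referral
"""


def parse_log(text):
    """Parse the whitespace-separated audit lines into dicts."""
    fields = ("ts", "user", "role", "user_practice", "patient", "patient_practice", "reason")
    return [dict(zip(fields, line.split())) for line in text.splitlines() if line.strip()]


def out_of_practice_rates(events, role):
    """Per-user fraction of lookups of patients registered at another practice,
    restricted to one role so that peers are compared with peers."""
    total, outside = defaultdict(int), defaultdict(int)
    for e in events:
        if e["role"] != role:
            continue
        total[e["user"]] += 1
        if e["user_practice"] != e["patient_practice"]:
            outside[e["user"]] += 1
    return {u: outside[u] / total[u] for u in total}


def flag_outliers(rates, z=2.0, min_margin=0.1):
    """Flag users whose rate exceeds the mean of their *peers* (leave-one-out,
    so the outlier does not inflate its own baseline) by more than z standard
    deviations. min_margin stops a peer group of identical values from
    flagging every tiny difference. A user with fewer than two peers has no
    baseline and is never flagged; that gap has to be reviewed by hand."""
    flagged = []
    for user, rate in rates.items():
        peers = [r for u, r in rates.items() if u != user]
        if len(peers) < 2:
            continue
        threshold = mean(peers) + max(z * pstdev(peers), min_margin)
        if rate > threshold:
            flagged.append(user)
    return sorted(flagged)


def patient_view(events, patient):
    """What the patient could be shown: who looked at their record, when and why."""
    return [(e["ts"], e["user"], e["reason"]) for e in events if e["patient"] == patient]


if __name__ == "__main__":
    ev = parse_log(AUDIT_LOG)
    rates = out_of_practice_rates(ev, "receptionist")
    for u in flag_outliers(rates):
        print(f"review {u}: {rates[u]:.0%} of lookups were of patients registered elsewhere")
    for ts, who, why in patient_view(ev, "pt300"):
        print(f"pt300 accessed {ts} by {who} ({why})")
```

Bob's single out-of-practice lookup (an emergency) stays within the peer norm and is not flagged; Dave's three reason-less ones are.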

  7. Anonymous Coward

    I hope they enjoy

    The beauty of my intestines...

    1. chivo243 Silver badge
      Unhappy

      Re: I hope they enjoy

      And my root canal...

    2. Imhotep Silver badge

      Re: I hope they enjoy

      Perhaps they could answer some questions about my prostate.

  8. Anonymous Coward

    Leaky S3 buckets is one thing, but...

    Even a specialist firm "advertising a paid service to securely host and manage DICOM images" was leaking around 500,000 files online because nobody had thought to secure its Network File System (NFS) on port 2049, Cybelangel found.

    Fer reals?! This would have been embarrassing in 1995. How is that even possible? They have firewalls, surely?

    Meanwhile after 20y in security I'm unemployed, mostly because I'm burned out by being caught between crap like that, and management who couldn't care less :)

    1. Anonymous Coward

      Re: Leaky S3 buckets is one thing, but...

      The budget goes to management and direct costs, not to fripperies like IT security! Seen that before.

  9. Anonymous Coward

    We can use it for AI training

    It can improve diagnosis of certain fractures and diseases by a lot on a sample that size. Since it is all there already....why not...

  10. scrubber

    Pride of the nation

    Sure am glad the NHS protects our records and would never leave them on trains, resold IT equipment, unprotected websites, never mind straight up sell them without our permission, consent or compensation to foreign companies with no restrictions on what they do with it.

    Can I go on my balcony and clap these clowns like the performing seal the government wants me to be?

  11. spold Silver badge

    Not just images and metadata...

    Many DI systems have free-text annotation fields that doctors may use...

    "This is an image of Meg's broken leg, after her husband Bob pushed her down the stairs".

  12. Anonymous Coward

    I think I can see the root cause here. Or rather causes.

    One will probably be old tech that was probably never intended to be connected to the internet, which managers have decided would be great if they just connected it to the internet. The IT department will then have been duly instructed.

    The other is procurement managers buying products and just assuming that the vendor will have made them secure, then these will then be passed on to IT departments to deploy.

    In other words the root cause is management.

    In both cases I wouldn't be surprised to find an email trail with IT staff telling management that the deployments are not secure and managers telling these IT staff to shut up and get on with it. This is often worse where IT has been outsourced as the message from the grunts on the ground floor one reason or another may never reach the client.

    I once worked for a large organization which had clear policies and procedures for raising security concerns. I soon found that this didn't make anything more secure, all it meant was that there was a better paper trail when it came to playing the blame game (obviously I mean carrying out post incident reviews). As somewhere up the chain any concerns would be overridden by bean counters or senior managers who just wanted the project in on time and in budget.

    OK so for those of us working on the ground it meant protection as the paper chain would almost always incriminate some manager, but it didn't prevent huge holes in security being created.

  13. DevOpsTimothyC Bronze badge

    23,000 images of UK patients

    So did CybelAngel report any of the exposed information to the ICO or any other government data protection agency (in other countries) who are supposed to do something about it?
