back to article 45 million medical scans from hospitals all over the world left exposed online for anyone to view – some servers were laced with malware

Two thousand servers containing 45 million images of X-rays and other medical scans were left online during the course of the past twelve months, freely accessible by anyone, with no security protections at all. Or so says research by CybelAngel, which sells a Digital Risk Protection Platform. Not only was the sensitive …

  1. N2

    quelle surprise?

    The incompetence of it all beggars belief.

    1. Gene Cash Silver badge

      Re: quelle surprise?

      Well, most all of the doctors I've met absolutely despise all technology, including computers.

      I get the impression they'd be happy with a bottle of leeches and a candle.

      1. Santa from Exeter
        FAIL

        Re: quelle surprise? @Gene Cash

        I would suggest you change your doctors then.

        Most of the ones I know are at least au fait with the technology they use day to day and many actually love it as it maked their job easier.

        There again, maybe I just know *competent* doctors

        1. Kefik

          Re: quelle surprise? @Gene Cash

          "Most of the ones I know are at least au fait with the technology"

          You're bloody right. Some are even checking their mail while you are on the operating table.

        2. N2

          Re: quelle surprise? @Gene Cash

          I would suggest you change your doctors then.

          No thanks, perhaps we are alone in that we know competent doctors and whilst mine speaks with a funny accent, I get to manage my own records.

        3. Grease Monkey Silver badge

          Re: quelle surprise? @Santa From Exeter

          Doctors have little to do with this. Clinical staff just use the tools, they don't design them or manage the servers. As ever this is down to incompetence at the management level.

      2. Anonymous Coward
        Anonymous Coward

        Re: quelle surprise?

        My experience is they love tech but hate security as it's inconvenient.

      3. Anonymous Coward
        Anonymous Coward

        Re: quelle surprise?

        My daughter, a Hospital Doctor, says that most Consultants have to take a Doctor on the ward rounds to access the data and to type in the treatment updates. They were much happier when they could scribble illegibly on paper at the foot of the bed, although many wouldn't even lower themselves to that!

        1. Imhotep

          Re: quelle surprise?

          My last visit to the doctor had a white coated individual typing away on a tablet during the consult. I asked her if she was student or intern, but no: she said she was a scribe. She was doing the paperwork so the doctor could 'doctor'.

          I was pleased to see the scribes are making a combat. Been slim pickings for them the past millenium or so.

          1. parlei

            Re: quelle surprise?

            A surprising amount of time is wasted on barely-fit-for-purpose digital medical record systems. If the expensive MD can repurpose the time otherwise spent doing battle with such systems by having "scribes" employed then that should be a win for everyone.

          2. AMBxx Silver badge

            Re: quelle surprise?

            I wish my wife's consultant had a scribe. He types one fingered and scans the whole keyboard. It's hard for me not to just push him out the way and do his typing. Maybe that's his plan? Bit like loading the dishwasher badly or making crap tea.

      4. Anonymous Coward
        Anonymous Coward

        Re: quelle surprise?

        Where do you live?

      5. Imhotep

        Re: quelle surprise?

        It's not doctors that set these systems up. It's the IT staff and vendors and having worked in IT for large American healthcare providers, I'm not surprised by these findings.

      6. Tony W

        Re: quelle surprise?

        Doctors are not employed as IT consultants. And I see no evidence that these leaks are the fault of doctors.

        1. Anonymous Coward
          Anonymous Coward

          Re: quelle surprise?

          This is supply chain issue most likely, services demanding to use X supplier externally and the health trusts only being able to do so much in terms of checking, legal agreements etc.

          Bottom line is when you outsource reviewing this sort of data there's always going to be a risk of poorly managed storage etc. It's why I hate it when we do it, which we increasingly do..

  2. hoola Silver badge

    Who is at fault?

    This is not the fault of the medical professionals but the IT teams that support them coupled with the incompetent layers of management that inhabit every NHS trust. The underlying problem is that in the rush to provide diagnostic material online or across different Health Authorities basic security principals appear to have been abandoned. Doctors often have all sorts of convoluted steps to be able to login to systems to provide secure access but it is becoming increasingly common for the source to be as secure as a sieve.

    You can put as much MFA, VPN and whatever you like between the consumer of the material and the system in the hospital but it the raw data is directly accessible it is a smokescreen.

    1. Kefik

      Re: Who is at fault?

      Naturally it is only at the front-end where security is beefed up. Your back-end penetrability is their business model.

      1. Anonymous Coward
        Anonymous Coward

        Re: Who is at fault?

        Your back-end penetrability is their business model.

        No, that's the BBC

      2. TonyR
        WTF?

        Re: Who is at fault?

        You have been watching too much Billy Connelly.

        https://vimeo.com/24340828

      3. JeffB
        Paris Hilton

        Re: Who is at fault?

        Back-end penetrability... Fnar, fnar!!

    2. Anonymous Coward
      Anonymous Coward

      Re: Who is at fault?

      My Hospital Doctor daughter counted it one day. 49 times she had to log into one system or another, and that's 7 different logins - no wonder they use the same password across all the systems!

      Until 2 months into Covid they were still having to carry personal phones around all day for the 2FA - scrubs do not have pockets!

      Things actually changed when the IT Manager caught Covid - yes, they dispensed with the 2FA on personal phones!

      Anonymous for hopefully obvious reasons

      1. Anonymous Coward
        Anonymous Coward

        Re: Who is at fault?

        @"49 times she had to log into one system or another, and that's 7 different logins - no wonder they use the same password across all the systems!"

        Passwords have repeatedly proven useless for security, they should have a authentication cards that logged them in based upon what they were permitted to see but regardless maintaining security is part of their jobs and you can bet they knew they were not supposed to reuse passwords.

        My thinking is that this is just another intentional release of medical data for personal profit by those charged with it's protection.

        Now there are companies set up just to harvest data for resale, that they are willing to pay for access and data is leaked cannot be seen as being a coincidence.

        I used to work for a company that was once part of the NHS, it had rooms filled with medical records to the ceilling that were stored there back when it was still NHS, reading other peoples medical histories was break time entertainment for anyone who was bored non of which were NHS employees. The rooms were not even locked and no one cared even when told what was happening, thus data security and confidentiality has never in my experience been a priority in the NHS .

        1. Intractable Potsherd

          Re: Who is at fault?

          "... they should have a authentication cards that logged them in based upon what they were permitted to see ..."

          At least some if the wards at my local hospital have this system. Three or four years ago, I was a patient on one of those wards, in the bed closest to the doctors' station. Four junior doctors logging in at the same time - one says to the others" Can you log me in? I don't know where my card is." One of them duly did. The look on their faces when I said, "Hello, remember me? I taught you medical law and ethics" was priceless. They knew what they had done was wrong, but, as it was explained to me by the one who had mislaid their card, to report it would mean disciplinary proceedings, and it didn't solve the problem of not having their card. They had also rung their flat-mate to bring the card in.

    3. Tom Paine

      Re: Who is at fault?

      I may be reading too much between the lines, but these don't sound like leaks from the mainstream NHS.

    4. Michael Wojcik Silver badge

      Re: Who is at fault?

      According to the article, ~23K UK records, of ~45M worldwide. I don't think you can blame the NHS for more than about 2.5% of the problem at most.

      It's the same issue we've seen with other industries and data domains: long-standing common practices that did not include any real attention to security. It's systemic, not specific.

      Also, take note of the comment about "automated scripts". This is why we'll always have ransomware, mining ware, spam, etc: even if these types of common IT abuse become no longer economically viable, there are large bot armies running on compromised systems which are busy finding and infecting vulnerable targets, without any significant human supervision. We've created an industry that attacks itself automatically.

      (Of course, a number of other industries are not free of such revenge effects - take, for example, the breeding of "superbugs" in hospitals. But in IT we've really grabbed the brass ring on this one. There are already mostly-automated systems for identifying new vulnerabilities and constructing exploits for them, and those will only get better.)

  3. Blazde Silver badge
    Meh

    Some ol' fashioned Naming and Shaming would be nice..

    ..otherwise what does Joe Public do with this info? (Aside from applying for a job at CybelAngel of course)

  4. Winkypop Silver badge
    Coat

    X-rays and other medical scans were left online

    Why did it take so long to see though the problem?

    --> Not a lab coat

  5. Neil Barnes Silver badge
    Coat

    each Application Entity must insure that their own local environment is secure

    And that's the problem right there. They insured it, when they should have ensured it...

    The one with the sheaf of policy documents in the pocket --->

  6. MadAsHell

    Security model is upside down so they can't implement SSO

    There are some interesting and valid comments here. Yes, the number of logins required to pull together all of the imaging for a given patient can be a real PITA, hence why busy docs in overloaded clinics hate the login process. Answer, you say, a SSO.

    But since the idiots in DoH/DHSC (and HMRC) went 'digital' they've turned the security model upside down. Back in the day, your medical notes and silver-based imaging were physical, tangible entities. Difficult to find (because no-one in the DoH had heard of barcodes in the 1990s, except us) but impossible to snoop. No idle trawling through some remote DB, thinking 'I wonder if Matt Hancock's syphilis test result is back yet?' Same with tax records: it was policy that your tax office was the other end of the country to where you worked and lived. No social engineering there either.

    Skip forward and *all* tax records are on a single system and every HMRC call centre operative can pull up John Smith's tax records. Except that HMRC realised this might be an issue: there's an entirely separate tax record system for MPs/celebs and VIPs! No browsing through the declared tax from the nomenclatura/friends of Gov with their snouts in the PPE trough.

    But in Health Care, ALL records are on line, belonging to each Trust. So imagine the impact of a single-sign-on solution across the NHS. Any GP's receptionist could idly trawl through anyone's health care records. Given how many warranted coppers and civilian workers are disciplined or fired each year for inappropriate access to the PNC (hint: El Reg article 11th Nov 2019 - about 1 every 3 days), imagine the leaks from all of those juicy WAGS and COVIDiot browsing sessions.

    Shudder!

    1. TimMaher Silver badge
      Facepalm

      Re: Security model is upside down so they can't implement SSO

      I doubt if Hancock would be lucky enough to get syphilis.

      1. Anonymous Coward
        Anonymous Coward

        Re: Security model is upside down so they can't implement SSO

        It’s more likely the syphilis would want to be tested for Hancock.

    2. EnviableOne

      Re: Security model is upside down so they can't implement SSO

      NHS records are not online, the only things that are available across the entire NHS (if you can say such a thing still exists) are the Summary care record (which you can opt out of) and the demographic data linked to your NHS Number.

      The actual detail of your record is maintained in a miriad of diferent systems, that are generally completley incompatable with each other,) held and operated by GPs, Hospitals, Community Teams, Support Units and other entities that you deal with and the transfer of which is covered by a miriad of controller/processor and controller/controller agreements.

      The majority of your information is stored in your GP record, and this gets shuttled around the country when you move doctors or a specialist needs the detail.

      This information is dicom images. these are ultrasounds, xrays, cts etc they are transfered in a common format, which is constantly maintained and updated, the current version 2020d, there are usually 5 a year, its even has an ISO Standard 12052.

      As with all standards, the majority of issues are not with the actual standard, but its implementation.

      This specific incident is more down to an imaging system and vendor implementation. Normally if these are stored in the cloud the demographics are stripped from the images before they leave the organisation and replaced with a unique reference.

    3. Stuart Moore

      Re: Security model is upside down so they can't implement SSO

      Single sign on doesn't mean giving everyone access to everyone's records. It means that you have one authentication, which then gives you access to the things you have the right to access, whatever system they're in.

      Working out what you have a right to access becomes more complicated, but it isn't impossible. One solution I heard is that every access should be audited and the patient themselves can review, along with reviews of suspicious events (e.g. doctors receptionist getting records of someone not registered at the surgery - there are valid reasons - emergency appointment when visiting relatives - but if one receptionist goes outside the statistical norms you can ask them what's going on).

      This is a complex problem to solve, and making things too secure could end up with the patient getting incorrect treatment. However we should be honest about what the problem is.

  7. Anonymous Coward
    Anonymous Coward

    I hope they enpoy

    The beauty of my intestines...

    1. chivo243 Silver badge
      Unhappy

      Re: I hope they enpoy

      And my root canal...

    2. Imhotep

      Re: I hope they enpoy

      Perhaps they could answer some questions about my prostate.

  8. Anonymous Coward
    Anonymous Coward

    Leaky S3 buckets is one thing, but...

    Even a specialist firm "advertising a paid service to securely host and manage DICOM images" was leaking around 500,000 files online because nobody had thought to secure its Network File System (NFS) on port 2049, Cybelangel found.

    Fer reals?! This would have been embarrassing in 1995. How is that even possible? They have firewalls, surely?

    Meanwhile after 20y in security I'm unemployed, mostly because I'm burned out by being caught between crap like that, and management who could't care less :)

    1. Anonymous Coward
      Anonymous Coward

      Re: Leaky S3 buckets is one thing, but...

      The budget goes to management and direct costs, not to fripperies like IT security! Seen that before.

  9. Anonymous Coward
    Anonymous Coward

    We can use for AI training

    It can improve diagnosis of certain fractures and diseases by a lot on a sample that size. Since it is all there already....why not...

  10. scrubber

    Pride of the nation

    Sure am glad the NHS protects our records and would never leave them on trains, resold IT equipment, unprotected websites, never mind straight up sell them without our permission, consent or compensation to foreign companies with no restrictions on what they do with it.

    Can I go on my balcony and clap these clowns like the performing seal the government wants me to be?

  11. spold Silver badge

    Not just images and metadata...

    Many DI systems have free-text annotation fields that doctors may use...

    "This is an image of Meg's broken leg, after her husband Bob pushed her down the stairs".

  12. Anonymous Coward
    Anonymous Coward

    I think I can see the root cause here. Or rather causes.

    One will probably be old tech that was probably never intended to be connected to the internet, which managers have decided would be great if they just connected it to the internet. The IT department will haves then been duly instructed.

    The other is procurement managers buying products and just assuming that the vendor will have made them secure, then these will then be passed on to IT departments to deploy.

    In other words the root cause is management.

    In both cases I wouldn't be surprised to find an email trail with IT staff telling management that the deployments are not secure and managers telling these IT staff to shut up and get on with it. This is often worse where IT has been outsourced as the message from the grunts on the ground floor one reason or another may never reach the client.

    I once worked for a large organization which had clear policies and procedures for raising security concerns. I soon found that this didn't make anything more secure, all it meant was that there was a better paper trail when it came to playing the blame game (obviously I mean carrying out post incident reviews). As somewhere up the chain any concerns would be overridden by bean counters or senior managers who just wanted three project in on time and in budget.

    OK so for those of us working on three ground it meant protection as the paper chain would almost always incriminate some manager, but it didn't prevent huge holes in security being created.

  13. DevOpsTimothyC

    23,000 images of UK patients

    So did CybelAngel report any of exposed information to the ICO or any other government data protection agency (in other countries) who are suppose to do something about it?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like