45 million medical scans from hospitals all over the world left exposed online for anyone to view – some servers were laced with malware

Two thousand servers containing 45 million images of X-rays and other medical scans were left online during the course of the past twelve months, freely accessible by anyone, with no security protections at all. Or so says research by CybelAngel, which sells a Digital Risk Protection Platform. Not only was the sensitive …

  1. N2

    quelle surprise?

    The incompetence of it all beggars belief.

    1. Gene Cash Silver badge

      Re: quelle surprise?

      Well, most all of the doctors I've met absolutely despise all technology, including computers.

      I get the impression they'd be happy with a bottle of leeches and a candle.

      1. Santa from Exeter
        FAIL

        Re: quelle surprise? @Gene Cash

        I would suggest you change your doctors then.

        Most of the ones I know are at least au fait with the technology they use day to day and many actually love it as it makes their job easier.

        There again, maybe I just know *competent* doctors

        1. Kefik

          Re: quelle surprise? @Gene Cash

          "Most of the ones I know are at least au fait with the technology"

          You're bloody right. Some are even checking their mail while you are on the operating table.

        2. N2

          Re: quelle surprise? @Gene Cash

          I would suggest you change your doctors then.

          No thanks, perhaps we are alone in that we know competent doctors and whilst mine speaks with a funny accent, I get to manage my own records.

        3. Grease Monkey Silver badge

          Re: quelle surprise? @Santa From Exeter

          Doctors have little to do with this. Clinical staff just use the tools, they don't design them or manage the servers. As ever this is down to incompetence at the management level.

      2. Anonymous Coward
        Anonymous Coward

        Re: quelle surprise?

        My experience is they love tech but hate security as it's inconvenient.

      3. Anonymous Coward
        Anonymous Coward

        Re: quelle surprise?

        My daughter, a Hospital Doctor, says that most Consultants have to take a Doctor on the ward rounds to access the data and to type in the treatment updates. They were much happier when they could scribble illegibly on paper at the foot of the bed, although many wouldn't even lower themselves to that!

        1. Imhotep

          Re: quelle surprise?

          My last visit to the doctor had a white coated individual typing away on a tablet during the consult. I asked her if she was student or intern, but no: she said she was a scribe. She was doing the paperwork so the doctor could 'doctor'.

          I was pleased to see the scribes are making a comeback. Been slim pickings for them the past millennium or so.

          1. parlei Bronze badge

            Re: quelle surprise?

            A surprising amount of time is wasted on barely-fit-for-purpose digital medical record systems. If the expensive MD can repurpose the time otherwise spent doing battle with such systems by having "scribes" employed then that should be a win for everyone.

          2. AMBxx Silver badge

            Re: quelle surprise?

            I wish my wife's consultant had a scribe. He types one fingered and scans the whole keyboard. It's hard for me not to just push him out the way and do his typing. Maybe that's his plan? Bit like loading the dishwasher badly or making crap tea.

      4. Anonymous Coward
        Anonymous Coward

        Re: quelle surprise?

        Where do you live?

      5. Imhotep

        Re: quelle surprise?

        It's not doctors that set these systems up. It's the IT staff and vendors and having worked in IT for large American healthcare providers, I'm not surprised by these findings.

      6. Tony W

        Re: quelle surprise?

        Doctors are not employed as IT consultants. And I see no evidence that these leaks are the fault of doctors.

        1. Anonymous Coward
          Anonymous Coward

          Re: quelle surprise?

          This is a supply chain issue most likely, services demanding to use X supplier externally and the health trusts only being able to do so much in terms of checking, legal agreements etc.

          Bottom line is when you outsource reviewing this sort of data there's always going to be a risk of poorly managed storage etc. It's why I hate it when we do it, which we increasingly do..

  2. hoola Silver badge

    Who is at fault?

    This is not the fault of the medical professionals but the IT teams that support them coupled with the incompetent layers of management that inhabit every NHS trust. The underlying problem is that in the rush to provide diagnostic material online or across different Health Authorities basic security principles appear to have been abandoned. Doctors often have all sorts of convoluted steps to be able to login to systems to provide secure access but it is becoming increasingly common for the source to be as secure as a sieve.

    You can put as much MFA, VPN and whatever you like between the consumer of the material and the system in the hospital but if the raw data is directly accessible it is a smokescreen.

    1. Kefik

      Re: Who is at fault?

      Naturally it is only at the front-end where security is beefed up. Your back-end penetrability is their business model.

      1. Anonymous Coward
        Anonymous Coward

        Re: Who is at fault?

        Your back-end penetrability is their business model.

        No, that's the BBC

      2. TonyR
        WTF?

        Re: Who is at fault?

        You have been watching too much Billy Connelly.

        https://vimeo.com/24340828

      3. JeffB
        Paris Hilton

        Re: Who is at fault?

        Back-end penetrability... Fnar, fnar!!

    2. Anonymous Coward
      Anonymous Coward

      Re: Who is at fault?

      My Hospital Doctor daughter counted it one day. 49 times she had to log into one system or another, and that's 7 different logins - no wonder they use the same password across all the systems!

      Until 2 months into Covid they were still having to carry personal phones around all day for the 2FA - scrubs do not have pockets!

      Things actually changed when the IT Manager caught Covid - yes, they dispensed with the 2FA on personal phones!

      Anonymous for hopefully obvious reasons

      1. Anonymous Coward
        Anonymous Coward

        Re: Who is at fault?

        @"49 times she had to log into one system or another, and that's 7 different logins - no wonder they use the same password across all the systems!"

        Passwords have repeatedly proven useless for security; they should have authentication cards that logged them in based upon what they were permitted to see, but regardless, maintaining security is part of their jobs and you can bet they knew they were not supposed to reuse passwords.

        My thinking is that this is just another intentional release of medical data for personal profit by those charged with its protection.

        Now there are companies set up just to harvest data for resale, that they are willing to pay for access and data is leaked cannot be seen as being a coincidence.

        I used to work for a company that was once part of the NHS; it had rooms filled with medical records to the ceiling that were stored there back when it was still NHS. Reading other people's medical histories was break-time entertainment for anyone who was bored, none of whom were NHS employees. The rooms were not even locked and no one cared even when told what was happening, thus data security and confidentiality has never in my experience been a priority in the NHS.

        1. Intractable Potsherd

          Re: Who is at fault?

          "... they should have a authentication cards that logged them in based upon what they were permitted to see ..."

          At least some of the wards at my local hospital have this system. Three or four years ago, I was a patient on one of those wards, in the bed closest to the doctors' station. Four junior doctors logging in at the same time; one says to the others, "Can you log me in? I don't know where my card is." One of them duly did. The look on their faces when I said, "Hello, remember me? I taught you medical law and ethics" was priceless. They knew what they had done was wrong, but, as it was explained to me by the one who had mislaid their card, to report it would mean disciplinary proceedings, and it didn't solve the problem of not having their card. They had also rung their flat-mate to bring the card in.

    3. Tom Paine

      Re: Who is at fault?

      I may be reading too much between the lines, but these don't sound like leaks from the mainstream NHS.

    4. Michael Wojcik Silver badge

      Re: Who is at fault?

      According to the article, ~23K UK records, of ~45M worldwide. I don't think you can blame the NHS for more than about 2.5% of the problem at most.

      It's the same issue we've seen with other industries and data domains: long-standing common practices that did not include any real attention to security. It's systemic, not specific.

      Also, take note of the comment about "automated scripts". This is why we'll always have ransomware, mining ware, spam, etc: even if these types of common IT abuse become no longer economically viable, there are large bot armies running on compromised systems which are busy finding and infecting vulnerable targets, without any significant human supervision. We've created an industry that attacks itself automatically.

      (Of course, a number of other industries are not free of such revenge effects - take, for example, the breeding of "superbugs" in hospitals. But in IT we've really grabbed the brass ring on this one. There are already mostly-automated systems for identifying new vulnerabilities and constructing exploits for them, and those will only get better.)

  3. Blazde Silver badge
    Meh

    Some ol' fashioned Naming and Shaming would be nice..

    ..otherwise what does Joe Public do with this info? (Aside from applying for a job at CybelAngel of course)

  4. Winkypop Silver badge
    Coat

    X-rays and other medical scans were left online

    Why did it take so long to see through the problem?

    --> Not a lab coat

  5. Neil Barnes Silver badge
    Coat

    each Application Entity must insure that their own local environment is secure

    And that's the problem right there. They insured it, when they should have ensured it...

    The one with the sheaf of policy documents in the pocket --->

  6. MadAsHell

    Security model is upside down so they can't implement SSO

    There are some interesting and valid comments here. Yes, the number of logins required to pull together all of the imaging for a given patient can be a real PITA, hence why busy docs in overloaded clinics hate the login process. Answer, you say, a SSO.

    But since the idiots in DoH/DHSC (and HMRC) went 'digital' they've turned the security model upside down. Back in the day, your medical notes and silver-based imaging were physical, tangible entities. Difficult to find (because no-one in the DoH had heard of barcodes in the 1990s, except us) but impossible to snoop. No idle trawling through some remote DB, thinking 'I wonder if Matt Hancock's syphilis test result is back yet?' Same with tax records: it was policy that your tax office was the other end of the country to where you worked and lived. No social engineering there either.

    Skip forward and *all* tax records are on a single system and every HMRC call centre operative can pull up John Smith's tax records. Except that HMRC realised this might be an issue: there's an entirely separate tax record system for MPs/celebs and VIPs! No browsing through the declared tax from the nomenklatura/friends of Gov with their snouts in the PPE trough.

    But in Health Care, ALL records are on line, belonging to each Trust. So imagine the impact of a single-sign-on solution across the NHS. Any GP's receptionist could idly trawl through anyone's health care records. Given how many warranted coppers and civilian workers are disciplined or fired each year for inappropriate access to the PNC (hint: El Reg article 11th Nov 2019 - about 1 every 3 days), imagine the leaks from all of those juicy WAGS and COVIDiot browsing sessions.

    Shudder!

    1. TimMaher Silver badge
      Facepalm

      Re: Security model is upside down so they can't implement SSO

      I doubt if Hancock would be lucky enough to get syphilis.

      1. Anonymous Coward
        Anonymous Coward

        Re: Security model is upside down so they can't implement SSO

        It’s more likely the syphilis would want to be tested for Hancock.

    2. EnviableOne

      Re: Security model is upside down so they can't implement SSO

      NHS records are not online; the only things that are available across the entire NHS (if you can say such a thing still exists) are the Summary Care Record (which you can opt out of) and the demographic data linked to your NHS Number.

      The actual detail of your record is maintained in a myriad of different systems, that are generally completely incompatible with each other, held and operated by GPs, Hospitals, Community Teams, Support Units and other entities that you deal with, and the transfer of which is covered by a myriad of controller/processor and controller/controller agreements.

      The majority of your information is stored in your GP record, and this gets shuttled around the country when you move doctors or a specialist needs the detail.

      This information is DICOM images: ultrasounds, X-rays, CTs etc. They are transferred in a common format, which is constantly maintained and updated (the current version is 2020d; there are usually 5 a year); it even has an ISO standard, ISO 12052.

      As with all standards, the majority of issues are not with the actual standard, but its implementation.

      This specific incident is more down to an imaging system and vendor implementation. Normally if these are stored in the cloud the demographics are stripped from the images before they leave the organisation and replaced with a unique reference.

    3. Stuart Moore

      Re: Security model is upside down so they can't implement SSO

      Single sign on doesn't mean giving everyone access to everyone's records. It means that you have one authentication, which then gives you access to the things you have the right to access, whatever system they're in.

      Working out what you have a right to access becomes more complicated, but it isn't impossible. One solution I heard is that every access should be audited and the patient themselves can review, along with reviews of suspicious events (e.g. doctors receptionist getting records of someone not registered at the surgery - there are valid reasons - emergency appointment when visiting relatives - but if one receptionist goes outside the statistical norms you can ask them what's going on).

      This is a complex problem to solve, and making things too secure could end up with the patient getting incorrect treatment. However we should be honest about what the problem is.
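The audit-and-review approach Stuart Moore describes above, as an added worked example (not code from the article, the thread, or any NHS system): a small Python script that reads constructed access-log lines and flags a user whose out-of-practice lookups exceed what their peers' rate would predict. The log format, the practice and patient identifiers, the user names and the threshold (three binomial standard deviations above the peer baseline, with a minimum of three such lookups before anyone is listed) are assumptions made for the illustration.

```python
"""Peer-baseline review of record-access audit logs.

Added example, not code from The Register, the commenters or any NHS system.
It reads constructed audit lines (user, their practice, patient, the patient's
registered practice) and flags users whose out-of-practice lookups exceed what
the rate among their peers would predict. A flag means "ask what's going on",
not a verdict: an emergency appointment while visiting relatives is legitimate.
"""
import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: five receptionists at two practices, five lookups each.
AUDIT_LOG = """\
2020-12-15T08:55 user=alice practice=P001 patient=PT1001 patient_practice=P001
2020-12-15T09:02 user=alice practice=P001 patient=PT1002 patient_practice=P001
2020-12-15T09:10 user=alice practice=P001 patient=PT2003 patient_practice=P002
2020-12-15T09:31 user=alice practice=P001 patient=PT1004 patient_practice=P001
2020-12-15T10:05 user=alice practice=P001 patient=PT1005 patient_practice=P001
2020-12-15T08:58 user=bob practice=P001 patient=PT1006 patient_practice=P001
2020-12-15T09:14 user=bob practice=P001 patient=PT1007 patient_practice=P001
2020-12-15T09:40 user=bob practice=P001 patient=PT1008 patient_practice=P001
2020-12-15T10:12 user=bob practice=P001 patient=PT2009 patient_practice=P002
2020-12-15T10:44 user=bob practice=P001 patient=PT1010 patient_practice=P001
2020-12-15T09:03 user=carol practice=P002 patient=PT2011 patient_practice=P002
2020-12-15T09:21 user=carol practice=P002 patient=PT2012 patient_practice=P002
2020-12-15T09:50 user=carol practice=P002 patient=PT2013 patient_practice=P002
2020-12-15T10:20 user=carol practice=P002 patient=PT2014 patient_practice=P002
2020-12-15T10:55 user=carol practice=P002 patient=PT1015 patient_practice=P001
2020-12-15T09:07 user=erin practice=P002 patient=PT2016 patient_practice=P002
2020-12-15T09:25 user=erin practice=P002 patient=PT2017 patient_practice=P002
2020-12-15T09:58 user=erin practice=P002 patient=PT2018 patient_practice=P002
2020-12-15T10:30 user=erin practice=P002 patient=PT2019 patient_practice=P002
2020-12-15T11:01 user=erin practice=P002 patient=PT2020 patient_practice=P002
2020-12-15T12:31 user=dave practice=P002 patient=PT1021 patient_practice=P001
2020-12-15T12:33 user=dave practice=P002 patient=PT1022 patient_practice=P001
2020-12-15T12:40 user=dave practice=P002 patient=PT2023 patient_practice=P002
2020-12-15T12:47 user=dave practice=P002 patient=PT1024 patient_practice=P001
2020-12-15T12:52 user=dave practice=P002 patient=PT1025 patient_practice=P001
"""


@dataclass
class Finding:
    user: str
    observed: int        # out-of-practice lookups by this user
    expected: float      # what the peers' rate predicts for this user's volume
    threshold: float     # expected + k binomial standard deviations
    patients: list       # the records to ask about


def parse_audit(text):
    """Yield one dict per line; the timestamp is the first token, the rest key=value."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        rec = dict(pair.split("=", 1) for pair in kv)
        rec["ts"] = ts
        yield rec


def detect_outliers(text, k=3.0, min_observed=3):
    """Leave-one-out peer baseline: compare each user with everyone except themselves."""
    totals = defaultdict(int)
    out_of_practice = defaultdict(list)
    for rec in parse_audit(text):
        totals[rec["user"]] += 1
        if rec["practice"] != rec["patient_practice"]:
            out_of_practice[rec["user"]].append(rec["patient"])
    all_total = sum(totals.values())
    all_out = sum(len(v) for v in out_of_practice.values())

    findings = {}
    for user, n in totals.items():
        observed = len(out_of_practice[user])
        peer_total = all_total - n
        if peer_total == 0:
            continue
        p = (all_out - observed) / peer_total          # peers' out-of-practice rate
        expected = n * p
        threshold = expected + k * math.sqrt(n * p * (1 - p))
        if observed >= min_observed and observed > threshold:
            findings[user] = Finding(user, observed, expected, threshold,
                                     out_of_practice[user])
    return findings


if __name__ == "__main__":
    for f in detect_outliers(AUDIT_LOG).values():
        print("%s: %d out-of-practice lookups, peers predict %.2f (threshold %.2f): %s"
              % (f.user, f.observed, f.expected, f.threshold, ", ".join(f.patients)))
```

With the constructed log only dave is listed (four of his five lookups are for patients registered elsewhere, against a peer rate of three in twenty); alice, bob and carol each have one such lookup and never reach the minimum. In practice the baseline would be computed per role and over a longer window, and the patient-facing review Stuart Moore mentions would show each patient their own access history independently of this.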

  7. Anonymous Coward
    Anonymous Coward

    I hope they enjoy

    The beauty of my intestines...

    1. chivo243 Silver badge
      Unhappy

      Re: I hope they enjoy

      And my root canal...

    2. Imhotep

      Re: I hope they enjoy

      Perhaps they could answer some questions about my prostate.

  8. Anonymous Coward
    Anonymous Coward

    Leaky S3 buckets is one thing, but...

    Even a specialist firm "advertising a paid service to securely host and manage DICOM images" was leaking around 500,000 files online because nobody had thought to secure its Network File System (NFS) on port 2049, Cybelangel found.

    Fer reals?! This would have been embarrassing in 1995. How is that even possible? They have firewalls, surely?

    Meanwhile after 20y in security I'm unemployed, mostly because I'm burned out by being caught between crap like that, and management who couldn't care less :)

    1. Anonymous Coward
      Anonymous Coward

      Re: Leaky S3 buckets is one thing, but...

      The budget goes to management and direct costs, not to fripperies like IT security! Seen that before.
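A host-level check for the kind of exposure quoted in the post above, as an added example that is not from CybelAngel, the article or the commenters: it parses `ss -tlnp`-style output and an /etc/exports file, both constructed and embedded here rather than read from a live machine, and reports sensitive listeners bound to anything other than loopback together with exports that admit any client. The port list, addresses, process names and export paths are assumptions for the illustration.

```python
"""Is NFS (or DICOM) reachable from beyond this host, and exported to the world?

Added example, not from CybelAngel or The Register. The `ss` output and the
/etc/exports content below are constructed so the script runs offline; on a
real host you would feed it `ss -tlnp` and the actual exports file.
"""
import re
from dataclasses import dataclass

# Ports an imaging/NFS host should never expose to the internet (assumed list).
SENSITIVE_PORTS = {111: "rpcbind", 2049: "nfs", 104: "dicom", 11112: "dicom", 445: "smb"}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed output in the shape of `ss -tlnp`
SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN  0      64     0.0.0.0:2049        0.0.0.0:*
LISTEN  0      128    [::]:111            [::]:*             users:(("rpcbind",pid=600,fd=4))
LISTEN  0      128    127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=1203,fd=5))
LISTEN  0      128    10.0.0.5:104        0.0.0.0:*          users:(("storescp",pid=2100,fd=3))
LISTEN  0      128    127.0.0.1:11112     0.0.0.0:*          users:(("storescp",pid=2100,fd=4))
"""

# Constructed /etc/exports
EXPORTS = """\
# DICOM archive shared with the reporting workstations
/srv/dicom  *(rw,sync,no_root_squash)
/srv/backup 10.0.0.0/24(ro,sync,root_squash)
/srv/scratch 10.0.0.7(rw,sync) 10.0.0.8(rw,sync)
"""


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(text):
    """Parse LISTEN rows; local address is column 4, process (if any) column 6."""
    listeners = []
    for line in text.splitlines()[1:]:            # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")   # rpartition copes with IPv6 "[::]:111"
        addr = addr.strip("[]")
        m = re.search(r'\("([^"]+)"', cols[5]) if len(cols) > 5 else None
        listeners.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return listeners


def exposed_listeners(listeners):
    """Sensitive services bound to anything other than a loopback address."""
    return [l for l in listeners if l.port in SENSITIVE_PORTS and l.addr not in LOOPBACK]


def open_exports(text):
    """(path, host, root_not_squashed) for exports that any client may mount."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or ["*"]:               # a path with no client list is exported to everyone
            host, _, opts = spec.partition("(")
            options = opts.rstrip(")").split(",") if opts else []
            if host in ("", "*") or host.startswith("*."):
                findings.append((path, host or "*", "no_root_squash" in options))
    return findings


def report(ss_text, exports_text):
    lines = []
    for l in exposed_listeners(parse_ss(ss_text)):
        lines.append("%s/%d (%s) bound to %s: reachable off-host, needs a firewall rule"
                     % (SENSITIVE_PORTS[l.port], l.port, l.process, l.addr))
    for path, host, root in open_exports(exports_text):
        lines.append("%s exported to %s%s" % (path, host, " with no_root_squash" if root else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SS_OUTPUT, EXPORTS)))
```

The sample flags nfs on 0.0.0.0:2049, rpcbind on [::]:111, the DICOM listener on 10.0.0.5:104 and the `/srv/dicom` export that any host can mount as root, while the loopback-only Postgres and DICOM listeners pass. Binding to a LAN address is not a pass: it still needs a host or perimeter firewall rule in front of it.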

  9. Anonymous Coward
    Anonymous Coward

    We can use for AI training

    It can improve diagnosis of certain fractures and diseases by a lot on a sample that size. Since it is all there already....why not...

  10. scrubber

    Pride of the nation

    Sure am glad the NHS protects our records and would never leave them on trains, resold IT equipment, unprotected websites, never mind straight up sell them without our permission, consent or compensation to foreign companies with no restrictions on what they do with it.

    Can I go on my balcony and clap these clowns like the performing seal the government wants me to be?

  11. spold Silver badge

    Not just images and metadata...

    Many DI systems have free-text annotation fields that doctors may use...

    "This is an image of Meg's broken leg, after her husband Bob pushed her down the stairs".
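De-identification of the kind EnviableOne describes earlier in the thread (demographics stripped and replaced with a unique reference before images leave the organisation), extended to the free-text annotation fields spold raises just above, as an added Python example that is not code from the article, the commenters or any PACS vendor. It hand-rolls a minimal explicit-VR little-endian element codec, constructs a small dataset inline, and applies an assumed policy; the key, the tag values, the choice of a keyed HMAC pseudonym and the set of tags removed are illustration assumptions, and the DICOM standard's own confidentiality profiles cover far more attributes than this.

```python
"""De-identifying a DICOM dataset before it leaves the organisation.

Added example, not from the article, the commenters or any imaging vendor.
The codec handles defined-length explicit VR little endian elements only (no
sequences, undefined lengths, file preamble or file meta group), so it is a
demonstration of the policy rather than a general DICOM parser.
"""
import hashlib
import hmac
import struct

# VRs carried with 2 reserved bytes and a 4-byte length (DICOM PS3.5, 7.1.2)
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

PATIENT_NAME = (0x0010, 0x0010)
PATIENT_ID = (0x0010, 0x0020)
PATIENT_BIRTH_DATE = (0x0010, 0x0030)
IMAGE_COMMENTS = (0x0020, 0x4000)       # free-text field of the kind mentioned above
DROP_TAGS = {PATIENT_BIRTH_DATE, IMAGE_COMMENTS}


def encode_element(group, elem, vr, value):
    """Serialise one element; DICOM pads values to an even length."""
    if len(value) % 2:
        value += b"\x00" if vr in (b"OB", b"OW", b"UN") else b" "
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def parse_dataset(data):
    """Return [(tag, vr, raw value)] for a defined-length explicit VR LE dataset."""
    elements, pos = [], 0
    while pos < len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length elements are out of scope here")
        if pos + length > len(data):
            raise ValueError("truncated element at offset %d" % pos)
        elements.append(((group, elem), vr, data[pos:pos + length]))
        pos += length
    return elements


def pseudonym(patient_id, key):
    """Keyed, deterministic reference: the site can re-link it, nobody without the key can."""
    digest = hmac.new(key, patient_id.strip(), hashlib.sha256).hexdigest()
    return digest[:16].upper().encode("ascii")


def deidentify(data, key):
    out = bytearray()
    for (group, elem), vr, value in parse_dataset(data):
        if group % 2 == 1:                  # private (odd-group) tags: vendor-defined content
            continue
        if (group, elem) in DROP_TAGS:      # birth date and free-text comments: dropped
            continue
        if (group, elem) == PATIENT_NAME:
            value = b"ANONYMIZED"
        elif (group, elem) == PATIENT_ID:
            value = pseudonym(value, key)
        out += encode_element(group, elem, vr, value)
    return bytes(out)


def as_dict(data):
    return {tag: value for tag, _vr, value in parse_dataset(data)}


# Constructed sample dataset; the key would come from the site's key store, not source code.
KEY = b"constructed-example-key"
SAMPLE = b"".join([
    encode_element(0x0008, 0x0060, b"CS", b"CR"),
    encode_element(0x0010, 0x0010, b"PN", b"DOE^JANE"),
    encode_element(0x0010, 0x0020, b"LO", b"MRN-0042"),
    encode_element(0x0010, 0x0030, b"DA", b"19800101"),
    encode_element(0x0020, 0x4000, b"LT", b"Fracture after fall at home"),
    encode_element(0x0029, 0x1010, b"LO", b"vendor private tag"),
    encode_element(0x7FE0, 0x0010, b"OB", bytes(range(16))),
])

if __name__ == "__main__":
    for tag, value in as_dict(deidentify(SAMPLE, KEY)).items():
        print("(%04X,%04X) %r" % (tag[0], tag[1], value))
```

After `deidentify` the modality and pixel data survive untouched, the name is a constant, the MRN is a 16-hex-digit HMAC pseudonym, and the birth date, the comment field and the private tag are gone. The pseudonym is what lets the outsourced reporting come back to the right patient without the supplier ever holding the demographics; burned-in text inside the pixels needs separate handling that no tag policy can give.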

  12. Anonymous Coward
    Anonymous Coward

    I think I can see the root cause here. Or rather causes.

    One will probably be old tech that was probably never intended to be connected to the internet, which managers have decided would be great if they just connected it to the internet. The IT department will then have been duly instructed.

    The other is procurement managers buying products and just assuming that the vendor will have made them secure, then these will then be passed on to IT departments to deploy.

    In other words the root cause is management.

    In both cases I wouldn't be surprised to find an email trail with IT staff telling management that the deployments are not secure and managers telling these IT staff to shut up and get on with it. This is often worse where IT has been outsourced as the message from the grunts on the ground floor one reason or another may never reach the client.

    I once worked for a large organization which had clear policies and procedures for raising security concerns. I soon found that this didn't make anything more secure; all it meant was that there was a better paper trail when it came to playing the blame game (obviously I mean carrying out post incident reviews), as somewhere up the chain any concerns would be overridden by bean counters or senior managers who just wanted the project in on time and in budget.

    OK so for those of us working on the ground it meant protection, as the paper chain would almost always incriminate some manager, but it didn't prevent huge holes in security being created.

  13. DevOpsTimothyC

    23,000 images of UK patients

    So did CybelAngel report any of the exposed information to the ICO or any other government data protection agency (in other countries) who are supposed to do something about it?
