Article 43

 

Your MRI

image: hippa

Maybe this explains why:

The treatment consent form included text that gives the hospital the ok to share any medical and personal information with any third party they wish, without restriction.
- Florida Hospital insists I let them do whatever they want with my medical records

Millions of Americans Medical Images and Data Are Available on the Internet. Anyone Can Take a Peek.
Hundreds of computer servers worldwide that store patient X-rays and MRIs are so insecure that anyone with a web browser or a few lines of computer code can view patient records. One expert warned about it for years.

ByJack Gillum, Jeff Kao and Jeff Larson
ProPublica
September. 17, 2019

Medical images and health data belonging to millions of Americans, including X-rays, MRIs and CT scans, are sitting unprotected on the internet and available to anyone with basic computer expertise.

The records cover more than 5 million patients in the U.S. and millions more around the world. In some cases, a snoop could use free software programs or just a typical web browser - to view the images and private data, an investigation by ProPublica and the German broadcaster Bayerischer Rundfunk found.

We identified 187 servers - computers that are used to store and retrieve medical data in the U.S. that were unprotected by passwords or basic security precautions. The computer systems, from Florida to California, are used in doctors’ offices, medical-imaging centers and mobile X-ray services.

“It’s not even hacking. It’s walking into an open door,” said Jackie Singh, a cybersecurity researcher and chief executive of the consulting firm Spyglass Security. Some medical providers started locking down their systems after we told them of what we had found.

Our review found that the extent of the exposure varies, depending on the health provider and what software they use. For instance, the server of U.S. company MobilexUSA displayed the names of more than a million patients all by typing in a simple data query. Their dates of birth, doctors and procedures were also included.

Alerted by ProPublica, MobilexUSA tightened its security last week. The company takes mobile X-rays and provides imaging services to nursing homes, rehabilitation hospitals, hospice agencies and prisons. “We promptly mitigated the potential vulnerabilities identified by ProPublica and immediately began an ongoing, thorough investigation,” MobilexUSA’s parent company said in a statement.

Another imaging system, tied to a physician in Los Angeles, allowed anyone on the internet to see his patients echocardiograms. (The doctor did not respond to inquiries from ProPublica.)

All told, medical data from more than 16 million scans worldwide was available online, including names, birthdates and, in some cases, Social Security numbers.

Experts say it’s hard to pinpoint who’s to blame for the failure to protect the privacy of medical images. Under U.S. law, health care providers and their business associates are legally accountable for securing the privacy of patient data. Several experts said such exposure of patient data could violate the Health Insurance Portability and Accountability Act, or HIPAA, the 1996 law that requires health care providers to keep Americans’ health data confidential and secure.

Although ProPublica found no evidence that patient data was copied from these systems and published elsewhere, the consequences of unauthorized access to such information could be devastating. Medical records are one of the most important areas for privacy because they’re so sensitive. Medical knowledge can be used against you in malicious ways: to shame people, to blackmail people, said Cooper Quintin, a security researcher and senior staff technologist with the Electronic Frontier Foundation, a digital-rights group.

“This is so utterly irresponsible,” he said.

The issue should not be a surprise to medical providers. For years, one expert has tried to warn about the casual handling of personal health data. Oleg Pianykh, the director of medical analytics at Massachusetts General Hospital’s radiology department, said medical imaging software has traditionally been written with the assumption that patients data would be secured by the customer’s computer security systems.

But as those networks at hospitals and medical centers became more complex and connected to the internet, the responsibility for security shifted to network administrators who assumed safeguards were in place. “Suddenly, medical security has become a do-it-yourself project,” Pianykh wrote in a 2016 research paper he published in a medical journal.

ProPublicas investigation built upon findings from Greenbone Networks, a security firm based in Germany that identified problems in at least 52 countries on every inhabited continent. GreenboneҒs Dirk Schrader first shared his research with Bayerischer Rundfunk after discovering some patients health records were at risk. The German journalists then approached ProPublica to explore the extent of the exposure in the U.S.

Schrader found five servers in Germany and 187 in the U.S. that made patients’ records available without a password. ProPublica and Bayerischer Rundfunk also scanned Internet Protocol addresses and identified, when possible, which medical provider they belonged to.

ProPublica independently determined how many patients could be affected in America, and found some servers ran outdated operating systems with known security vulnerabilities. Schrader said that data from more than 13.7 million medical tests in the U.S. were available online, including more than 400,000 in which X-rays and other images could be downloaded.

The privacy problem traces back to the medical professions shift from analog to digital technology. Long gone are the days when film X-rays were displayed on fluorescent light boards. Today, imaging studies can be instantly uploaded to servers and viewed over the internet by doctors in their offices.

In the early days of this technology, as with much of the internet, little thought was given to security. The passage of HIPAA required patient information to be protected from unauthorized access. Three years later, the medical imaging industry published its first security standards.

Our reporting indicated that large hospital chains and academic medical centers did put security protections in place. Most of the cases of unprotected data we found involved independent radiologists, medical imaging centers or archiving services.

One German patient, Katharina Gaspari, got an MRI three years ago and said she normally trusts her doctors. But after Bayerischer Rundfunk showed Gaspari her images available online, she said: “Now, I am not sure if I still can.” The German system that stored her records was locked down last week.

We found that some systems used to archive medical images also lacked security precautions. Denver-based Offsite Image left open the names and other details of more than 340,000 human and veterinary records, including those of a large cat named ԓMarshmellow, ProPublica found. An Offsite Image executive told ProPublica the company charges clients $50 for access to the site and then $1 per study. ԓYour data is safe and secure with us, Offsite ImageԒs website says.

The company referred ProPublica to its tech consultant, who at first defended Offsite Images security practices and insisted that a password was needed to access patient records. The consultant, Matthew Nelms, then called a ProPublica reporter a day later and acknowledged Offsite ImageҒs servers had been accessible but were now fixed.

“We were just never even aware that there was A POSSIBILITY that could even happen,” Nelms said.

In 1985, an industry group that included radiologists and makers of imaging equipment created a standard for medical imaging software. The standard, which is now called DICOM, spelled out how medical imaging devices talk to each other and share information.

We shared our findings with officials from the Medical Imaging & Technology Alliance, the group that oversees the standard. They acknowledged that there were hundreds of servers with an open connection on the internet, but suggested the blame lay with the people who were running them.

Even though it is a comparatively small number,Ӕ the organization said in a statement, it may be possible that some of those systems may contain patient records. Those likely represent bad configuration choices on the part of those operating those systems.Ӕ

Meeting minutes from 2017 show that a working group on security learned of Pianykhs findings and suggested meeting with him to discuss them further. That ғaction item was listed for several months, but Pianykh said he never was contacted. The medical imaging alliance told ProPublica last week that the group did not meet with Pianykh because the concerns that they had were sufficiently addressed in his article. They said the committee concluded its security standards were not flawed.

Pianykh said that misses the point. ItԒs not a lack of standards; its that medical device makers donҒt follow them. Medical-data security has never been soundly built into the clinical data or devices, and is still largely theoretical and does not exist in practice,Ӕ Pianykh wrote in 2016.

ProPublicas latest findings follow several other major breaches. In 2015, U.S. health insurer Anthem Inc. revealed that private data belonging to more than 78 million people was exposed in a hack. In the last two years, U.S. officials have reported that more than 40 million people have had their medical data compromised, according to an analysis of records from the U.S. Department of Health and Human Services.

Joy Pritts, a former HHS privacy official, said the government isn’t tough enough in policing patient privacy breaches. She cited an April announcement from HHS that lowered the maximum annual fine, from $1.5 million to $250,000, for whats known as “corrected willful neglect” - the result of conscious failures or reckless indifference that a company tries to fix. She said that large firms would not only consider those fines as just the cost of doing business, but that they could also negotiate with the government to get them reduced. A ProPublica examination in 2015 found few consequences for repeat HIPAA offenders.

A spokeswoman for HHS Office for Civil Rights, which enforces HIPAA violations, said it wouldn’t comment on open or potential investigations.

“What we typically see in the health care industry is that there is Band-Aid upon Band-Aid applied to legacy computer systems,” said Singh, the cybersecurity expert. She said it’s a “shared responsibility: among manufacturers, standards makers and hospitals to ensure computer servers are secured.

“It’s 2019,” she said. “There’s no reason for this.”

How Do I Know if My Medical Imaging Data is Secure?

If you are a patient:

If you have had a medical imaging scan (e.g., X-ray, CT scan, MRI, ultrasound, etc.) ask the health care provider that did the scan - or your doctor - if access to your images requires a login and password. Ask your doctor if their office or the medical imaging provider to which they refer patients conducts a regular security assessment as required by HIPAA.

If you are a medical imaging provider or doctor’s office:

Researchers have found that picture archiving and communication systems (PACS) servers implementing the DICOM standard may be at risk if they are connected directly to the internet without a VPN or firewall, or if access to them does not require a secure password. You or your IT staff should make sure that your PACS server cannot be accessed via the internet without a VPN connection and password. If you know the IP address of your PACS server but are not sure whether it is (or has been) accessible via the internet, please reach out to us at “medicalimaging at propublica.org.”

SOURCE

---

FDA informs patients, providers and manufacturers about potential cybersecurity vulnerabilities for connected medical devices and health care networks that use certain communication software

FDA
October 1, 2019

Today, the U.S. Food and Drug Administration is informing patients, health care professionals, IT staff in health care facilities and manufacturers of a set of cybersecurity vulnerabilities, referred to as URGENT/11,Ӕ thatif exploited by a remote attackerחmay introduce risks for medical devices and hospital networks. URGENT/11 affects several operating systems that may then impact certain medical devices connected to a communications network, such as wi-fi and public or home Internet, as well as other connected equipment such as routers, connected phones and other critical infrastructure equipment. These cybersecurity vulnerabilities may allow a remote user to take control of a medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent a device from functioning properly or at all.

To date, the FDA has not received any adverse event reports associated with these vulnerabilities. The public was first informed of these vulnerabilities in a July 2019 advisory sent by the Department of Homeland Security. Today, the FDA is providing additional information regarding the source of these vulnerabilities and recommendations for reducing or avoiding risks the vulnerabilities may pose to certain medical devices.

While advanced devices can offer safer, more convenient and timely health care delivery, a medical device connected to a communications network could have cybersecurity vulnerabilities that could be exploited resulting in patient harm,Ӕ said Amy Abernethy, M.D., Ph.D., FDAs principal deputy commissioner. ғThe FDA urges manufacturers everywhere to remain vigilant about their medical productsto monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them. This is a cornerstone of the FDAגs efforts to work with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to develop and implement solutions to address cybersecurity issues that affect medical devices in order to keep patients safe.

The URGENT/11 vulnerabilities exist in a third-party software, called IPnet, that computers use to communicate with each other over a network. This software is part of several operating systems and may be incorporated into other software applications, equipment and systems. The software may be used in a wide range of medical and industrial devices. Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support. Therefore, the software may be incorporated into a variety of medical and industrial devices that are still in use today.

Security researchers, manufacturers and the FDA are aware that the following operating systems are affected, but the vulnerability may not be included in all versions of these operating systems:

VxWorks (by Wind River)
Operating System Embedded (OSE) (by ENEA)
INTEGRITY (by GreenHills)
ThreadX (by Microsoft)
ITRON (by TRON)
ZebOS (by IP Infusion)

The agency is asking manufacturers to work with health care providers to determine which medical devices, either in their health care facility or used by their patients, could be affected by URGENT/11 and develop risk mitigation plans. Patients should talk to their health care providers to determine if their medical device could be affected and to seek help right away if they notice the functionality of their device has changed.

The FDA takes reports of vulnerabilities in medical devices very seriously and todayԒs safety communication includes recommendations to manufacturers for continued monitoring, reporting and remediation of medical device cybersecurity vulnerabilities. The FDA is recommending that manufacturers conduct a risk assessment, as described in the FDAs cybersecurity postmarket guidance, to evaluate the impact of these vulnerabilities on medical devices they manufacture and develop risk mitigation plans. Medical device manufacturers should work with operating system vendors to identify available patches and other recommended mitigation methods, work with health care providers to determine any medical devices that could potentially be affected, and discuss ways to reduce associated risks.

Some medical device manufacturers are already actively assessing which devices may be affected by URGENT/11 and are identifying risk and remediation actions. In addition, several manufacturers have already proactively notified customers of affected products, which include medical devices such as an imaging system, an infusion pump and an anesthesia machine. The FDA expects that additional medical devices with one or more of the cybersecurity vulnerabilities will be identified.

ғWhile we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed could be significant, said Suzanne Schwartz, M.D., MBA, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDAԒs Center for Devices and Radiological Health. The safety communication issued today contains recommendations for what actions patients, health care providers and manufacturers should take to reduce the risk this vulnerability could pose. ItӒs important for manufacturers to be aware that the nature of these vulnerabilities allows the attack to occur undetected and without user interaction. Because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures.

The FDA will continue its work with manufacturers and health care delivery organizationsԗas well as security researchers and other government agenciesto help develop and implement solutions to address cybersecurity issues throughout a device’s total product lifecycle.

The FDA will continue to assess new information concerning the URGENT/11 vulnerabilities and will keep the public informed if significant new information becomes available.

The FDA, an agency within the U.S. Department of Health and Human Services, protects the public health by assuring the safety, effectiveness, and security of human and veterinary drugs, vaccines and other biological products for human use, and medical devices. The agency also is responsible for the safety and security of our nationגs food supply, cosmetics, dietary supplements, products that give off electronic radiation, and for regulating tobacco products.

SOURCE

Posted by Elvis on 09/18/19 •
Link to this articleLink to this article and comments
Home
 

Name:

Email:

Location:

URL:

Smileys

Remember my personal information

Notify me of follow-up comments?

Next entry: Ageism

Previous entry: Suicide Redux

<< Back to main

Home

Members:
Login | Register
Resumes | Members

In memory of the layed off workers of AT&T

Today's Diversion

The man who says I told you so is making an excuse for not expressing his position clearly in the first place. - Rod McKuen

Search


Advanced Search

Categories

Archives

Favorite Posts

Recent Entries

American Solidarity

Favorites

Statistics