A health data breach has revealed millions of patient records on the Internet. This highlights the critical importance of data security in healthcare.
Researchers have found millions of health records on the open Internet. This was due to a well-known weakness in medical image storage systems. The breach highlights the critical importance of good data security in healthcare. Here, we analyse what happened, and explain how you can avoid becoming the next subject of a data breach.
What happened?
GreenBone Networks investigated a well-known issue affecting medical picture archiving and communication (PACS) servers. They found over 600 PACS systems worldwide that are connected to the Internet and unsecured. PACS servers are used for storing sensitive medical imagery such as X-rays and MRI scans. In their report, Greenbone Networks found they could access over 700 million images along with the details of some 24 million patents.
What is the impact in Europe?
Here in Europe, several countries were badly affected. In total, 37 PACS servers were identified, compromising the data of over 5 million patients. France, Germany and Italy were especially badly hit, accounting for almost all of the compromised patients.
Why are PACS servers vulnerable?
PACS servers are well known to be vulnerable. Identifying PACS servers is relatively easy because they use a protocol called DICOM (digital imaging and communications in medicine). Greenbone Networks actually found over 2,000 PACS servers in their investigation. In itself, that wasn’t a problem. The real issue was that so many of them had no password protection at all or only protected some of the data.
All identified systems disclosed the patient’s name, date of birth, date of examination and some medical information about the reason for examination.
Why is this a big problem under GDPR?
The GDPR classifies health data as a special category of personal data. That means such data has to receive the highest possible level of protection. This includes providing suitable (state of the art) data security and encryption. It also means creating organisational measures to ensure all security risks are evaluated and responded to.
Companies and institutions that get it wrong can face huge fines as well as damaging PR and loss of trust. Importantly, in cases like this, the data doesn’t have to be actually stolen. Just the fact it was openly available constitutes a breach.
For larger companies, GDPR fines can reach hundreds of millions of euros. They are based on your global annual turnover.
What should they have done?
Systems that store sensitive data like this have to be properly secured. This is even more vital if the data needs to be made available over the Internet. As a minimum, this involves user management, firewalls and encryption. Only registered users should ever have access to the sensitive data. This requires strong user and permissions management. The server should be protected by a firewall, with sensitive ports blocked by default. Where you have to allow access, you should do this via VPN or similar. Even then, you should use record-level encryption (aka application-level encryption).
How can Chino help you do it better?
Chino.io solves data security for digital health companies. Our offer includes market-leading technology, technical advice and legal consultancy. Using our platform, you can quickly add user management and secure encryption to your existing system. We can also give you detailed advice on data protection, data security and GDPR/HIPAA compliance. Contact us to talk to our experts or download our eBook on GDPR and HIPAA compliance.
