July 18, 2022

1.19 billion scans from on-premises PACS are being leaked, compromising patient privacy. Here’s what you can do about it

Kovey Kovalan

We live in an age when data is becoming the most important currency. It holds many opportunities as well as a number of significant risks. As a result, debates about data security and data privacy are gaining resonance across sectors and regions. Unsurprisingly, the field of medical imaging is not immune: the sector handles enormous volumes of sensitive personal information on a daily basis.

Data Security in Medical Imaging

Last year it was reported that more than 1.19 billion medical images were insecure and exposed online, according to a report released by TechCrunch and Heavy.com in collaboration with German security firm Greenbone Networks. The largest share of this data was from the USA, which brings out the grave nature of the issue. A number of large hospitals were on the list of medical service providers that were not applying adequate data security safeguards. An issue of this scale is a huge threat to patients who are (or have been) required to undergo medical imaging procedures: unsecured data can be accessed by anyone with minimal effort. Not only are medical images unsecured, but the situation is also getting worse. It is not merely scans and other medical images that are accessible. The data attached to medical image sheets can include sensitive information about a person’s health, name, date of birth and, in some cases, even their social security number. Identifiable personal information is put out in the open when medical providers compromise on data security, and it can be used for profiling, insurance theft and other ignominious activities. As the reporting itself puts it: “More than 1 billion medical images — approximately half of which are from U.S. patients — remain unsecured and accessible using publicly available software, according to new reporting by TechCrunch and Heavy.com in collaboration with German security firm Greenbone Networks. And the problem is only getting worse.” [Reference 4]

What the law says

The US Government passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 with significant provisions to protect the personally identifiable data of patients. Medical imaging data is comprehensively covered under this law, which prescribes a range of penalties for different violations. Civil violations under the law can entail fines ranging from $100 to $50,000 per individual violation. Criminal violations can entail fines of up to $250,000 along with imprisonment of up to 10 years. The gravity of these punishments makes it clear why medical service providers need to stay HIPAA-compliant. Despite this, the USA was the source of the largest share of unsecured medical images. Around 75% of the medical images stored in unprotected PACS also contained the social security numbers of the patients. Among the unsecured data was imaging data of defence personnel along with other professional information. The losses accruing from the threat posed by this lack of security would run into billions.

Reasons for lack of data security

The publishers of the study mentioned earlier stated that, upon being informed about the unsecured state of the data stored on their PACS, many smaller organizations made the necessary changes to their image storage infrastructure. However, large institutions, which accounted for around 20% of the total unsecured data, did not respond adequately.

Outdated technology is one of the reasons for the poor standards we witness today in securing medical imaging data. Medical service providers need to invest more in this regard. Conventional RIS-PACS and DICOM have their limitations in an age where technology in general, and information technology in particular, is evolving at lightning speed. However, the more serious threat to data security is the lax attitude of medical service providers toward complying with the guidelines specified by technology providers and enforcement agencies. This needs to be rectified.

To improve the situation, medical service providers need to invest in better technology and become proactive in maintaining proper standards. If the erring medical service providers upgraded their technology and adopted the other necessary safeguards, at least around 600 million medical images would be made secure.

HIPAA compliance and Data Security with LifeVoxel

LifeVoxel has been investing a great deal in improving the quality of medical imaging and solving the issues in the sector. It has combined high-end technology such as Artificial Intelligence and visual GPU computing to ensure the best outcomes in the medical imaging industry. Maintaining compliance with the relevant laws has always been among the company’s top priorities. LifeVoxel addresses the data security issue by providing a HIPAA-compliant solution in which only authorized users can access data, privately and securely, over the internet. Special emphasis has been placed on offering solutions that ensure full compliance with laws such as MACRA and HIPAA, which ultimately ensures that its clients reap enhanced benefits. The service contracts that LifeVoxel enters into come with a HIPAA Business Associate section ensuring that client medical imaging centers and service providers stay HIPAA-compliant.

RIS PACS Software

With LifeVoxel's solution, authorized users can access medical imaging data with ease in a highly secure environment built on cloud computing technology. An edge device secures communications between the facility’s existing systems and the cloud through authenticated access and encryption. LifeVoxel's patented platform performs this transmission very quickly to our proprietary cloud. Once the cloud receives the information, the data is stored securely and privately, in a manner similar to how credit card data is stored. Third-party auditing is also performed for HIPAA certification.

Partnering with LifeVoxel helps medical imaging centers and providers ensure data security and maintain compliance while at the same time enhancing their productivity and performance. One added benefit of LifeVoxel over legacy cloud providers is that customers know where their data is physically stored on our proprietary cloud. The issues of data security are set to gain more prominence in the years to come. Stakeholders cannot afford to waste more time and need to ensure that they have the best technology and compliance in place.

Where to now?

For more information on this article or to view our software in action, please don't hesitate to schedule a virtual tour.

References

1. Every day, millions of new medical images containing the personal health information of patients are spilling out onto the internet. https://techcrunch.com/2020/01/10/medical-images-exposed-pacs

2. How screwed is Indian healthcare data? The story behind how I was able to view, edit & delete classified personal information of lakhs of patients all over India.

3. U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement

4. With the continued growth of healthcare data and a higher degree of interoperability between provider systems, HIPAA covered entities will need to form partnerships with other organizations to ensure the security of their data assets. These partnerships are known as business associate agreements (BAAs). https://healthitsecurity.com/features/what-is-a-hipaa-business-associate-agreement-baa

5. Greenbone Networks discovered that 24.5 million patient exams and 737 million images were available online worldwide. By November, 35 million patient studies (up 40%) and 1.19 billion images (up 60%) were found to be publicly accessible. “60 days later, the overall status of unprotected PACS [servers] around the globe isn’t getting better,” Greenbone wrote in a blog post. “The situation in the U.S. seems to be an unstoppable information security and data privacy disaster.” https://www.auntminnie.com/index.aspx?sec=sup&sub=pac&pag=dis&ItemID=127853