Thousands of NHS medical images found ‘unprotected’ on web

  • 30 September 2019

An investigation has been launched after thousands of patients’ medical images were found to be accessible on the internet.

Six UK systems storing x-rays, MRI and CT scans were found to be allowing unprotected access to anyone with a web browser, according to German security firm Greenbone Networks.

Some 1,500 patient records were publicly accessible due to “careless configuration” of these systems, along with more than 5,000 medical images. More than 13,000 medical images in the UK were found to be unprotected.

The Information Commissioner’s Office (ICO) and the NHS are investigating.

Using RadiAnt DICOM (digital imaging and communications in medicine) Viewer, an application that is easy to download from the internet, security experts were able to download and view the patient information.

The vast majority of information discovered in the global study included names; date of birth; date of examination; scope of the examination; type of imaging procedure undertaken; attending physician; institute or clinician; and number of images taken.

In total about 24.3 million data records worldwide were found to be unprotected.

The researchers “did not have to write any special code” to access the patient data, nor was any software vulnerability “exploited”, they said.

To view and download the data, all that was needed was a list of IPs and a DICOM viewer.

“This data is accessible because of the careless configuration of these systems. Many have no protection, aren’t password protected or encrypted,” said Greenbone Networks.

“Even regular, everyday internet users could gain access with a few simple actions.”

In some cases, the PACS (picture archiving and communication system) servers even allowed patient data and images to be viewed via HTTP and a web browser.

“This data could be exploited by attackers for various purposes,” the report warned.

“These include publishing individual names and images to the detriment of a person’s reputation; connecting the data with other Darknet sources to make phishing attacks and social engineering even more effective; reading and automatically processing the data to search for valuable identity information, such as social security numbers, in preparation for identity theft.”

NHS Digital confirmed it was investigating the matter and would “support any NHS organisations that may be affected”.

“We are aware of this report and have contacted the authors to ask them to provide additional technical detail, which we are investigating,” a spokesperson said.

“NHS organisations are responsible for their own technology and cyber security with our role being to provide advice, guidance and specialist expertise to support organisations to make good decisions around data security and to help them to keep patient information safe.”

A spokesperson for the ICO said: “The ICO are in contact with the German Federal Commissioner for Data Protection and Freedom of Information (BfDI), as the relevant data protection authority in Germany, about this matter.

“The ICO will continue to liaise with the data protection authority and partner authorities to establish the details of the incident and to ensure the protection of UK citizens’ data.”
