Hospital closures and a billion exposed medical images

According to Bloomberg data, at least 30 hospitals in the US went bankrupt in 2019.  Aside from my opinion that this is probably not indicative of a healthy society, cybersecurity ranks among the several reasons behind the struggles.

Last year, around 40 breaches per month plagued the healthcare industry.  Amid all their other financial troubles—fewer patient visits (a drop of 5.5% over ten years), flaws within the insurance system, and political uncertainty—hospitals can often be hard pressed to find the budget for strong cybersecurity initiatives.

Unfortunately, those that don’t become even more susceptible to data breaches.  All the numbers are trending up year-over-year: number and frequency of breaches, cost per record (7.8% over four years), amount of data targeted.  The result has been some hospitals being unable to maintain their operations and closing their doors, like the Brookside ENT and Hearing Center in Michigan.  This has especially affected hospitals in rural areas, with 120 of them closing in the 2010s.

As long as the healthcare industry comes up short in the face of cyber opponents, we will continue to read headlines like this most recent one from TechCrunch, in which cybersecurity firm Greenbone Networks discovered almost one billion medical images that had been exposed online.  To break it down, Greenbone analyzed over 2,300 servers called Picture Archiving and Communication Systems (PACS), and found that 590 were accessible online, some with an unencrypted HTTP web viewer.  Within these PACS were the nearly one billion images (from X-ray scans to MRIs), connected with 24 million patient records across 52 countries.  Anybody who wanted to download these would have little issue.

This first came to light last September, but by November, the problem had worsened.  Greenbone then reported that the number of exposed servers was also increasing.  The total had since risen to 35 million patient records and 1.19 billion medical scans.  One of these was a major US military hospital that exposed the names and medical images of military personnel.  When Greenbone contacted 10 of the largest affected institutions, the ones with the greatest proportion of images, however, it received no response.  After follow-up from TechCrunch, only one, Northeast Radiology, apparently secured its servers.

This particular story is just another example of the risks of IoT in the healthcare industry.  Medical imaging devices are connected to share information about patients, which makes them as vulnerable as any other smart device.  It’s no wonder that people increasingly expect that their personal information will be breached these days.  Nor is it surprising when hospitals have to fight to stay open, all the while risking severe damage from a major security incident.  That may be the reality, but it doesn’t change the fact that the best defense remains robust and sophisticated protection of patient data.


By: Jonathan Weicher, posted on January 15, 2020
Copyright: NetLib Security