Your MRIs, X-rays, and CT Scans Could Be Easily Accessible Online


This is an area of tech that we may never have thought of. While it may seem like it’s not really exposing sensitive information, per se, it does seem like it would be an invasion of privacy, and in some cases it is exposing sensitive information.

For at least 5 million people, when they’re having medical tests done, the files are saved on a computer or network somewhere, and that includes X-rays, MRIs, and CT scans. They are not protected files, meaning anyone could get their hands on them.

Unprotected Files

No matter what you do now medically, it seems much of it is done through the Internet. It’s where all our records are. The doctor doesn’t carry a big folder with all your files into the room anymore. He or she is carrying in a laptop or tablet.

Because of that, that’s where your tests are stored as well: on those computers or tablets in doctors’ offices, in imaging centers, or with archiving services. Strictly speaking, the files don’t live on the device in the doctor’s hand; they live on the servers those locations use.

The bad part? Those are unprotected, at least for those aforementioned 5 million people in the United States. These are the results of an investigation by ProPublica and German public broadcaster Bayerischer Rundfunk.

187 servers were located in the U.S. that didn’t have passwords or other security protocols. This leaves them available via software or through a Web search.

But these images of your arm, chest, leg, brain, etc. sometimes include more than just medical information. Think of how they keep track of you in a hospital or pharmacy. They always want to know your birthdate. That’s how they track you, so of course that would be on your image files. In some cases they even include a patient’s social security number.


The reason these are left unprotected is that radiologist offices and other independent centers are failing to follow the security standards required of them by the 1996 Health Insurance Portability and Accountability Act (HIPAA), which requires medical data to be kept private and secure.

Dr. Oleg Pianykh, the director of medical analytics and an assistant professor of radiology at Massachusetts General Hospital, has spent years following this issue.

“Despite more than two decades of active development and implementation, our radiology data still remains insecure,” he wrote in a research paper in 2016.

Pianykh explains that IT administrators assume that devices have built-in protections, and many offices don’t meet the standard required for handling, storing, printing, and transmitting medical imaging.

With no built-in protection, it “was left to generic solutions and protocols, such as firewalls, virtual private networks, or identity access management,” he wrote.

DICOM Protocol

The Medical Imaging & Technology Alliance oversees Digital Imaging and Communications in Medicine (DICOM), the protocol offices should be following.

MITA’s view of the problem is that, while individual offices and centers are responsible for ensuring the standards are adequately applied, “Proper security, however, requires more than just technical measures. It requires the implementation of institutional plans and policies to address various aspects of security (for example: infrastructure, device configuration, procedures, policies, training, auditing, and oversight).”
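The investigation above found DICOM servers reachable by anyone, and MITA’s point is that technical controls need auditing and oversight around them. One small piece of that oversight is checking who actually connects to an imaging server. The script below is an added example, not code from the article, ProPublica, MITA, or any PACS vendor: it audits a constructed association log against a hypothetical allowlist of the center’s own network and configured AE titles and flags accepted connections that should not have happened. The log format, the subnet and the AE titles are all assumptions; real PACS products each log in their own format, so the regular expression would need to be adapted.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical allowlist for one imaging center: the subnet where its own
# modalities and reading workstations live, and the AE titles it has
# configured on the archive. Both are constructed values for this example.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
ALLOWED_AE_TITLES = {"CT_SCANNER_1", "MRI_SUITE_A", "RAD_WORKSTATION_3"}

# Constructed log format (real PACS vendors each use their own):
#   <timestamp> assoc <calling AE title>@<source IP> <DICOM service> <result>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) assoc (?P<ae>\S+)@(?P<ip>[0-9a-fA-F.:]+) "
    r"(?P<op>C-[A-Z]+) (?P<result>\w+)$"
)

# Constructed sample: two legitimate internal associations, three from one
# public address that was never configured, and one internal host using an
# AE title the archive does not know.
SAMPLE_LOG = """\
2019-09-17T08:01:12Z assoc CT_SCANNER_1@10.20.4.15 C-STORE accepted
2019-09-17T08:03:44Z assoc RAD_WORKSTATION_3@10.20.9.2 C-FIND accepted
2019-09-17T08:05:01Z assoc ECHOSCU@198.51.100.23 C-ECHO accepted
2019-09-17T08:05:02Z assoc FINDSCU@198.51.100.23 C-FIND accepted
2019-09-17T08:05:09Z assoc MOVESCU@198.51.100.23 C-MOVE accepted
2019-09-17T08:10:30Z assoc UNKNOWN_AE@10.20.4.99 C-STORE accepted
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    source_ip: str
    ae_title: str
    operation: str
    reason: str


def parse_line(line):
    """Return the fields of one log line, or None if it is not an association record."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def ip_allowed(ip):
    """True if the source address belongs to one of the center's own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def audit(log_text):
    """Flag accepted associations from outside the network or from unknown AE titles."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # Only accepted associations matter; a rejected one was stopped by the server.
        if rec["result"] != "accepted":
            continue
        if not ip_allowed(rec["ip"]):
            findings.append(Finding(rec["ts"], rec["ip"], rec["ae"], rec["op"],
                                    "source address outside the imaging network"))
        elif rec["ae"] not in ALLOWED_AE_TITLES:
            findings.append(Finding(rec["ts"], rec["ip"], rec["ae"], rec["op"],
                                    "unconfigured AE title from an internal host"))
    return findings


def summarise(findings):
    """Group flagged operations by source IP so one external host shows as one entry."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f.source_ip, []).append(f.operation)
    return by_ip


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.timestamp} {f.source_ip} {f.ae_title} {f.operation}: {f.reason}")
```

The external address in the sample shows the pattern that matters most: an echo to confirm the server answers, a query, then a retrieve, all accepted because the server required no credentials. A server that enforced an AE title and address allowlist would have rejected those associations outright, and the audit would then find nothing to report; the script exists for the servers the investigation describes, where nothing rejected them.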

Does it concern you that your medical imaging may be available for just anyone to see? Do you have concerns over your X-rays, MRIs, and CT scans? Add your thoughts to the comments section below.

3 comments

  1. “They are not protected files”
    If they are medical files and you are in the United States, those files are protected by the provisions of HIPAA (Health Insurance Portability and Accountability Act). If they are, as you say, freely available to anyone and everyone, then someone is breaking the law.

    1. You must have missed where I mentioned HIPAA in the article.

      1. I must have. :-)

        However, if the culprits are known, why aren’t they prosecuted according to the provisions of the law?

        When I was developing software for the Health Department, the procedure in regards to using their patient data for testing programs was “shred before reading”. We did not have to use burn bags but we did have to shred any output printed during a day’s work.
