Nearly one million medical files and 107 million related medical images of Indian patients, including X-rays and scans, are freely accessible on the internet, an investigation by German security firm Greenbone Networks has found.
The records and images include details such as patient name, date of birth and ID, name of the medical institution, ailment, physician names and other sensitive details.
ET has reviewed a screenshot containing a list of patient names (but blurred to protect privacy) and corresponding patient identification numbers, study descriptions and names of doctors who referred and reviewed the cases.
These including ones from Breach Candy Hospital and Utkarsh Scans in Mumbai.
ET also accessed a web portal link that allows access to, and downloads of, medical images of patients.
The servers on which these records are stored have been left vulnerable, Greenbone said.
Medical practitioners use a file format known as Digital Imaging and Communications in Medicine (DICOM) to store and share medical images. These DICOM images are typically stored in a picture archiving and communications system (PACS) server, which allows for easy access and storage.
In this case, however, the security protocol to be followed in securing these servers had not been followed and the images are directly available on the internet without a screening process or a password, according to Greenbone.
In response to a query, Dirk Schrader, chief marketing officer and security researcher of Greenbone Networks said, “The vulnerability is the complete lack of protection, a PACS system uses the DICOM protocol to communicate. For those systems in India (and found globally), there was no access control, encryption…in place. That allowed us to access the system… sometimes the understanding of the term ‘vulnerability’ is a kind of software flaw, which is not the case here. It’s a configuration issue.”
Responding to ET’s queries on the availability of medical records and the investigation by Greenbone, Breach Candy Hospital said that patient data is secured with “SSL certification.”
A spokesperson said that the data that was accessed by the security firm was not from the hospital’s “secured servers”.
The server can only be accessed by qualified physicians with usernames and passwords. The data accessed by the security firm may have been from links forwarded by “patients sharing their medical data” with other people, the spokesperson said.
The hospital follows a system where patients and the referring doctors are sent a link with the medical image and report data. The access to such links was earlier indefinite, but has now be restricted to 48-hours, the spokesperson said.
“We are also going to put a disclaimer now that it is intended only for the particular patients and his referring doctor and not for anybody else. We never thought this could be misused, so (this is) one of the learnings from this.”
ET contacted Utkarsh Scans multiple times but did not receive a response.
Queries to The Indian Computer Emergency Response Team (CERT-In), the country’s nodal cyber security agency, and German Federal Office for Information Security did not receive responses until press time on Monday.
Greenbone Networks said it had not reached out to Indian officials directly but had contacted the German Federal Office for Information Security in September to inform India through government channels.
The firm reported the vulnerability in servers across countries including India for the first time in September. It, however, said no Indian government officials had contacted it yet for further information.