Radiology data remains insecure, especially in U.S.

Despite the increased awareness of digital security in recent years, a significant amount of radiology data is still not secure, according to a recent analysis published in the American Journal of Roentgenology.

Mark Stites, Harvard Medical School graduate division, and Oleg S. Pianykh, PhD, Harvard Medical School department of radiology, used a legal, radiology-compliant DICOM-probing tool to scan more than 3.7 billion IP addresses across the world. The goal was to initiate standard “DICOM handshakes” and then judge the security of each address by how it “replied.”

Overall, the duo’s scan discovered more than 2,700 unprotected radiology or DICOM servers, and 719 of those were completely open to communication with patient data. As Stites and Pianykh explained, this is a problem that must be addressed for the safety of patients throughout the world.

“In a complex universe of clinical information technology, where patients, physicians, and IT professionals speak completely different languages and have entirely different expectations, too many things can fall between the cracks or simply be ignored,” the authors wrote. “Medical devices and archives, left wide open at their default DICOM ports and settings, are by far the most common security problem. During our study, we stopped only one step away from actually downloading patient data from the remote facilities we have identified. We stopped because it was illegal, yet it was completely possible.”

Breaking the data down by country, the United States led the way with 346 open DICOM servers. Brazil (51), Turkey (49), Iran (34), and India (28) rounded out the top five. Stites and Pianykh noted it is especially concerning that countries such as the United States, where DICOM infrastructure is most prevalent, have failed to solve this problem.

“This leads us to a rather gloomy conclusion that, despite several decades of digital medicine, clinical security is still largely neglected, even in the countries where security should have been implemented years ago,” the authors wrote.

Looking for more information about the security? In October 2015, Scott Erven, associate director at the global consulting firm Protiviti, spoke with at length about this same topic. In March 2016, Stephen Cobb, CISSP, senior security researcher for ESET, spoke to about common security threats affecting radiologists, including ransomware.