Why is Indian healthcare data not safe? Who can access it, and how?



Some months ago, news spread about medical imaging storage servers that are insecurely configured and exposed online. We checked this ourselves and found it to be true.

To follow the rest of this post, you need a few basic but important concepts. Those are:

Q. What is DICOM?

Ans. DICOM stands for Digital Imaging and Communications in Medicine and is a very old file format used for storing and sharing medical images. A series of images is stored in a single DICOM file, which makes sharing data with other medical professionals easier.
You need a DICOM viewer to view these files. There is various software on the market (some of it free to download and use) that does this. As an analogy, you can think of these files as regular photos.

Q. What is PACS?

Ans. PACS stands for Picture Archiving and Communication System. You can think of it as a storage server for medical images. These systems support imaging modalities such as X-ray, CT scan, MRI, etc.
As an analogy, you can think of PACS as a system with a hard disk on which the photos are stored. Take a look at the image below; it should give you a good overview.


Q. How can you access the data?

There are two ways to access the data inside PACS systems.

1. Connect directly to PACS servers:

There are 305 PACS servers reachable online in India, 193 of which can be connected to without any kind of password or restriction.
All that is needed to access this data is the IP address a server is running on and any software that can retrieve and view DICOM files.
Here is a list of the cities in India that have these insecurely configured servers. Over 4 months, some servers were taken down and some new ones came online as well.

Each record is made up of many images, so if you count images rather than records, the number is far higher.
The records go back to 2012. Personal information such as name, age, date of birth, patient ID, referring physician, performing physician, institution name (hospital or imaging centre), etc. is available.


Once you connect through a DICOM viewer, this is the kind of data you are presented with, along with the personal information mentioned above. Just imagine lakhs of such X-rays, CT scans and MRIs, all of them left on the internet unprotected, with no password.
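The personal fields listed above are ordinary data elements in the DICOM header, so an institution can audit and blank them before an image leaves a controlled system. The following is an added example, not code from the original post or from any PACS product: it parses a small constructed explicit-VR little-endian DICOM dataset, reports which identifying attributes are present, and produces a blanked copy. The tag numbers are the standard DICOM ones; the sample values are invented.

```python
import struct

PHI_TAGS = {  # standard DICOM tags that carry patient or physician identity
    (0x0008, 0x0080): "InstitutionName", (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0008, 0x1050): "PerformingPhysicianName", (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID", (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x1010): "PatientAge",
}
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # VRs that use the 4-byte length form

def elements(data):
    """Yield ((group, element), vr, value) from a flat explicit-VR little-endian dataset."""
    pos = 0
    while pos + 8 <= len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        if vr in LONG_VRS:  # 2 reserved bytes, then a 32-bit length
            length, pos = struct.unpack_from("<I", data, pos + 8)[0], pos + 12
        else:               # 16-bit length directly after the VR
            length, pos = struct.unpack_from("<H", data, pos + 6)[0], pos + 8
        yield (group, elem), vr, data[pos:pos + length]
        pos += length

def encode(group, elem, vr, value):
    """Serialise one element; DICOM pads values to an even length."""
    if len(value) % 2:
        value += b"\x00" if vr in LONG_VRS else b" "
    if vr in LONG_VRS:
        return struct.pack("<HH2sxxI", group, elem, vr, len(value)) + value
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value

def phi_report(data):
    """Map each identifying attribute present in the dataset to its text value."""
    return {PHI_TAGS[t]: v.decode("ascii").strip() for t, _, v in elements(data) if t in PHI_TAGS}

def deidentify(data):
    """Copy the dataset with identifying values blanked; the attributes themselves stay present."""
    return b"".join(encode(g, e, vr, b"" if (g, e) in PHI_TAGS else val)
                    for (g, e), vr, val in elements(data))

# Constructed sample dataset: the values are invented, not a real patient record.
SAMPLE = b"".join([
    encode(0x0008, 0x0080, b"LO", b"Example Imaging Centre"),
    encode(0x0008, 0x0090, b"PN", b"Doe^Jane"),
    encode(0x0010, 0x0010, b"PN", b"Patient^Test"),
    encode(0x0010, 0x0020, b"LO", b"PID-0001"),
    encode(0x0010, 0x0030, b"DA", b"19800101"),
    encode(0x0028, 0x0010, b"US", struct.pack("<H", 512)),  # Rows: not identifying, kept as-is
    encode(0x7FE0, 0x0010, b"OB", b"\x00" * 8),              # pixel data stub
])
```

Calling `phi_report(SAMPLE)` lists the five identifying attributes with their values, while `phi_report(deidentify(SAMPLE))` shows the same attributes with empty values and leaves the image elements untouched.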


2. Accessing through a web interface:

The research already published by Greenbone doesn't cover this in depth. I found approximately 20+ instances of web interfaces developed by various companies in India. This is at first look; there could be many more.
Seems secure, doesn't it? Well, I went ahead and did what I do on every login screen I come across: typed admin:admin as the username and password combination, and to my dismay, this is what happened.
I got access to all the patients' healthcare records of various public/government hospitals. A few of them are shown below.

KGM Hospitals

Medica Hospitals

Govt Hospital OOTY


Thousands of patients' medical records and their personally identifiable information are accessible on the internet by typing admin:admin as the username and password. This is the state of cybersecurity at these government and private medical organisations.

This data could be exploited by attackers for various purposes. These include publishing individuals' names and images to damage their reputation, and combining the data with other darknet sources to make phishing and social engineering even more effective.


