The story behind how I was able to view, edit & delete classified personal information of lakhs of patients all over India
Some months ago, I read an interesting article on Techcrunch titled “A billion medical images are exposed online” about medical imaging storage servers that are not configured securely and are exposed online. This caught my attention, and I wanted to dig deeper, especially in the Indian context.
For you to understand the content better, I wrote this blog in a question-answer format.
Before going into the details, I will discuss some important concepts that are critical to this article.
What is DICOM?
DICOM stands for Digital Imaging and Communications in Medicine and is a very old file format which is used for storing and sharing medical images. A series of images are stored in a single DICOM file which makes sharing data with other medical professionals easier.
You require a DICOM viewer to view these files. There are various software packages on the market (some of them free to download and use) that do this. As an analogy, you can think of them as regular photos.
What is PACS?
PACS stands for Picture Archiving and Communication System. You can think of it as a storage server for the medical images. These support imaging modalities such as X-Ray, CT scan, MRIs etc.
As an analogy, you can think of PACS as a system with a hard disk inside which the photos are stored. Take a look at the image below. It should give you a good overview.
How Can You Access the Data?
There are 2 ways you can access the data inside PACS systems.
1. Connect directly to PACS servers:
As of February 11, 2020, there were 305 PACS servers available online in India, 193 of which could be connected to without any kind of password or restriction.
All you need to know to access this data is which IP address these servers are running on and connect using any software which can retrieve and view DICOM files.
Here is a list of the cities in India which have these insecurely configured servers. In 4 months, some servers were taken down and some new ones came online as well. Mumbai ranks on top of this list.
I was able to access 1,51,646+ patient records using this method as of 4th June 2020; earlier, the number used to be much higher. Each record is made up of many images, so if you count the number of images, the count is very high.
The records are available from 2012 onwards. On 4th June alone, nearly 200+ studies were added in that single day.
Personal info such as Name, Age, Date of Birth, Patient ID, Referring physician, Performing physician, Institution name (hospital or imaging centre) etc. is available.
Once you connect through a DICOM viewer, this is the kind of data you will be presented with, along with the above-mentioned personal info. Just imagine lakhs of such X-rays, CT scans and MRIs, all of them on the internet, left unprotected with no password.
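To make concrete what sits in a DICOM header, here is an added example (not code from the original post) that parses a constructed explicit-VR little-endian element stream, pulls out the personal tags the post names, and applies the de-identification a hospital or imaging centre should perform before any data leaves its network. The tag numbers are the standard DICOM ones; the sample values are placeholders, not real patient data.

```python
import struct

# Standard DICOM tags carrying the personal information the post lists: (group, element) -> name.
PII_TAGS = {(0x0010, 0x0010): "PatientName", (0x0010, 0x0020): "PatientID",
            (0x0010, 0x0030): "PatientBirthDate", (0x0010, 0x1010): "PatientAge",
            (0x0008, 0x0080): "InstitutionName",
            (0x0008, 0x0090): "ReferringPhysicianName",
            (0x0008, 0x1050): "PerformingPhysicianName"}
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UN", b"UT"}  # VRs encoded with 2-byte pad + 4-byte length

def parse_elements(data):
    """Parse an explicit-VR little-endian element stream into (tag, vr, raw_value) tuples."""
    pos, out = 0, []
    while pos + 8 <= len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        if vr in LONG_VRS:
            length, pos = struct.unpack_from("<I", data, pos + 8)[0], pos + 12
        else:
            length, pos = struct.unpack_from("<H", data, pos + 6)[0], pos + 8
        out.append(((group, elem), vr, data[pos:pos + length]))
        pos += length
    return out

def pack_element(tag, vr, value):
    """Encode one element; DICOM values must have even length, so pad with a space."""
    if len(value) % 2:
        value += b" "
    header = struct.pack("<HH2s", tag[0], tag[1], vr)
    header += struct.pack("<HI", 0, len(value)) if vr in LONG_VRS else struct.pack("<H", len(value))
    return header + value

def extract_pii(data):
    """Return {tag name: text} for every personal tag present in the stream."""
    return {PII_TAGS[t]: v.decode("ascii").strip()
            for t, _, v in parse_elements(data) if t in PII_TAGS}

def redact(data):
    """Rebuild the stream with every personal value replaced, leaving clinical tags intact."""
    return b"".join(pack_element(t, vr, b"ANONYMIZED" if t in PII_TAGS else v)
                    for t, vr, v in parse_elements(data))

# Constructed sample header (placeholder values, not real patient data).
SAMPLE = b"".join(pack_element(t, vr, s.encode("ascii")) for t, vr, s in [
    ((0x0008, 0x0060), b"CS", "CT"),
    ((0x0008, 0x0080), b"LO", "EXAMPLE IMAGING CENTRE"),
    ((0x0008, 0x0090), b"PN", "REF^DOCTOR"),
    ((0x0010, 0x0010), b"PN", "DOE^JANE"),
    ((0x0010, 0x0020), b"LO", "PID-0001"),
    ((0x0010, 0x0030), b"DA", "19800101"),
    ((0x0010, 0x1010), b"AS", "040Y")])
```

Running `extract_pii(SAMPLE)` shows exactly the fields a viewer displays to anyone who can reach the server; `extract_pii(redact(SAMPLE))` shows what remains after de-identification, with the modality tag untouched.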
2. Accessing through web Interface:
The research already published by Greenbone doesn’t cover this in depth. I found approx. 20+ instances of web interfaces developed by various companies in India. This is at first look; there could be many more. Thankfully, they ask for a username/password to log in.
Seems secure, doesn’t it? Well, I went ahead and did what I do on every login screen that I come across: type admin:admin as the username and password combination. To my dismay, this is what happened.
I got access to all the patients’ healthcare records of various public/government hospitals, as you can see below.
1. Govt Head QTRS Hospital, Krishnagiri
2. Your Center, A unit of Dr Kuttys
3. K.G.M Hospital Pvt Ltd
4. Star imaging and research centre
5. Soni Hospital
6. Medica Hospitals Pvt Ltd
7. Govt Hospital OOTY
What do These Screenshots Mean?
Thousands of patients’ medical records and their personally identifiable information are accessible on the internet by typing the username and password admin:admin. Take a minute to let that sink in. This is the state of cybersecurity of these government/private medical companies.
I only listed 7 websites here that gave me admin access to view/edit/delete all their patients’ data. But if you look hard you will definitely find more of these online.
Also, all this data is hosted on HTTP servers and not on HTTPS servers, which means there is no encryption between the server and the client, and any malicious third party can intercept and tamper with the data.
What About Security Vulnerabilities in the Software?
I didn’t even try to find security vulnerabilities in the web applications. That would have been a whole different story.
I was also able to get access to medical receipts and some other medical documents which, in some cases, contain the patients’ phone numbers and other personal details as well.
This just blew my mind and made me realise how unprepared India is to protect patients’ healthcare information. News about insecure PACS servers is not new. In February, some news outlets reported on the insecure PACS servers, and there was no change: the majority of the servers are still online.
- German firm finds one million files of Indian patients leaked (economictimes.indiatimes.com): ET has reviewed a screenshot containing a list of patient names (but blurred to protect privacy) and corresponding…
- Maharashtra tops list of States hit by global medical data leak (www.thehindu.com): Medical details of over 120 million Indian patients have been leaked and made freely available on the Internet…
How can it be misused?
This data could be exploited by attackers for various purposes. These include publishing individual names and images to the detriment of a person’s reputation, and connecting the data with other Darknet sources to make phishing attacks and social engineering even more effective.
In image-driven fields like politics or entertainment, knowledge about certain ailments faced by people from these fields could deal a huge blow to their image.
Are there any laws to protect my data?
You are probably thinking that this shouldn’t happen, right? Getting access to your healthcare data shouldn’t be this simple. Where is doctor-patient confidentiality?
Personally identifiable medical information is considered sensitive personal data or information (“SPDI”) under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) and processing of such SPDI can only be done in compliance with the same.
Hospitals and medical clinics will, therefore, be liable under Section 43A of the Information Technology Act, 2000 (the parent provision under which the SPDI Rules have been issued). Accordingly, they will be liable to pay compensation for failure to protect data as they have been negligent in implementing and maintaining reasonable security practices and procedures as required by law.
Read more about it here: Link
Here is the link to the draft of the “Digital Information Security in Healthcare Act (DISHA)”, which was proposed in 2018 but hasn’t been passed in parliament yet. At times like these, when everything is going digital, healthcare included, it is high time for the government to pass such an act.
Some highlights of DISHA are:
- It is focused on healthcare data privacy, confidentiality, security and standardisation.
- It creates regulatory authorities, both at the central and state level, to enforce the rights and duties envisaged under the legislation.
- At the central level, the National Electronic Health Authority (NeHA) and State Electronic Health Authority (SeHA) will be responsible.
If the said act were already in place, I could have reported the above findings to them directly. Right now, I have no clue whom to report these issues to.