Mumbai, Feb 7
Nearly one million medical files and 107 million related medical images of Indian patients, including X-rays and scans, are freely accessible on the internet, according to the report “Information Security Report, Unprotected patient data in the Internet – a review 60 days later” released by Greenbone Networks, a German security firm working in vulnerability management.
The records and images include details such as patient name, date of birth and ID, name of the medical institution, ailment, physician names and other sensitive details. Greenbone Networks has claimed that 114 crore medical reports have been leaked globally.
According to Greenbone, the servers storing these records are vulnerable because of the system used by many healthcare providers. Overall, the company found 1.19 billion images in its review this year, a 60% increase compared to last year.
The Indian states whose medical files were impacted are: Maharashtra, Karnataka, West Bengal, Telangana, Gujarat, Punjab, Delhi, Andhra Pradesh, Haryana, Uttar Pradesh, Madhya Pradesh and Chandigarh.
Mumbai’s high-end Breach Candy Hospital and “Utkarsh Scan Centre” (Dombivali, Thane district) are among the providers impacted. The leak is a result of bad password practices at these hospitals and medical service providers. The servers on which these records are stored have been left vulnerable, says Greenbone’s report.
Medical practitioners use a file format known as Digital Imaging and Communications in Medicine (DICOM) to store and share medical images. These DICOM images are typically stored in a picture archiving and communications system (PACS) server, which allows for easy access and storage. In this case, however, the security protocol for securing these servers was not followed, and the images were directly available on the internet without a screening process or a password.
Reacting to Greenbone’s report, a spokesperson for the Breach Candy Hospital said that the data accessed by Greenbone was not from the hospital’s “secured servers” since the patient data is secured with “SSL certification.” The server can only be accessed by qualified physicians with usernames and passwords. The data accessed by the security firm may have been from links forwarded by “patients sharing their medical data” with other people. The hospital follows a system where patients and the referring doctors are sent a link with the medical image and report data. The access to such links was earlier indefinite, but has now been restricted to 48 hours. “We are also going to put a disclaimer now that it is intended only for the particular patient and his referring doctor and not for anybody else”.
“Utkarsh Scan Centre” couldn’t be reached.
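One way a server can enforce the 48-hour limit on shared links described above is to sign each link with an expiry and check it on every request. This is an added example, not code from the hospital, Greenbone or the original article; the key, the token layout and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

LINK_TTL_SECONDS = 48 * 3600  # the 48-hour window mentioned in the article
# Constructed demo key (assumption); a real deployment loads it from a secrets store.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _sign(payload: str) -> bytes:
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")


def issue_token(study_id: str, recipient: str, now: Optional[float] = None) -> str:
    """Return 'study|recipient|expiry|signature' for one study and one recipient."""
    if "|" in study_id or "|" in recipient:
        raise ValueError("field separator not allowed inside a field")
    issued = time.time() if now is None else now
    payload = f"{study_id}|{recipient}|{int(issued) + LINK_TTL_SECONDS}"
    return f"{payload}|{_sign(payload).decode()}"


def verify_token(token: str, study_id: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'malformed', 'bad-signature', 'wrong-study' or 'expired'."""
    parts = token.split("|")
    if len(parts) != 4:
        return "malformed"
    tok_study, recipient, expiry, sig = parts
    payload = f"{tok_study}|{recipient}|{expiry}"
    # Verify the signature (constant-time) before trusting any field in the token.
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return "bad-signature"
    # A valid token for one study must not open another study.
    if tok_study != study_id:
        return "wrong-study"
    current = time.time() if now is None else now
    if current > int(expiry):
        return "expired"
    return "ok"
```

Because the expiry is inside the signed payload, a forwarded link stops working after 48 hours and cannot be extended by editing the URL.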
Greenbone’s study came across 97 vulnerable systems in India and noted that the systems located in India allow full access to related images. The particulars of Greenbone’s report are:
Maharashtra: studies conducted: 308.451; images studied: 68.789.685; images accessible: 68.789.685; studies with image access: 308.451; systems examined: 46.
Karnataka: studies conducted: 182.865; images studied: 13.731.001; images accessible: 13.731.001; studies with image access: 182.865; systems examined: 07.
West Bengal: studies conducted: 172.885; images studied: 3.441.255; images accessible: 3.441.255; studies with image access: 172.885; systems examined: 02.
Telangana: studies conducted: 126.160; images studied: 5.997.360; images accessible: 110.160; studies with image access: 7344; systems examined: 03.
Gujarat: studies conducted: 111.408; images studied: 13.997.757; images accessible: 13.997.757; studies with image access: 111.408; systems examined: 19.
Punjab: studies conducted: 45.973; images studied: 7.156.545; images accessible: 7.156.545; studies with image access: 45.973; systems examined: 06.
Delhi: studies conducted: 40.709; images studied: 2.105.605; images accessible: 2.105.605; studies with image access: 40.709; systems examined: 04.
Andhra Pradesh: studies conducted: 17.302; images studied: 446.870; images accessible: 446.870; studies with image access: 17.302; systems examined: 02.
Haryana: studies conducted: 10.713; images studied: 1.548.165; images accessible: 1.548.165; studies with image access: 10.713; systems examined: 02.
Uttar Pradesh: studies conducted: 6.013; images studied: 1.749.150; images accessible: 1.749.150; studies with image access: 6.013; systems examined: 04.
Madhya Pradesh: studies conducted: 4.329; images studied: 432.900; images accessible: ; studies with image access: ; systems examined: 01.
Chandigarh: studies conducted: 1.121; images studied: 672.600; images accessible: 672.600; studies with image access: 1.121; systems examined: 01.
As India moves towards data protection with the “Personal Data Protection Bill”, insecure healthcare institutions are expected to be held liable for using unsecured servers and weak password practices, since the PDP bill is likely to govern all healthcare data.
Besides, the government’s National Digital Health Blueprint report has proposed the creation of district-level electronic databases of citizens’ health data and registries for all diseases of public importance, and has proposed a National Health Information Architecture to roll out and link systems across public and private health providers at state and national level.