It seems shocking that millions of Americans’ private medical records are free and easy to access online. What’s more terrifying is that it shouldn’t be shocking. Experts have been warning the people storing this data for years that their storage methods weren’t at all secure, but no action was taken on their part. Now, nearly anyone can look at your MRI with minimal effort.
Here’s How Your Information Leaked
Over 5 million medical patients in the United States (and millions more in other countries) have been put at risk by care providers that store and transmit medical imaging and reports. It’s not unusual for a medical practice to digitally store this information – they need to be able to keep an accurate record of their patients and also to be able to send relevant information to the patient’s other care providers. What’s unusual is that 187 of these medical storage servers aren’t even password protected.
Anyone who wanted to look at someone else’s medical information would only need to know what to type into their web browser. When they reached the website, nothing would stop them from accessing every single record on that server. This isn’t even a data breach – the data was never secured in the first place. It’s always been out there for anyone to peruse and use as they see fit.
What is HIPAA and How Does This Violate HIPAA?
HIPAA is an abbreviation for the Health Insurance Portability and Accountability Act, a measure passed by Congress in 1996. HIPAA is designed to do several things, but most importantly, it requires that all protected health information be handled confidentially. HIPAA is the reason why the hospital won’t tell you things on the phone, especially if a friend or loved one hasn’t listed you as a contact. You need to be there, in person, and have the person involved express consent for you to be informed of their medical status, unless you are their next of kin or an immediate family member.
It can easily be argued that storing medical imaging and patient information on unsecured servers that can be remotely accessed by anyone is not compliant with HIPAA. The problem is that there are nearly 200 of these servers, and there’s nothing in place to enforce compliance or to hold the individuals responsible accountable for the loss of confidentiality of medical data.
The Medical Industry’s Lackluster Attitude Surrounding Security
Many medical professionals view security as a “do it yourself” project, according to Massachusetts General Hospital’s director of analytics in radiology, Oleg Pianykh. Hospitals are best at medicine – they aren’t cybersecurity experts. While many hospitals have some kind of network leader or IT support specialist, they don’t have much of a plan in place to keep medical data safe.
Some hospitals outsource to private data storage firms that specialize in highly secure solutions. Other medical care providers attempt to do things themselves without a fundamental understanding of security. There is technically an official security standard in place, overseen by the Medical Imaging & Technology Alliance. This organization does not actually provide security solutions, making it harder for medical care providers to know where to begin. A lack of ready-to-go solutions makes it difficult for people who aren’t in the business of cybersecurity to understand and adopt the standards necessary for full patient privacy.
The Medical Imaging & Technology Alliance is slightly cryptic about what security means and how to securely transmit information. Their response (or lack of response) to the findings that most data wasn’t secure at all was troubling. They seemed to be happy to accept whatever was going on, no matter what it was.
Keep Yourself Safe
The way medical data is handled is absolutely unacceptable. Your medical data is of the utmost importance – it’s ten times more personal than your tweets or your Instagram story, and the medical industry is treating it with far less respect. This is unacceptable and against HIPAA regulations, yet no one of authority seems to be pushing for mandatory higher security standards. The American public should be outraged.
If you need to digitally exchange medical information with a care provider, we suggest that you use PrivateMail Files. PrivateMail Files’ cloud storage is HIPAA compliant and end-to-end encrypted. Only your doctor will be able to receive your X-rays, MRI, CAT scan, or other medical documents you choose to send. PrivateMail Files business plans offer 100GB of cloud storage that features AES-256 encryption and easy-to-use file sync apps for any operating system.