The Patient-Doctor Privilege: A Not-So Secure Agreement

The Doctor (*ahem* Hacker) will see you now

Imagine going to a routine check-up and your doctor says, “Just gonna take a few x-rays and an MRI to update our records.”

No big deal. You trust them. Then, a few weeks later, you receive an email from your doctor's office saying “we’re currently dealing with a security breach where our patients' medical images have been exposed.” Pretty scary, right? Knowing your personal (and I mean *very* personal) images are roaming free on the internet? Unfortunately, this scenario has become an all too real a commonality, affecting millions on a daily basis. (Is this too much? Could probably cut back)

In 2021 alone, we’ve already reached over a billion exposed medical images, with more than 40 million patient records, containing said images, also compromised. According to HealthcareItNews, there have already been 10 massive data breaches within health conglomerates, on top of the thousands occurring within smaller businesses, this year, with millions (from children to the elderly) affected.

The main causes of these attacks included:

• Companies use cheap, third-party software to store confidential information.
• Allowing patients, clients, and any employee to access records and images through free, underdeveloped apps.
• Employees opening malware content (via email and/or social media scams) and leaving it unreported.
• Sharing images with other clinics and medical centers, that have also dealt with the same cyber intrusions.
• Scammers easily access the vulnerabilities within each company’s server foundation.

Now, while the first two can be handled by updating to proper software and sending out a memo saying “seriously, you clicked on that?” The last two causes are easily the most concerning. 

Shouldn’t doctors and their employees be a little more worried? It’s not as high on the priority list as you’d think.

Scamming, Intruding and the Doctors Who Aren’t Too Worried (Yikes)

In a 2020 study conducted by TechCrunch, hundreds of hospitals, doctors' offices, and health organizations continued to run insecure storage and sharing systems, even though they were fully aware of the warnings and violations these broken systems implemented. 

While an industry standard known as “Digital Imaging and Communications in Medicine” (DICOM) was (and still is) widely used within medical fields to provide storing and archiving medical images easier, many doctors would neglect to safely store their medical images by not applying safe security practices (like, say, including a password) and connecting their information directly to the internet.

Because of this constant mishandling, over 24 million patient exams that stored over 720 million images were exposed and within two months, the number increased to 35 million patient exams with over 1.8 billion exposed images.

Unfortunately, these organizations consider this to be a small wound that can be easily handled with a band-aid (A.K.A. using free and/or inexpensive data protection services), without realizing this is causing the wound to fester, due to improper treatment. (I knew I could squeeze in some medical lingo!)

This leads to:

• Lawsuits and penalties, due to neglect of HIPAA law, lead to thousands (if not more) of dollars in money owed.
• A lack of trust between patient and doctor.
• A tarnished reputation within the medical community, due to lack of action.

Setting a Plan of Action

Many within the medical field have admitted they use the excuse of “I don’t have time” or “I can hire someone else for that,” but cyber security is never as simple as just handing off the keys to someone else. Mistakes and neglect can still occur.

In a follow-up of TechCrunch’s 2020 article, SCMedia reported that hundreds of medical practices, (beginning in early 2021) upon reading the study, immediately dove into providing a stronger, more secure server. All it took was providing some simple, yet extremely effective practices:

• Actually setting password for everything used (crazy that I had to write that)
• Enabling “HTTPS”
• Requiring that patients and healthcare professionals verify their network is secure before accessing any records/images
• Companies providing private networks, which in turn, will provide a stronger encryption

With Cyber Security, We Wear the White Coats

In the growing field of Telehealth, the understanding of Cyber Security is even more crucial than ever before. Having medical images spread across the internet is not only unethical but a breach of privacy (and frankly, pretty gross). Being flippant about the interpretation of cyber threats, especially to your colleagues and vendors is, frankly, no longer an option.

At CyberManiacs, we don’t care if you wear scrubs or business suits; we want you and your team to be more knowledgeable than before. We understand that every profession has its own language, so we’re dedicated to providing programs that make sure you can add “Cyber” to your linguistic tongue.

Developing a culture of security awareness, no matter what field, can offer a strong deterrent for your organization, because let’s face it, we’re already dealing with selfies, so let’s not have your CT Scan available for all.