Sen. Warner Asks HHS for Answers on Unsecured Medical ImagesQuestions HIPAA Enforcement Agency in Wake of Millions of Patient Files Discovered Online
This article has been updated.
Senator Mark Warner, D-Va., is scrutinizing the Department of Health and Human Services' Office for Civil Rights' response to the recent discovery by German researchers of millions of patients' medical image files being exposed on the internet - including by a U.S. company.
In a Friday letter to OCR Director Roger Severino, Warner writes that he wants to determine how "an enormous oversight" in the HIPAA-enforcement agency "has allowed medical companies to leave insecure ports open to the internet and accessed repeatedly by [researchers via a] German IP address."
Back in October, Warner also sent a letter to Andrei Soran, CEO of Maryland-based TridentUSA, after a joint investigation by news media site ProPublica and German broadcaster Bayerischer Rundfunk reported finding millions of patient medical imaging records exposed on the internet, including those of MobilexUSA, a TridentUSA-affiliated company (see Senator Demands Answers About Exposed Medical Imaging Data).
The media sites in September reported that researchers found 187 servers in the U.S. - including a MobilexUSA server - left "unprotected by passwords or basic security precautions." In total, the exposed records included medical images and health data - including X-rays, MRIs and CT scans - belonging to about 5 million Americans - plus "millions more around the world," the report said.
Of those, the names of more than 1 million patients were accessible on the unsecured MobilexUSA server "all by typing in a simple data query," ProPublica reported. "Their dates of birth, doctors and procedures were also included."
Warner's letter to TridentUSA demanded that the company answer several questions about its data security practices, including what audit and monitoring tools the company used to analyze data to remain HIPAA compliant.
In his new letter to OCR, Warner writes that TridentUSA told him in response "that that they successfully completed the HHS audits, confirming compliance with the HIPAA Security Rule, the last of which concluded in March 2019, while patient images were accessible online."
A spokeswoman from Warner's office tells Information Security Media Group, "TridentUSA has indicated that their audits were done by third-party experts and that they have always complied with HHS/OCR audits in the past."
TridentUSA/MobilexUSA in a statement to Information Security Media Group says it conducts internal security assessments and facilitates external security assessments.
The company says that it immediately mitigated the security vulnerabilities in its medical imaging system when it learned of the issues through the ProPublica report. "These vulnerabilities comprised five of 187 of the affected servers brought to light in the ProPublica report," the statement says.
TridentUSA/MobilexUSA also says it immediately began a comprehensive forensic investigation to determine whether any patient information was exposed. The forensic investigation has not uncovered any misuse or exploitation of patient data, the company says.
Inaction by Agency?
In his OCR letter, Warner also notes that U.S.-CERT, a unit of the Department of Homeland Security, was notified by German officials of what the researchers had found. U.S.-CERT - after communicating with German researchers involving in the discovery - stated that it would convey the information to HHS, he writes.
Warner writes that according to the researchers who made the discovery of the exposed files, there has been no further communication from U.S.-CERT or HHS with the researchers, "even though data privacy authorities from other countries like France and the U.K. contacted [the researchers] following the publication of ProPublica' s report."
Warner also writes: "While the information security lapses by the medical companies using the PACS [picture archiving and communications systems] are clear, it is unclear how your agency has addressed this issue. As of the writing of this letter, TridentUSA Health Services is not included [among the breaches] on your breach portal website, and I have seen no evidence that, once contacted by U.S.-CERT, you acted on that information in any meaningful way."
Senator Questions OCR
Warner asks that OCR by Nov. 18 answer his questions, including:
- Did HHS receive a notice from U.S.-CERT regarding the open PACS ports available with diagnostic imaging available on the internet without any restrictions?
- If so, what actions were taken to address the issue?
- What evidence does OCR require organizations to produce during a HIPAA Security Rule audit? Are organizations asked to turn over their audit logs? How does OCR review the logs?
- Does OCR have information security experts on staff or does it rely on external consultants as part of these audits?
- What are the follow-up procedures if an organization's log files reveal access to sensitive data from outside the U.S., such as in this case?
- Does OCR require organizations to implement access controls? Does OCR require fulldisk encryption and authentication for PACS? Are the DICOM protocol implementations included in the audits?
In his letter to OCR, Warner notes that on Oct. 15, German researchers also demonstrated to his office "a number of U.S.-based PACS have open ports, supporting unencrypted communications protocols, exposing images to the internet like chest X rays and mammograms, and identifying details like names and Social Security numbers. Those images and medical records continue to be accessible."
Those exposures "indicate egregious privacy violations and represent a serious national security issue," Warner writes. "The files may be altered, extracted, or used to spread malware across an organization."
Warner adds that earlier this year, "other researchers demonstrated that a design flaw in the DICOM protocol could easily allow an adversary to insert malicious code into an image file like a CT scan, without being detected (see Researchers: Malware Can Be Hidden in Medical Images).
OCR did not immediately respond to ISMG request for comment on Warner's scrutiny.
Issues involving protected health information being exposed in medical image files fall under the regulatory umbrella of OCR, compliance and legal experts confirm.
"Medical images identifying a patient are PHI. Unsecured access to this PHI on the internet is a HIPAA breach because it is a disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule," says independent HIPAA attorney Paul Hales.
OCR is the correct office within HHS to investigate the facts of a disclosure of PHI and proceed with enforcement if it finds violations, Hales adds. "The wheels of an OCR investigation turn slowly - as they must to be thorough and fair. Accordingly, the fact that OCR has taken no immediate public action is neither surprising nor an indication that it is not performing its HIPAA enforcement duties."
Other government agencies also potentially have oversight in incidents involving medical image security, depending on the circumstances.
For instance, the Food and Drug Administration, also part of HHS, oversees security of medical imaging devices "and, depending on the facts, may also have jurisdiction," over the issues found by the researchers, Hales adds.
"Every HIPAA breach involves patient safety because, among other potential harm, it exposes each patient to medical identity theft, the fastest growing form of identity theft in the U.S."
The Federal Trade Commission also could become involved "if for-profit companies maintained medical information with information security practices that the FTC interprets are unfair or deceptive," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
Regarding Warner's question to OCR about the agency's oversight of the DICOM protocol and PACS security, "while OCR would not oversee the applications themselves, they would oversee any business associates who are responsible for whether the applications' security was properly configured," Greene adds.
Privacy attorney David Holtzman of the security consultancy CynergisTek notes that Congress has not passed any law that empowers OCR to oversee the creation or adoption of specific information security standards.
"OCR, through its enforcement of the HIPAA Security Rule, is empowered to enforce requirements that organizations take a risk-based approach to managing the application of effective safeguards to protect the confidentiality, integrity and availability of ePHI," he says.
"The healthcare industry has been very late to detecting and mitigating threats and vulnerabilities to medical devices and diagnostic imaging systems that connect to the internet. It has been widely known that PACS are riddled with vulnerabilities that will allow for unauthorized access to the information."