SUMMARY
The medical images include X-rays and scans, while details such as patient history were also leaked
Mumbai's high-end Breach Candy Hospital and Utkarsh Scans were among the providers impacted
The leak is a result of bad password practices at these hospitals and medical service providers
As healthcare gets digitised in the Indian context and with millions of digital health records being produced every day, healthcare providers also have to look at cybersecurity seriously. In the latest data leak related to users in India, over a million medical records and 121 Mn medical images of Indian patients, including X-rays and scans, have been leaked online to be freely accessible by anyone. According to German cybersecurity company Greenbone Networks, the patient records and scans and images from India also include details such as the name of the patient, their date of birth, the national ID, name of the medical institution, their medical history, physician names and other details that are meant to be classified.
Among the leaked data are medical records belonging to Mumbai’s high-end Breach Candy Hospital as well as Utkarsh Scans, a relatively well-known medical imaging provider. Upon review, Inc42 found that the link where the data has uploaded also allows anyone to download medical images of patients.
As per Greenbone, the servers storing these records are vulnerable due to the system used by many healthcare providers. Overall, the company found 1.19 Bn images in its review in 2020, which is a 60% increase (up from 737 Mn) from what it saw last year.
According to the company, the security protocol to be followed in securing these servers had not been followed in this case. The images are directly available on the internet without any password protection, which is typically not the case with medical records. Totally, the research found 97 vulnerable systems in India. “It is a notable fact for the systems located in India, that almost 100% of the studies allow full access to related images.”
Greenbone security researcher Dirk Schrader reportedly told ET the vulnerability in India’s medical systems does not stem from any kind of software flaw or loophole, but rather is a result of bad security practices and a “configuration issue.”
The leak of the digital medical records brings to light how insecure Indian healthcare systems are. As India moves towards data protection with the Personal Data Protection bill, such healthcare institutions would be held liable for using unsecured servers and weak password practices. The PDP bill is also likely to govern all healthcare data as well.
The government’s National Digital Health Blueprint report has proposed the creation of district-level electronic databases of citizen’s health data and registries for all diseases of public importance and most importantly, proposed a National Health Information Architecture to roll-out and link systems across public and private health providers at state and national levels.
