{"id":7903,"date":"2017-06-09T07:10:05","date_gmt":"2017-06-09T15:10:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/06\/09\/news-1684\/"},"modified":"2017-06-09T07:10:05","modified_gmt":"2017-06-09T15:10:05","slug":"news-1684","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/06\/09\/news-1684\/","title":{"rendered":"Please stop posting your X-rays to social media"},"content":{"rendered":"

Credit to Author: William Tsing| Date: Fri, 09 Jun 2017 14:00:36 +0000<\/strong><\/p>\n

Social media is fun. Posting pictures and sharing them with friends is a great technology. But please, we beg you, stop posting your medical imaging results to Instagram, Twitter, and Facebook. Why? What if you get a gnarly fracture from a really awesome snowboarding stunt and you want to share your battle wounds? Let’s start small and see where an X-ray or MRI can take us.<\/p>\n

 <\/p>\n

Personally Identifiable Information<\/h3>\n

Click to view slideshow.<\/a> <\/p>\n

Depending on the facility, your X-ray or MRI might have your full name, date of birth, social security number, name, and the name\u00a0of the facility in question. This much information is good when your doctor needs to know with 100% certainty that you are you and are tied to your medical records. It’s bad when it’s on Twitter.<\/p>\n

 <\/p>\n

Doxxing<\/h3>\n

Click to view slideshow.<\/a> <\/p>\n

Disclosure of one piece of personal information feels inconsequential. But multiple, low-value pieces of information disclosed on multiple platforms can yield an analytic chain that can uncover more serious data. For an X-ray, your name, and the name of a hospital seem fairly trivial and non-threatening. But the hospital name provides your probable city of residence, which in conjunction with your name, often provide property, tax, and voting records. Public data brokers often organize their best guess matching name and phone number by the city.<\/p>\n

Meaning: a bad guy holding his target’s X-ray can have hard validation on the city of residence, which in turn allows him to validate anything else of yours he steals to exclude other people with the same name. It’s a neat trick, with the only real defense being to not post personal information online if its something you can’t change easily. (Your fingerprint, city of residence, name, etc.)<\/p>\n

Endangering your hospital\/doctor’s entire network<\/h3>\n

And sometimes the machines taking the pictures can be networked. (Yes, there is an absolute landslide of issues surrounding why and how an X-ray machine should be\u00a0connected to a network, but that is a series of blogs for another time.) Take a look at this X-ray:<\/p>\n

\"\"<\/p>\n

Public facing server redacted<\/p>\n<\/div>\n

This person has wisely cropped out their own name, but if you check out the bottom right corner, you’ll see the active user account in the program. Not extremely alarming, but further is “Server: [redacted].” Very, very alarming! Perhaps the server receiving the image is a local machine that’s aair-gapped from the Internet but needs to receive images from multiple machines in an office or hospital. (If you are a security professional reading this, we know that this is extremely unlikely.) So, taking the server name and plugging it into a public metadata search tool, we find:<\/p>\n