Blog Post
from Perspectives on Public Purpose

Your Insides Are Online: Government Capacity and Technology

On a fall afternoon in 2019 I stood at a desk in the U.S. Senate and watched on my computer screen, appalled, as a researcher in Germany demonstrated how he could view medical images (X-rays, MRIs, mammograms) as they were uploaded onto the internet in real time. According to the researcher, Dirk Schrader, over 114 million images belonging to roughly 5 million Americans in 22 states were exposed on the internet.

My concern at that moment was not solely that I was looking at the images of the insides of other people without their knowledge or consent, or that other personally identifiable information was clearly visible alongside the scans. My primary concern was also not one of my usual ones: that state actors or criminal networks could breach the system or steal the data for training artificial intelligence (AI) systems or to harm the network. I wasn’t thinking about how nefarious actors could handily exploit a long-standing flaw in the Digital Imaging and Communications in Medicine (DICOM) protocol by inserting a malicious polyglot file into the preamble of the file and then re-uploading the file into the picture and archiving communications system (PACS), where the malicious code could spread laterally across an organization. At that moment what was most troubling was how long the U.S. government knew the images of sick Americans were exposed and had not acted to have them removed.

In late August 2019, the German researchers conducted a two-week inquiry into the PACS system vulnerabilities in their country, and on September 9th they submitted their findings to the German Federal Office for Information Security (BSI). Eight days later, by September 17th, the affected systems and the corresponding images located on servers in Germany had been removed from the internet. In contrast to the German example, the researchers had submitted information about the vulnerable scans in the United States to US-CERT, which acknowledged receipt on September 20th, 2019, and responded that the information would be transmitted to the United States Department of Health and Human Services (HHS). Yet throughout October and into November the images remained online. By January 2020, some of the scans in the US had been removed, but others remained. Unfortunately, according to Schrader, throughout the pandemic the problem has not improved, and now the scans available online include the medical images of children and seniors. Additionally, he says, vulnerable PACS in the United States have increased by 28 percent in the last 24 months.

Vulnerable PACS and a flawed DICOM protocol are two elements of a host of issues that include a lack of federal regulation for uniquely identifiable and irreplaceable biometric or personal data, a lack of capacity for executive enforcement and oversight, and a Congress that needs more support to conduct oversight. Insufficient impact assessments (the FDA spent three years approving the DICOM protocol as a cloud-based diagnostics tool but failed to consider its security issues), coordination, and communication are also consistent problems: HHS was put on notice about the PACS in November 2019, and 133 PACS with 4.2 million scans remain online today. Although the U.S. Department of Veterans Affairs addressed the issue on servers at its hospitals when pressed by Congress, had a U.S. Senator not flagged the issue, the images of servicemembers might still be online.

Since the 104th Congress in 1970, Congress has introduced over 200 bills that mention the term “biometric data,” of which 10 have become law. None are a federal regulatory standard for the use of such sensitive data. Of those ten bills, biometric data is mentioned in three National Defense Authorization Acts (NDAA), in three bills related to economics and finance, and once each in bills related to crime and law enforcement, emergency management, immigration, and transportation and public works. Most are appropriations bills. None of the current federal laws cover biometric data specifically for healthcare, and the United States does not have a uniform federal biometric data privacy or security bill, although several have been introduced, including the National Biometric Information Privacy Act of 2020 proposal by Senators Merkley (D-Oregon) and Sanders (D-Vermont) in 2020.  

More significant changes have been made at the state level, beginning in 2008 when Illinois became the first state to pass a biometric privacy law, the Biometric Information Privacy Act (BIPA). The legislation does not apply to government entities, however. Four states (California, Texas, Arkansas and Washington) have adopted legislation similar to BIPA, and in 2021, twenty-seven other states had pending legislation related to biometric data. Although the National Institutes of Science and Technology (NIST) has developed biometric standards for sixty years, there are still no federal regulations that protect consumers’ biometric data as it is collected, even as a patchwork of companies produce apps that collect sensitive data for vaccine identification methods or build tools for other purposes, like identifying and boarding passengers.

The issue is not unique to domestic U.S. data governance. Biometric and other data are used to identify individuals for national security, immigration and refugee purposes. Access to, and security of, that information become particularly challenging but essential in conflict zones or in a crisis. A recent tragic example of the failure to adequately protect the biometric data of some of the most vulnerable individuals is Afghanistan, where several biometric databases built by the United States and its international partners were left in the custody of the Taliban. These sources of identifying data are potential tools for reprisals against U.S. allies and partners still in the country and other vulnerable populations including the extremely impoverished, the LGBTQIA+ community, Hazaras, children, and women, especially educated women in previous positions of power.

To address issues related to U.S. government data and technology capacity, oversight, and enforcement, policymakers have attempted to expand executive branch capacity through the creation of new entities and funding mechanisms. Recently the U.S. Congress has proposed several new offices within Executive Branch agencies that would be tasked with addressing various gaps in the existing system. These range from an Office of Technology for Peace within an agency for Peacemaking proposed by Representative Lee, to a new Technology Partnership Office within the Department of State included initially in the Democracy Technology Partnership Act and later in the United States Innovation and Competition Act of 2021, to the establishment of an Office of Technologists within the Federal Trade Commission Technologist Act of 2021. This list does not include the new funding within the Department of Commerce and NTIA related to broadband technologies, or the proposals for funding already directed toward the Department of Energy’s new Office of Clean Energy Demonstrations, or the various proposals for how the executive branch should deal with emerging technologies like AI, including within the new National Artificial Intelligence Initiative Office, established in January 2021 within the White House Office of Science and Technology Policy.  

Speed and innovation remain two important challenges to regulatory interventions that address the public harms created by a wide swath of technologies and unprotected data. The U.S. government, and the offices entrusted with protecting data, should be organized in a way that reflects these modern challenges and that can respond with appropriate speed and flexibility. Currently, the United States does not have a single agency for technology, which makes up roughly 8 percent of US GDP, even though it does have one dedicated to Agriculture, which constitutes roughly 0.6 percent of US GDP.

The current organization of the executive branch agencies and offices that deal with data, privacy, and emerging technologies has a responsiveness problem, among other issues. To address it and other problems, the U.S. government could create a Department of Technology and Innovation (formal proposal forthcoming) or a similar entity that could subsume the many other offices (or at least provide liaisons for them) that are being established within other agencies. Centralizing responsibility for the efforts of the various offices and entities within the federal government that deal with data and technology may not be preferable to a federated system, but it is not clear that creating a number of new offices is better than the current state.  

Other approaches might include creating another Solarium Commission modeled after the Project Solarium and dedicated to assessing the threat technologies and their harms to society, the misuse of those technologies, and government inefficiencies and failures related to technology regulation. The U.S. government could create an advisory Technology Innovation Board, under the Federal Advisory Committee Act, like the Defense Innovation Board, to oversee emerging technologies and other technology issues. It could create a technology security council modeled after the National Security Council created in 1947, with a focus on privacy and securing data in a way that could support the efforts of various agencies tasked with data and information security. Whatever the preferred approach, the first branch can ensure better accountability of both the private sector and the U.S. government. At the very least, executive branch offices and agencies should adopt and expand the use of technology risk and impact models that prioritize the most vulnerable and those most likely to be harmed by government or private sector failures, as was not done in the case of the PACS security systems.

As of last month, more than two years after HHS was allegedly alerted to the problem of the scans, there are 1,000 connected PACS in the United States that, according to the researchers, continue to use unsecured ports. Over 30 of the systems were previously reported to authorities in the United States and have not been removed. Some of the data include the names of nursing homes with social security numbers next to the patient’s name, date of birth, and medical imagery. All the information is easily accessible on the internet, ripe for identity theft or other harms.
 
Many thanks to Dirk Schrader for his research and updates, and continued commitment to addressing this problem.  

Recommended citation

Bogan, Leisel. “Your Insides Are Online: Government Capacity and Technology.” April 5, 2022