HHS warns health systems of PACS security vulnerabilities
The U.S. Department of Health and Human Services is warning hospitals and health systems that a security vulnerability in picture-archive communication systems, first discovered two years ago, is a problem that needs fixing now.
WHY IT MATTERS
In 2019, cyber researchers found a flaw in some PACS that, if exploited, could expose patient data or put networks at risk of malware, according to the alert from HHS' Health Sector Cybersecurity Coordination Center, or HC3.
"These systems, which can be easily identified and compromised by hackers over the Internet, can provide unauthorized access and expose patient records," officials warned. "There [continue] to be several unpatched PACS servers visible and HC3 is recommending entities patch their systems immediately. Healthcare organizations are advised to review their inventory to determine if they are running any PACS systems and if so, ensure the guidance in this alert is followed."
PACS servers, which store and exchange ultrasound, CT, MRI and other radiology files, rely on the Digital Imaging and Communications in Medicine, or DICOM, formatting standard.
But DICOM, developed 30 years ago, is very vulnerable to exploitation, say HC3 officials – noting that researchers "identified thousands of vulnerable PACS servers" in September 2019 and that another subsequent study "found the problem to be increasing, with additional systems identified as both vulnerable and accessible via the Internet."
Cybercriminals who decide to exploit those vulnerabilities could expose medical data such as "patient names, examination dates, images, physician names, dates of birth, procedure types, procedure locations and social security numbers," said HC3 officials.
A DICOM-based exploit could even allow for manipulation of medical diagnoses, scan falsifications, malware deployment or sabotage, they said – enabling bad actors to "compromise connected clinical devices and laterally spread malicious code to other parts of the network undetected."
As of this past month, far too many of these PACS are still left vulnerable to exploitation, HC3 warns – estimating some 130 health systems nationwide, with "8.5 million case studies, representing over 2 million patients [and] approximately 275 million images related to their exams" left open to exposure.
HC3 listed some potentially vulnerable PACS devices – which it said "is not all-inclusive" – as identified by the Department of Homeland Security:
- Optima 520, medical imaging systems, all versions.
- Optima 540, medical imaging systems, all versions.
- Optima 640, medical imaging systems, all versions.
- Optima 680, medical imaging systems, all versions.
- Discovery NM530c, nuclear medical imaging system, versions prior to version 1.003.
- Discovery NM750b, dedicated breast imaging system, versions prior to version 2.003.
- Discovery XR656 and Discovery XR656 Plus, digital radiographic imaging systems, all versions.
- Revolution XQ/i, medical imaging system, all versions.
- THUNIS-800+, stationary diagnostic radiographic and fluoroscopic X-ray system, all versions.
- Centricity PACS Server, used to support a medical imaging archiving and communication system, all versions.
- Centricity PACS RA1000, used for diagnostic image analysis, all versions.
- Centricity PACS-IW, an integrated web-based system for medical imaging, all versions including version 3.7.3.7 and version 3.7.3.8.
- Centricity DMS, data management software, all versions.
- Discovery VH/Millenium VG, nuclear medical imaging systems, all versions.
- eNTEGRA 2.0/2.5 Processing and Review Workstation, nuclear medicine workstation for displaying, archiving and communicating medical imaging, all versions.
- CADstream, medical imaging software, all versions.
- Optima MR360, medical imaging system, all versions.
- GEMNet License server (EchoServer), all versions.
- Image Vault 3.x, medical imaging software, all versions.
- Infinia/Infinia with Hawkeye 4 / 1, medical imaging systems, all versions.
- Millenium MG/Millenium NC/Millenium MyoSIGHT, nuclear medical imaging systems, all versions.
- Precision MP/i, medical imaging system, all versions.
- Xeleris 1.0 / 1.1 / 2.1 / 3.0 / 3.1, medical imaging workstations, all versions.
THE LARGER TREND
PACS can be hugely useful for image management, of course, leading to benefits for quality of care and, as Healthcare IT News case studies have shown, cost savings. But imaging systems need to be properly configured to work optimally, safely and securely for the health systems that deploy them.
Like other species of health IT, imaging technology is routinely found to be vulnerable to security risks – this isn't the first time federal agencies have warned about connected imaging devices in recent months – and needs to be regularly monitored and assessed to determine whether new threat mitigations are needed.
ON THE RECORD
"PACS security begins by checking and validating connections to ensure access is limited only to authorized users," said HC3 officials, noting that systems "should be configured in accordance with the documentation that accompanies them from their manufacturer. Internet connected systems should ensure traffic between them and physicians/patients is encrypted by enabling HTTPS.
"Furthermore, whenever possible they should be placed behind a firewall and a virtual private network should be required to access them," they added. "The vulnerabilities associated with PACS systems range from known default passwords, hardcoded credentials and lack of authentication within third party software."
Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.