HHS urges providers to secure PACS vulnerabilities exposing medical images

  • Seen here, Naval Medical Center San Diego’s Radiology Department. Radiology departments commonly leverage PACS to share medical images with other providers, but the tech holds inherent flaws that could enable the exposure of medical images. (Mass Communication Specialist Seaman Luke Cunningham/U.S. Navy)

    Health care entities should review system inventories to find Picture Archiving Communication Systems (PACS) and ensure all vulnerabilities are patched or protected from public access, according to a recent Department of Health and Human Services alert.

    HHS provided a non-exhaustive list of impacted PACS, which includes some of the most commonly used systems in health care, such as Optima 520, 540, 640, and 680 medical imaging systems; Discovery NM530c, NM750b, and XR656 systems; RevolutionXQ/i; Centricity PACS and DMS servers; eNTEGRA; CADstream; GEMNet; and a host of others.

    The advisory follows the recent SC Media report, which confirmed millions of medical images are being exposed through unsecured PACS. The U.S. is the largest culprit with 130 health systems actively exposing 8.5 million case studies.

    The compromised data represents more than 2 million patients from approximately 275 million images related to their exams. The research shows many of these health systems are continuing to upload new data in real time, which, in turn, is exposed through vulnerable PACS.

    PACS are a necessary tool in the health care space, widely used by hospitals, researchers, clinics, and even small-sized providers to share patient data and medical images. The systems obtain ultrasounds, CT scans, MRI data, and radiography, which are then stored in the Digital Imaging and Communications (DICOM) format.

    DICOM is the communication and management tool used to store and send medical imaging and related data between providers. However, the legacy standard is 30 years old, highly vulnerable, and open to exploitation.

    The massive exposures were first brought to light by ProPublica in September 2019. The report showed the ease with which an attacker could find and identify backdoors into these systems, enabling system exploits.

    The researcher behind these reports, Dirk Schrader, global vice president at New Net Technologies (NNT), explained that it’s likely that the health systems leveraging exposed PACS are also operating systems with other critical vulnerabilities.

    Further, the subsequent reports detailing ongoing PACS exposures consistently showed no lasting improvements for U.S. health providers and demonstrated an overlying critical health care issue. The severity of the issue is confirmed by the latest HHS advisory.

    “Vulnerable PACS servers face unnecessary exposure when directly connected to the internet without applying basic security principles,” the alert reads. “The vulnerabilities associated with PACS systems range from known default passwords, hardcoded credentials and lack of authentication within third-party software.”

    “Successful exploitation of these vulnerabilities can expose patients’ medical data, including patient names, examination dates, images, physician names, dates of birth, procedure types, procedure locations and Social Security numbers,” it continues.

    In addition, if an attacker exploits the DICOM protocol, they could manipulate medical diagnoses, falsify scans, install malware, tamper with research, and perform other nefarious activities.

    And once an attacker gains access to an entity’s network through PACS, they can then compromise any connected medical devices and proliferate undetected across the network through connected, unsecured systems.

    To ensure PACS are secure, entities must begin by checking and validating connections to verify that access is limited to only authorized users. Systems should also be configured in accordance with documentation provided by the manufacturer.

    Further, admins must also ensure the internet-connected traffic between the entity and providers or patients is encrypted through the use of HTTPS and placed behind a firewall. These entities should also require the use of a virtual private network (VPN) to access the system.

    HHS urges all covered entities to immediately review, update, and maintain the attack surface and overall security posture of all PACS systems, in accordance with industry standards.

    Schrader, who previously notified the impacted entities, recommends the use of network visibility tools to map devices and how they communicate. These tools can reveal existing security gaps that may be inadvertently enabling enterprise risks.

    PACS and other vulnerable systems, such as unsupported tech or devices in need of a patch, should be segmented from the main network to reduce the impact of a successful exploit. Audit and monitoring tools can also support risk reduction efforts.
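
    The checks recommended above, applied to a system inventory, as an added example that is not from the HHS alert or SC Media. The inventory columns, host names, segments and addresses are constructed for illustration; the DICOM port numbers are the IANA-registered ones.

```python
import csv
import io

# IANA-registered DICOM ports: 104 and 11112 carry cleartext DICOM, 2762 is DICOM over TLS.
DICOM_CLEARTEXT_PORTS = {104, 11112}

# Constructed sample inventory. Host names, segments and column names are
# hypothetical; addresses are from the RFC 5737 documentation ranges.
SAMPLE_INVENTORY = """\
host,address,segment,port,service,internet_facing,vpn_required,auth
pacs-archive-01,203.0.113.10,main,104,dicom,yes,no,none
pacs-viewer-01,203.0.113.11,imaging,80,http,yes,no,default
pacs-viewer-02,198.51.100.20,imaging,443,https,yes,yes,sso
pacs-archive-02,192.0.2.30,imaging,2762,dicom-tls,no,yes,certificate
"""


def audit_row(row):
    """Return the advisory recommendations this inventory row violates."""
    findings = []
    exposed = row["internet_facing"] == "yes"
    if exposed and row["vpn_required"] != "yes":
        findings.append("internet-facing without VPN")
    if exposed and int(row["port"]) in DICOM_CLEARTEXT_PORTS:
        findings.append("cleartext DICOM port reachable from internet")
    if exposed and row["service"] == "http":
        findings.append("web access not encrypted with HTTPS")
    if row["auth"] in {"none", "default"}:
        findings.append("no authentication or default credentials")
    if row["segment"] == "main":
        findings.append("not segmented from main network")
    return findings


def audit_inventory(text):
    """Map each host to its findings; hosts with no findings are omitted."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = audit_row(row)
        if findings:
            report.setdefault(row["host"], []).extend(findings)
    return report


if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```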

    “Any system connected to the internet, based on current standards or not, will be scanned for by attackers,” said Schrader. “And when there’s no matter of protection for these systems, it opens the playing field.”