Following up on a 2019 investigative report prepared by ProPublica, and later confirmed by SC Media Report, which found that 275 million imaging studies from 2 million patients were being exposed through unsecured PACS, HHS issued an Alert on June 29th identifying the need to review the security measures for these systems in order to prevent these exploitations. The reports stated that 130 health systems were principally responsible for allowing these unauthorized disclosures. (See www.hhs.gov/sites/default/files/pacs-vulnerabilities.pdf.)
Among the various steps which HHS stated should be taken to secure these images were:
- Checking and validating that connections and access are limited to authorized users
- Configuring PACS in accordance with manufacturer specifications
- Encrypting imaging transmitted to and from hospitals and physicians
- Placing the images behind a firewall and a virtual private network before granting access
HHS also identified the devices which have "known vulnerabilities according to the Department of Homeland Security."
“Vulnerable PACS servers face unnecessary exposure when directly connected to the internet without applying basic security principles,” the alert reads. “The vulnerabilities associated with PACS systems range from known default passwords, hardcoded credentials and lack of authentication within third-party software.” “Successful exploitation of these vulnerabilities can expose patients’ medical data, including patient names, examination dates, images, physician names, dates of birth, procedure types, procedure locations and Social Security numbers,”