A recent investigation by ProPublica, Greenbone Networks, and the German public broadcaster Bayerischer Rundfunk has revealed that many picture archiving and communication systems (PACS) lack even basic security controls to prevent unauthorized data access.
PACS are used by healthcare delivery organizations to store, view, process, and transmit medical images such as X-rays and MRI scans. These systems often link to electronic medical record systems and other hospital systems. They are also connected to the Internet to allow remote workers and third parties to access medical images.
While HIPAA demands that security controls be implemented to limit access to PACS and protect against cyberattacks and data tampering, many healthcare organizations have left their systems wide open and require no authentication whatsoever to access huge volumes of medical images.
The investigation uncovered 590 servers hosting PACS that could be accessed over the Internet without the need for authentication. Those servers contained 399.5 million viewable and downloadable medical images and associated protected health information.
Greenbone Networks scanned 2,300 Internet-connected PACS and used a RadiAnt DICOM viewer to view medical images on unsecured PACS servers, although in some cases the images could be viewed with a standard web browser with no need for any authentication.
The medical images, which included CT scans, X-rays, and MRI scans, were found to contain sensitive patient information such as names, dates of birth, scan dates, scope of the investigations, types of imaging procedure performed, institute names, attending physicians’ names, and the number of generated images, and in some cases, Social Security numbers.
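The identifiers listed above travel in the DICOM header of each image, so a defender's first check is to see what a stored object actually exposes before it sits on a network-facing archive. The following Python example is added here and is not code from the investigation or from any of the tools it used: it parses a small, constructed explicit VR little endian DICOM Part 10 file and reports which identifying attributes it carries. The tag numbers are standard DICOM; the sample file contents and names are constructed.

```python
import struct

# Tags (group, element) that carry the identifiers the investigation found; numbers are standard DICOM.
PHI_TAGS = {
    (0x0008, 0x0020): "StudyDate",
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0030): "PatientBirthDate",
}
# VRs whose explicit-VR encoding has 2 reserved bytes and a 4-byte length.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

def iter_elements(data: bytes):
    # Walk an explicit VR little endian Part 10 file: 128-byte preamble, "DICM", then flat elements.
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    pos = 132
    while pos + 8 <= len(data):
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        if vr in LONG_VRS:
            length, pos = struct.unpack_from("<I", data, pos + 8)[0], pos + 12
        else:
            length, pos = struct.unpack_from("<H", data, pos + 6)[0], pos + 8
        yield (group, elem), data[pos:pos + length]
        pos += length

def extract_phi(data: bytes) -> dict:
    # Map of attribute name -> decoded text for every PHI tag present in the file.
    return {PHI_TAGS[tag]: value.decode("ascii").rstrip(" \0")
            for tag, value in iter_elements(data) if tag in PHI_TAGS}

def _element(group: int, elem: int, vr: bytes, value: bytes) -> bytes:
    # Encode one short-length explicit VR LE element, padding values to even length.
    if len(value) % 2:
        value += b"\0" if vr == b"UI" else b" "
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value

# Constructed sample (not a real study): preamble, "DICM", the transfer syntax
# UID, then a dataset with the kinds of identifiers the article lists.
SAMPLE_DICOM = (
    b"\0" * 128 + b"DICM"
    + _element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1")
    + _element(0x0008, 0x0020, b"DA", b"20190801")
    + _element(0x0008, 0x0080, b"LO", b"Example Imaging Center")
    + _element(0x0008, 0x0090, b"PN", b"Doe^Jane^Dr")
    + _element(0x0010, 0x0010, b"PN", b"Doe^John")
    + _element(0x0010, 0x0030, b"DA", b"19700115")
)
```

Running `extract_phi` over files exported from an archive shows exactly which patient, physician and institution fields would be readable by anyone who can reach the server; a non-empty result on an object meant for an unauthenticated endpoint is the finding to act on.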
Unsecured PACS were found in 52 countries, with the United States having the highest concentration of unsecured servers (187). Those U.S. servers were found to house 303.1 million medical images in 13.7 million data sets relating to around 5 million U.S. patients.
Overall, more than 10,000 security vulnerabilities were identified, including some dating back several years. Twenty percent of the identified vulnerabilities were categorized as high-severity, and 500 were critical with a CVSS score of 10 out of 10.
The investigation did not uncover any evidence of unauthorized data access, but that does not mean that the records had not been viewed by unauthorized individuals. If cybercriminals were to obtain the images, the information contained therein could be used for identity theft, insurance fraud, medical identity theft, or to construct highly convincing spear phishing emails.
Since the study was conducted, several healthcare organizations have improved security and added authentication controls, but many PACS servers remain freely accessible to anyone with a basic understanding of computing. Gaining access to the images and PHI does not require any hacking skills.
Organizations that need help securing their PACS should download the new NCCoE/NIST guidance document on securing PACS, which is available on this link.