Share this article on:
The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a TLP:White Alert warning about vulnerabilities in the Picture Archiving Communication Systems (PACS) used by hospitals, clinics, small healthcare practices, and research institutions for sharing patient data and medical images.
The HC3 Sector Alert warns that PACS vulnerabilities are exposing sensitive patient data and placing systems at risk of compromise. Vulnerable Internet-exposed PACS servers can easily be identified and compromised by hackers, threatening not just the PACS servers but also any systems to which those servers connect.
PACS was initially developed to help with the transition from analog to digital storage of medical images. PACS servers receive medical images from medical imaging systems such as magnetic resonance imaging (MRI), computed tomography (CT), radiography, and ultrasound and store the images digitally using the Digital Imaging and Communications in Medicine (DICOM) format. DICOM is now three decades old and was discovered to have vulnerabilities that could easily be exploited.
The vulnerabilities were first described by security researchers in September 2019, who showed it is possible for the flaws to be exploited to gain access to medical images and patient data. Thousands of vulnerable PACS were identified worldwide, with a second study several months later uncovering even more PACS that were exposed to the Internet and vulnerable to attack.
In June 2021, a study by ProPublica revealed millions of medical images have been exposed via the Internet via vulnerable PACS. 130 health systems were found to have exposed around 8.5 million case studies involving more than 2 million patients, with more than 275 million medical images from their examinations placed at risk along with any associated protected health information. Exposed protected health information included patient names, examination dates, images, physician names, dates of birth, procedure types, procedure locations, and Social Security numbers.
Successful exploitation of the vulnerabilities could result in an attacker obtaining sensitive data, but it would also be possible to exploit vulnerabilities in the DICOM protocol to install malicious code, manipulate diagnoses, falsify scans, sabotage research, or install malware. Once access to PACS systems is gained, an attacker could move laterally and spread to other parts of the network undetected.
The main issue is PACS servers have been exposed to the Internet without applying basic security principles. These include:
- Checking and validating connections to ensure the systems can only be accessed by authorized individuals.
- Configuring the systems in accordance with manufacturer documentation.
- Restricting network access to vulnerable systems and ensuring, where possible, that they are not accessible over the Internet.
- Placing PACS systems behind firewalls, whenever possible.
- Ensuring a Virtual Private Network (VPN) must be used to access PACS systems remotely.
- Ensuring traffic between Internet connected systems and physicians/patients is encrypted by enabling HTTPS.
- Ensuring default passwords are changed to strong, unique passwords.
- Closing all unused ports on affected systems.
- Where possible, discontinuing or limiting the use of third-party software on affected systems to decrease the attack surface.
- Ensuring patches are applied promptly.
- Logging and monitoring all network traffic attempting to reach vulnerable systems.
HC3 says there are still several PACS servers that are currently visible and vulnerable. All healthcare organizations have been advised to review their inventory to determine if they are running any PACS servers and to take the steps outlined in the guidance to ensure those systems are secured.
The Department of Homeland Security has produced a list of GE Healthcare PACS that are known to have vulnerabilities that need to be addressed. The list is not all-inclusive so security measures should be assessed for all PACS servers, regardless of whether there are known vulnerabilities.