HHS Warns Health PACS: Patient Data Vulnerable to Cyber Exploitation 

Health PACS are vulnerable to hackers, according to a new alert from the Department of Health & Human Services (HHS).

Health PACS are vulnerable to hackers who could expose millions of patients' private health information, according to a new alert from the Department of Health & Human Services (HHS).

Picture Archiving and Communication Systems (PACS) are widely used in healthcare facilities and could be exploited, according to the HHS Health Sector Cybersecurity Coordination Center's (HC3) alert published on June 29.

Hospitals, clinics, research institutions and small healthcare practices use PACS to share patient data and medical images, including ultrasounds and other scans, the report states.  

“In 2019, researchers disclosed a vulnerability in these systems that demonstrated if the systems were exploited there could potentially be an issue with exposed patient data,” the report states. “These systems, which can be easily identified and compromised by hackers over the Internet, can provide unauthorized access and expose patient records.” 

“There continues to be several unpatched PACS servers visible and HC3 is recommending entities patch their systems immediately.”  

HC3 is recommending that healthcare organizations review their inventory, determine if PACS systems are running and “ensure the guidance in this alert is followed.”  

Through the transition from analog to digital storage for medical images, PACS servers “obtain images such as ultrasound, computed tomography (CT), magnetic resonance imaging (MRI) and radiography and stores them using the Digital Imaging and Communications in Medicine (DICOM) format. The use of the DICOM standard – which was developed three decades ago – is open to exploitation,” the alert states.  

“In September 2019, researchers identified thousands of vulnerable PACS servers within the US health sector. A second study conducted several months later found the problem to be increasing, with additional systems identified as both vulnerable and accessible via the Internet. As of June 2021, these vulnerable systems are still widely deployed and available for exploitation.” 

The report states that currently in the United States, there are “130 health systems exposing about 8.5 million case studies, representing over 2 million patients, with approximately 275 million images related to their exams. Vulnerable PACS servers face unnecessary exposure when directly connected to the Internet without applying basic security principles.” 

The alert advises healthcare institutions to check and validate their PACS connections, ensuring access is limited to authorized users.  

Facilities’ internet connected systems “should ensure traffic between them and physicians/patients is encrypted by enabling HTTPS. Furthermore, whenever possible they should be placed behind a firewall and a virtual private network (VPN) should be required to access them.” 

A cyber attack could exploit these vulnerabilities and “expose patients’ medical data, including patient names, examination dates, images, physician names, dates of birth, procedure types, procedure locations and social security numbers,” the alert advises.  
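To make concrete what a single exposed DICOM object carries, the following is an added example written for this article, not code from the HHS alert or any PACS vendor: a minimal parser for the DICOM Part 10 encoding that reports which of the patient attributes the alert names (patient name, examination date, physician name, date of birth) are present in an object. It assumes the object is encoded in Explicit VR Little Endian and omits the group 0002 file-meta header; the sample file and its identifiers are constructed.

```python
import struct

# VRs whose explicit-VR encoding carries 2 reserved bytes and a 32-bit length.
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"OD", b"OL", b"OV", b"SQ", b"UT", b"UC", b"UR", b"UN", b"SV", b"UV"}
# PHI attributes the HC3 alert names as exposed (name, exam date, physician, DOB) plus patient ID.
PHI_TAGS = {(0x0008, 0x0020): "StudyDate", (0x0008, 0x0090): "ReferringPhysicianName",
            (0x0010, 0x0010): "PatientName", (0x0010, 0x0020): "PatientID",
            (0x0010, 0x0030): "PatientBirthDate"}

def element(group, elem, vr, value):
    """Encode one Explicit VR Little Endian element; DICOM pads values to even length."""
    if len(value) % 2:
        value += b"\x00" if vr in (b"OB", b"UI") else b" "
    header = struct.pack("<HH", group, elem) + vr
    if vr in LONG_LENGTH_VRS:
        return header + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return header + struct.pack("<H", len(value)) + value

def parse_elements(data):
    """Yield (tag, vr, value) from a Part 10 stream (Explicit VR LE only, no file-meta group, no undefined lengths)."""
    if data[128:132] != b"DICM":
        raise ValueError("missing DICM magic: not a DICOM Part 10 file")
    pos = 132
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        long_form = vr in LONG_LENGTH_VRS
        (length,) = struct.unpack_from("<I" if long_form else "<H", data, pos + (8 if long_form else 6))
        pos += 12 if long_form else 8
        if length == 0xFFFFFFFF or pos + length > len(data):
            raise ValueError(f"element ({group:04X},{elem:04X}) has unusable length {length}")
        yield (group, elem), vr, data[pos:pos + length]
        pos += length

def phi_present(data):
    """Return {attribute name: decoded value} for every PHI attribute the object carries."""
    return {PHI_TAGS[tag]: value.decode("ascii").rstrip(" \x00")
            for tag, vr, value in parse_elements(data) if tag in PHI_TAGS}

# Constructed sample object (fake identifiers), ending in a 4-byte pixel-data stub.
SAMPLE_FILE = b"\x00" * 128 + b"DICM" + b"".join([
    element(0x0008, 0x0020, b"DA", b"20210629"),
    element(0x0008, 0x0090, b"PN", b"DOE^JANE"),
    element(0x0010, 0x0010, b"PN", b"SAMPLE^PATIENT"),
    element(0x0010, 0x0020, b"LO", b"000001"),
    element(0x0010, 0x0030, b"DA", b"19700101"),
    element(0x7FE0, 0x0010, b"OB", b"\x00\x01\x02\x03"),
])
```

Running `phi_present(SAMPLE_FILE)` on a de-identified export should return an empty dictionary; a non-empty result lists exactly the identifiers that would be readable from a reachable server.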

“Through exploitation of the DICOM protocol, installation of malicious code can be used to manipulate medical diagnosis, falsify scans, install malware, sabotage research, etc.,” the alert states. “Such threats could allow an attacker to compromise connected clinical devices and laterally spread malicious code to other parts of the network undetected.”  

The HHS alert goes on to recommend to healthcare institutions that each facility review their PACS systems and make any needed cybersecurity changes.  

A partial list of devices with known vulnerabilities is available from the Department of Homeland Security.
