
Sen. Warner Digs into DHA Over Exposed Army Medical Center Images

Millions of medical images are being exposed online through unsecured PACS; Sen. Warner is demanding action from DHA as sensitive health data is still being leaked through Army PACS.

Sen. Mark Warner, D-Virginia, is scrutinizing the Defense Health Agency’s cybersecurity practices, as the sensitive medical data of servicemembers continues to be exposed online through unsecured Army Picture Archiving and Communication System (PACS) servers.

In September, a ProPublica investigation revealed that millions of medical records and patient data were being exposed online through unsecured PACS. Specifically, TridentUSA and its affiliate MobileXUSA failed to secure 187 computers that store X-rays, MRIs, and other health data with a password or any other effective security control.

After the reports, Warner sent letters demanding answers to the vendor, and to the Department of Health and Human Services for what he called a failure to respond to the reports.

Germany’s Greenbone Networks has been assessing the security of these platforms, which are used by the majority of healthcare organizations. By November, the growing number of unsecured PACS had raised the count of exposed medical images to about 1.19 billion.

Following those reports, Warner said that 16 systems, 31 million images, and 1.5 million exam records were removed from online access. However, medical data of servicemembers is still exposed.

Specifically, Ft. Belvoir Medical Center, Ireland Army Health Clinic, and the Womack Army Medical Center have what Warner called “insecure data practices.” DHA is being urged to remove the sensitive data from online access.

“As a matter of national security, the sensitive medical information of our men and women of the armed services is particularly vulnerable and should be, at a minimum, protected by robust security controls and routine scans,” Warner wrote.

“This information was discovered by the German researchers at Greenbone Networks, who accessed the information using German IP addresses,” he added. “This itself should have triggered alarms by the hospital information security systems.”

Data shared between providers should be protected with encryption, proper hashing, segmentation, vulnerability management, and identity and access controls, Warner stressed. DHA should also be diligently monitoring, auditing, and logging access and activity.

Warner is asking DHA Assistant Secretary Thomas McCafferty to explain the steps taken to address the issue and when those systems were removed from the internet.

McCafferty must also outline the information security management practices used at military medical hospitals and whether network segmentation, micro-segmentation, multi-factor authentication, logging, monitoring, or access controls are required at those facilities.

If so, DHA must describe the measures used and whether its security teams audit and monitor logs. Warner also wants to know whether full-disk encryption and authentication are implemented on PACS, along with whether hospitals are required to have a chief information security officer.

“The exposure of this information is an outrageous violation of privacy and represents a grave national security vulnerability that could be exploited by state actors or others,” Warner wrote. “We owe an enormous debt to our armed forces, and at the very least, we ought to ensure that their private medical information is protected from being viewed by anyone without their express consent.”

“Given the gravity of this issue, I would appreciate a response within two weeks,” he added.

Warner is a leader of the Senate Cybersecurity Caucus and a champion of healthcare cybersecurity. The senator calls out federal agencies when reports of poor cybersecurity practices arise, and has worked with industry stakeholders to determine the best cybersecurity practices for the sector through collaboration and a proactive approach.

The senator has also led and co-sponsored a number of cybersecurity bills designed to shore up vulnerabilities in infrastructure.
