par John R. Fischer
, Senior Reporter | July 12, 2021
Vulnerabilities in unsecured PACS have left more than 275 million medical images exposed, according to the Department of Health and Human Services.
The HHS’ Health Sector Cybersecurity Coordination Center (HC3) made the news public in an alert last Tuesday and said that nearly two million patients are at risk as a result of 130 healthcare organizations running vulnerable systems.
“Through exploitation of the DICOM protocol, installation of malicious code can be used to manipulate medical diagnosis, falsify scans, install malware, sabotage research,” according to the June 29 report. “Such threats could allow an attacker to compromise connected clinical devices and laterally spread malicious code to other parts of the network undetected.”
Among the affected images are ultrasound, CT, MR and radiography scans stored using the Digital Imaging and Communications in Medicine (DICOM) format, which can be exploited.
Researchers in September 2019 reported finding thousands of vulnerable PACS servers in the U.S. and worldwide healthcare sectors, with a second study months later showing additional systems that are both vulnerable and accessible through the internet. The systems are still deployed as of June 2021, with about 8.5 million case studies exposed. Exposed protected health information includes patient names, exam dates, images, physician names, dates of birth, procedure types and locations, and social security numbers.
Specific systems affected include but are not limited to Optima 520, Optima 540, Optima 640, Optima 680, Discovery NM530c, Discovery NM750b, Discovery XR656, and Discovery XR656 Plus.
Among HHS’ recommendations for addressing these issues is to validate internet connections, set mandatory passwords to access information and create firewalls.
“There continue to be several unpatched PACS servers visible, and the Health Sector Cybersecurity Coordination Center is recommending entities patch their systems immediately,” said HC3 in the news alert. “Healthcare organizations are advised to review their inventory to determine if they are running any PACS systems and if so, ensure the guidance in this alert is followed.”