The U.S. Department of Health and Human Services (HHS) announced on June 29, 2021 that there are potential security vulnerabilities in certain Picture Archiving Communication Systems (PACS) used by health care providers for sharing and storing patient data and medical images. The Sector Alert from the HHS Office of Information Security: Health Sector Cybersecurity Coordination Center says there are 130 health systems exposing about 8.5 million case studies along with approximately 275 million patient exam images; this represents more than 2 million patients.
According to the alert, PACS servers that obtain digital images such as ultrasound, computed tomography (CT), magnetic resonance imaging (MRI), and radiography and store them using the Digital Imaging and Communications in Medicine (DICOM) standard are open to exploitation.
The Sector Alert describes the vulnerabilities associated with certain PACS systems as arising from default passwords, hardcoded credentials, and a lack of authentication within third-party software. Successful exploitation of these vulnerabilities can expose patients' medical data, including patient names, examination dates, images, physician names, dates of birth, procedure types, procedure locations, and Social Security numbers. By exploiting the DICOM protocol, an attacker could install malicious code and use it to manipulate medical diagnoses, falsify scans, install malware, sabotage research, and so on. The vulnerabilities also could allow an attacker to compromise connected clinical devices and spread malicious code laterally to other parts of the network undetected.
HHS has provided a listing of potentially vulnerable devices, but HHS states that the list is not all-inclusive. The cyber alert recommends that the overall security posture for all PACS systems should be reviewed, updated, and maintained according to basic cybersecurity hygiene guidelines.
HHS recommends that PACS systems be configured in accordance with the documentation supplied by their manufacturer. For Internet-connected systems, traffic between the PACS and physicians or patients should be encrypted by enabling HTTPS. Additionally, PACS should be placed behind a firewall, and a virtual private network (VPN) should be required to access them.