
HHS warns that millions of diagnostic images, patient data are vulnerable on certain PACS

The U.S. Department of Health and Human Services (HHS) announced on June 29, 2021 that certain Picture Archiving and Communication Systems (PACS), which health care providers use to store and share patient data and medical images, contain potential security vulnerabilities. The Sector Alert from the HHS Office of Information Security's Health Sector Cybersecurity Coordination Center (HC3) says that 130 health systems are exposing about 8.5 million case studies and approximately 275 million patient exam images, covering more than 2 million patients.

According to the alert, PACS servers that receive digital images such as ultrasound, computed tomography (CT), magnetic resonance imaging (MRI), and radiography, and store them using the Digital Imaging and Communications in Medicine (DICOM) standard, are open to exploitation.

The Sector Alert attributes the vulnerabilities in certain PACS systems to default passwords, hardcoded credentials, and a lack of authentication in third-party software. Successful exploitation can expose patients' medical data, including patient names, examination dates, images, physician names, dates of birth, procedure types, procedure locations, and Social Security numbers. An attacker who can reach an exposed server over the DICOM protocol could install malicious code and use it to manipulate medical diagnoses, falsify scans, install malware, or sabotage research. The vulnerabilities could also allow an attacker to compromise connected clinical devices and spread malicious code laterally to other parts of the network undetected.

HHS has provided a list of potentially vulnerable devices, but states that the list is not all-inclusive. The Sector Alert recommends that the overall security posture of all PACS systems be reviewed, updated, and maintained according to basic cybersecurity hygiene guidelines.

HHS recommends that PACS systems be configured in accordance with the manufacturer's documentation. For Internet-connected systems, traffic between the PACS and physicians or patients should be encrypted by enabling HTTPS. In addition, PACS should be placed behind a firewall, with a virtual private network (VPN) required for access. Note that HTTPS covers only the web-based viewer or portal; the DICOM network service itself (conventionally TCP port 104 or 11112) is a separate channel that is unencrypted unless TLS is configured for it, which is why the firewall and VPN controls need to cover the server as a whole rather than just its web interface.
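Two of the points above invite a concrete check: what "lack of authentication" means at the DICOM level (the association request carries only a 16-byte calling AE title, which is a configuration label rather than a credential), and whether a PACS that is supposed to sit behind a firewall and VPN actually answers DICOM associations from wherever the probe is run. The following Python is an added example written for this page, not code from HHS, the Sector Alert, or Reed Smith. It encodes the A-ASSOCIATE-RQ, A-ASSOCIATE-AC and A-ASSOCIATE-RJ PDUs from DICOM PS3.8 directly with the standard library; the implementation class UID, the AE titles, and the two sample replies are constructed for the example and not taken from any real system. Run the network probe only against systems you are authorised to test.

```python
# Added example: minimal DICOM association probe (Verification SOP Class / C-ECHO handshake).
# Not HHS, Sector Alert, or Reed Smith code. Sample replies below are constructed, not captured.
import socket
import struct

APPLICATION_CONTEXT_UID = "1.2.840.10008.3.1.1.1"
VERIFICATION_SOP_CLASS_UID = "1.2.840.10008.1.1"   # C-ECHO
IMPLICIT_VR_LE_UID = "1.2.840.10008.1.2"
IMPL_CLASS_UID = "1.2.3.4.5.6.7"                    # hypothetical, for this example only

# A-ASSOCIATE-RJ (source, reason) codes, DICOM PS3.8 Table 9-21
RJ_REASON = {
    (1, 1): "no-reason-given", (1, 2): "application-context-name-not-supported",
    (1, 3): "calling-AE-title-not-recognized", (1, 7): "called-AE-title-not-recognized",
    (2, 1): "no-reason-given", (2, 2): "protocol-version-not-supported",
    (3, 1): "temporary-congestion", (3, 2): "local-limit-exceeded",
}


def _item(item_type: int, payload: bytes) -> bytes:
    """UL item/sub-item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae(title: str) -> bytes:
    """AE titles are 1..16 ASCII characters, space padded to 16 bytes."""
    raw = title.encode("ascii")
    if not 0 < len(raw) <= 16:
        raise ValueError("AE title must be 1..16 ASCII characters")
    return raw.ljust(16, b" ")


def build_associate_rq(called_ae: str, calling_ae: str, max_pdu: int = 16384) -> bytes:
    """A-ASSOCIATE-RQ (PDU type 0x01) proposing one presentation context for C-ECHO."""
    app_ctx = _item(0x10, APPLICATION_CONTEXT_UID.encode("ascii"))
    pres_ctx = _item(0x20, bytes([1, 0, 0, 0])                    # context ID 1 (must be odd)
                     + _item(0x30, VERIFICATION_SOP_CLASS_UID.encode("ascii"))
                     + _item(0x40, IMPLICIT_VR_LE_UID.encode("ascii")))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", max_pdu))
                      + _item(0x52, IMPL_CLASS_UID.encode("ascii")))
    body = (struct.pack(">HH", 1, 0) + _ae(called_ae) + _ae(calling_ae) + bytes(32)
            + app_ctx + pres_ctx + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def parse_associate_response(pdu: bytes) -> dict:
    """Classify the SCP's reply: A-ASSOCIATE-AC (0x02) or A-ASSOCIATE-RJ (0x03)."""
    if len(pdu) < 6:
        raise ValueError("PDU shorter than its 6-byte header")
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    body = pdu[6:6 + length]
    if len(body) != length:
        raise ValueError("truncated PDU")
    if pdu_type == 0x03:
        if length != 4:
            raise ValueError("malformed A-ASSOCIATE-RJ")
        _, result, source, reason = body          # result 1 = permanent, 2 = transient
        return {"accepted": False, "result": result, "source": source, "reason": reason,
                "reason_text": RJ_REASON.get((source, reason), "unknown")}
    if pdu_type != 0x02:
        raise ValueError(f"unexpected PDU type 0x{pdu_type:02x}")
    contexts, max_pdu = {}, None
    offset = 2 + 2 + 16 + 16 + 32             # version, reserved, called, calling, reserved
    while offset + 4 <= len(body):
        item_type, _, item_len = struct.unpack(">BBH", body[offset:offset + 4])
        payload = body[offset + 4:offset + 4 + item_len]
        if len(payload) != item_len:
            raise ValueError("truncated item")
        if item_type == 0x21:                  # presentation context (AC): id, rsvd, result, rsvd
            contexts[payload[0]] = payload[2]  # result 0 = accepted, 1..4 = rejected
        elif item_type == 0x50:                # user information: find the max-length sub-item
            sub = 0
            while sub + 4 <= len(payload):
                st, _, sl = struct.unpack(">BBH", payload[sub:sub + 4])
                if st == 0x51 and sl == 4:
                    max_pdu = struct.unpack(">I", payload[sub + 4:sub + 8])[0]
                sub += 4 + sl
        offset += 4 + item_len
    return {"accepted": True, "contexts": contexts, "max_pdu": max_pdu}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-PDU")
        buf += chunk
    return buf


def probe(host: str, port: int = 104, called_ae: str = "ANY-SCP",
          calling_ae: str = "PROBE", timeout: float = 5.0) -> dict:
    """Send one A-ASSOCIATE-RQ, classify the reply, release if accepted. Authorised use only."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_associate_rq(called_ae, calling_ae))
        head = _recv_exact(s, 6)
        pdu = head + _recv_exact(s, struct.unpack(">I", head[2:6])[0])
        result = parse_associate_response(pdu)
        if result["accepted"]:
            s.sendall(struct.pack(">BBI", 0x05, 0, 4) + bytes(4))   # A-RELEASE-RQ
        return result


def constructed_sample_ac() -> bytes:
    """Constructed reply (not from a real PACS): SCP accepts context 1, 16 KiB max PDU."""
    items = (_item(0x10, APPLICATION_CONTEXT_UID.encode("ascii"))
             + _item(0x21, bytes([1, 0, 0, 0]) + _item(0x40, IMPLICIT_VR_LE_UID.encode("ascii")))
             + _item(0x50, _item(0x51, struct.pack(">I", 16384)) + _item(0x52, b"1.2.3.4")))
    body = struct.pack(">HH", 1, 0) + bytes(16) + bytes(16) + bytes(32) + items
    return struct.pack(">BBI", 0x02, 0, len(body)) + body


def constructed_sample_rj() -> bytes:
    """Constructed reply: permanent rejection (result 1), calling AE title not recognized."""
    return struct.pack(">BBI", 0x03, 0, 4) + bytes([0, 1, 1, 3])


if __name__ == "__main__":
    print(parse_associate_response(constructed_sample_ac()))
    print(parse_associate_response(constructed_sample_rj()))
```

Interpreting the result: an A-ASSOCIATE-AC in reply to an arbitrary calling AE title means the server will talk DICOM to anyone who can reach the port; an A-ASSOCIATE-RJ with source 1 and reason 3 means an AE-title allowlist is in force, which limits accidental exposure but is defeated by guessing or observing a valid title, since the title is sent in the clear and is not a secret. Either way, if the probe obtains a TCP connection at all from outside the VPN, the firewall recommendation is not being met.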

In September 2019, researchers identified thousands of vulnerable PACS servers in the US health sector. A second study conducted several months later found the problem to be growing, with additional systems identified as both vulnerable and accessible from the Internet.


health care & life sciences, diagnostic imaging, pacs, cybersecurity