A TLP:White Alert has been issued by the HHS’ Health Sector Cybersecurity Coordination Center (HC3) regarding vulnerabilities identified in Picture Archiving Communication Systems (PACS) that hospitals and other healthcare providers and research institutions use for sharing medical images.
Vulnerabilities in PACS are exposing patients’ protected health information and since PACS servers are commonly exposed to the Internet, the vulnerabilities can easily be exploited by hackers to gain access to medical images and patient data. Attacks on vulnerable PACS servers also threaten other healthcare systems connected to those servers.
The main purpose of PACS was to assist with the transition from analog to digital storage of medical images. These systems include medical images from computed tomography (CT), radiography, magnetic resonance imaging (MRI), and ultrasound systems and store medical images digitally using the Digital Imaging and Communications in Medicine (DICOM) format.
DICOM has been in used for around 30 years and has recently been discovered to have easily exploitable vulnerabilities. These vulnerabilities were first identified in September 2019, when security researchers demonstrated how easy it is to gain access to medical images and acquire or alter protected health information. At the time, thousands of PACS around the world were found to be vulnerable, with a later study confirming the problem was even worse and many more PACS were exposing sensitive data.
ProPublica conducted a study and confirmed in June 2021 that millions of medical images have been exposed over the Internet via vulnerable PACS. That study confirmed 130 health systems had exposed 8.5 million case studies, which related to over 2 million patients. In total, more than 275 million medical images were identified that were easily accessible over the Internet. Those images contained ePHI such as patient names, images, examination dates, physician names, dates of birth, procedure types, procedure locations, and Social Security numbers.
In addition to accessing sensitive data, a hacker could also exploit vulnerabilities in the DICOM protocol to install malicious code, manipulate diagnoses, falsify scans, sabotage research, install malware, and conduct attacks on other parts of healthcare networks.
HC3 explained in the alert that several PACS servers are currently visible and vulnerable. Healthcare organizations have been told to review their inventories to determine if they are running any PACS servers and to implement mitigations to reduce the risk of the vulnerabilities being exploited.
The DHS’ Cybersecurity and Infrastructure Security Agency has published a security advisory about vulnerabilities in GE Healthcare PACS and has provided mitigations, although other PACS servers may also be vulnerable.
HIPAA and Vulnerability Management
The HIPAA Security Rule requires covered entities and business associates to perform an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” – See 45 C.F.R. § 164.308(a)(1)(ii)(A)) and also implement a risk management process “to reduce risks and vulnerabilities to a reasonable and appropriate level.” – See 45 C.F.R. § 164.308(a)(1)(ii)(B).
The failure to correct known vulnerabilities in operating systems, applications, and other software leaves those systems vulnerable to attack, which threatens the confidentiality, integrity, and availability to ePHI. When patches are released to fix known vulnerabilities, they should be applied promptly. Patching should be prioritized to deal with the most severe risks first.
If patches are not yet released, risk can be reduced by implementing workarounds and other mitigations. The failure to take any action to correct vulnerabilities places ePHI at risk, violates the HIPAA Security Rule, and can result in sanctions and financial penalties. There have been many cases where OCR has imposed financial penalties for the failure to conduct a risk analysis to identify risk and vulnerabilities to ePHI and for the failure to manage those risks and reduce them to a low and acceptable level.