On June 29, the Department of Health and Human Services Cybersecurity Program released a news article on vulnerabilities in PACS systems. PACS stands for Picture Archiving and Communication System. These systems are commonly used to store and share medical images such as radiographs, CT scans, and MRI images.
Most hospital imaging departments and large radiology practices run a PACS so that medical professionals can view the studies of patients they have sent for imaging tests. Smaller practices may also have a PACS installed. According to the article from HHS, “These systems, which can be easily identified and compromised by hackers over the Internet, can provide unauthorized access and expose patient records. There continues to be several unpatched PACS servers visible.”
This represents a huge cybersecurity risk. According to the report, 130 known health systems are exposing about 8.5 million case studies.
When you have a PACS installed at your office it is vital that proper security be set up around the computers hosting the PACS software. The manufacturer’s setup instructions must always be followed.
It is also important to keep your PACS up to date with all updates and security patches. We take the time to make sure our operating systems are updated regularly with security patches; we need to follow the same process for the software systems that store vital medical data.
When configuring a PACS, please ensure that the following security measures are in place whenever possible:
- The system sits behind your firewall and is not reachable directly from the internet.
- Remote access to the system requires a VPN.
- You have changed the default passwords for every account the system ships with, including service and administrative accounts.
- You monitor the log files for the PACS, in particular for failed login attempts.
- You have automatic lockout enabled for multiple failed login attempts.
- You subscribe to update notifications for your PACS and install all security patches.
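The two list items on log monitoring and automatic lockout go together: the log is where a brute-force attempt shows up, and lockout is what stops it. The script below is an added example, not code from the original article or from any PACS vendor. It assumes a simplified one-line-per-event log format (timestamp, event, user, source address) and a policy of five failures from one source within ten minutes; both are assumptions, and the sample log lines are constructed for the example. Real PACS log formats vary by vendor, so the regular expression must be adapted to yours.

```python
"""Flag brute-force login attempts in PACS-style authentication logs.

Assumed, simplified log format (one event per line):
    YYYY-MM-DD HH:MM:SS LOGIN_FAILED|LOGIN_OK user=<name> src=<address>
Real vendor logs differ; adjust LINE_RE to match your system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from any real system).
# 203.0.113.45 tries five accounts in ten seconds and then gets in;
# 10.0.0.17 is a user mistyping a password twice, over an hour apart.
SAMPLE_LOG = """\
2021-06-29 08:00:01 LOGIN_FAILED user=admin src=203.0.113.45
2021-06-29 08:00:03 LOGIN_FAILED user=admin src=203.0.113.45
2021-06-29 08:00:05 LOGIN_FAILED user=radiology src=203.0.113.45
2021-06-29 08:00:07 LOGIN_FAILED user=admin src=203.0.113.45
2021-06-29 08:00:09 LOGIN_FAILED user=service src=203.0.113.45
2021-06-29 08:00:12 LOGIN_OK user=admin src=203.0.113.45
2021-06-29 08:15:00 LOGIN_FAILED user=drsmith src=10.0.0.17
2021-06-29 09:30:00 LOGIN_FAILED user=drsmith src=10.0.0.17
2021-06-29 09:30:20 LOGIN_OK user=drsmith src=10.0.0.17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGIN_FAILED|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts, skipping unrecognised lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than crash the monitor
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "event": m["event"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src: time_of_threshold_failure} for sources that reach
    `threshold` failed logins inside a sliding `window`.

    Failures are counted per source regardless of user name, so a password
    spray across many accounts from one address is caught as well as
    repeated guesses against a single account.
    """
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "LOGIN_FAILED":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures outside window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"]  # the moment lockout should engage
    return alerts


def success_after_burst(events, alerts):
    """Return {src: time_of_first_success} for sources that logged in
    successfully at or after their alert time. A success following a burst
    of failures is the case to treat as a probable compromise rather than
    noise, and the one an enforced lockout would have prevented."""
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if (ev["event"] == "LOGIN_OK" and src in alerts
                and ev["ts"] >= alerts[src] and src not in hits):
            hits[src] = ev["ts"]
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    alerts = find_brute_force(evs)
    for src, ts in alerts.items():
        print(f"ALERT  {src} reached failure threshold at {ts}")
    for src, ts in success_after_burst(evs, alerts).items():
        print(f"REVIEW {src} logged in at {ts} after the burst; check this account")
```

Run against the sample, the script alerts on 203.0.113.45 at 08:00:09 and flags its successful login three seconds later, while the two spaced-out failures from 10.0.0.17 never reach the threshold. If the PACS itself enforces lockout, the LOGIN_OK line for the attacker would not appear at all; if it does not, this is the line to act on.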
It is important to remember that every system in your office that is connected to the internet is potentially vulnerable to a cyberattack and can be exploited to expose patient data. If such an event occurs, it will very likely be a reportable HIPAA breach for your office.
In addition to exploiting vulnerabilities in these systems to steal data, a hacker could insert malicious code into the PACS to:
- Manipulate a medical diagnosis by altering stored images.
- Falsify scans.
- Install malware such as ransomware.
All three of these events would corrupt the data in your PACS. As we have mentioned in previous articles, one of the best defenses against ransomware and other corruption of your data is a good backup plan: backups that are kept separate from the PACS itself so ransomware cannot reach them, and that are periodically test-restored. In addition to reviewing the security of your PACS, you also need to review your backup policies and procedures for it, and if you are not currently backing up your PACS, now is the time to start.
Going beyond the cyber risks associated with PACS, we have seen instances where medical offices were physically broken into and the physical servers that hosted the PACS were stolen. In many cases these devices were neither encrypted nor backed up. All devices that store medical information need to be encrypted, so that a stolen device cannot become the source of a HIPAA breach. Note that disk encryption only protects a device that is powered off or locked; a server that is running with its disks unlocked is still exposed if taken.
Please use the following checklist to improve your data security in your office:
- Implement all of the manufacturer’s recommendations on securing your PACS data.
- Make sure the computers that store your PACS data are encrypted.
- Make sure that the PACS data has a backup plan in place and that you are following the backup plan.
- Contact your PACS vendor to make sure you are on the most up-to-date version of the software with all security patches installed, and make sure you are subscribed to security updates.
It is important to remember that cybersecurity extends beyond the EHR system and includes all systems that manage and store patient data.