PACS Flaws Put Data at Risk for 18 Months
California Medical Imaging Group Describes Data Exposure
A California medical imaging group practice says vulnerabilities in its picture archiving and communications system left patient data at risk of unauthorized access for more than a year.
Sutter Buttes Imaging Medical Group, based in Yuba City, California, recently disclosed that in December 2020, it learned that the PACS system had been vulnerable to hacking from July 2019 to December 2020.
"After thorough investigation, SBI determined that, due to these IT vulnerabilities, certain SBI patient information may have been accessed by unauthorized parties," the imaging group says in a statement.
The practice's administrator tells Information Security Media Group that the vulnerabilities left accessible "names of about 100,000 patients on a worklist." The German security firm Greenbone Networks discovered the flaws while it was conducting its own research, the administrator says.
The vulnerabilities in the PACS included open ports and authentication issues, the administrator says. The practice did not reveal the brand of the PACS system.
The practice learned about the potential data exposure when it was alerted by the Department of Health and Human Services' Office for Civil Rights, the administrator says.
The information potentially accessed includes patient name, date of birth, type of imaging procedure, and the internal patient and study numbers created by the practice, Sutter Buttes Imaging Medical Group says.
"We conducted a thorough investigation and took several critical steps to address the identified IT vulnerabilities and to prevent a similar incident from happening again," the imaging group says.
The organization closed certain firewall ports to prevent access, and it hired IT consultants to help bolster SBI's security controls, according to a sample breach notification letter submitted to the California attorney general's office on Feb. 9.
Security weaknesses in PACS and other medical imaging gear are relatively common, some security experts say.
"Lots of organizations lack the proper security strategy on how to handle anything that is not a 'standard' IT asset," says Benjamin Denkers of security and privacy consultancy CynergisTek. "Often these types of devices can require additional technology and specialized security knowledge to properly assess, build and maintain."
Elad Luz, head of research at healthcare security firm CyberMDX, offers a similar perspective.
"Generally, radiology practices have an ecosystem inside their network and utilize a network protocol, Dicom, which supports the typical workflows required - machines transmitting their studies to a server, workstations pulling and querying for studies from servers, and studies scheduled for patients," Luz says.
"It is also common for the infrastructure to support teleradiology, which usually means that remote facilities or personnel can pull studies from the server for diagnosing purposes. When teleradiology is misconfigured, servers containing the medical studies might be left exposed to the public internet instead of remaining private to the facility."
Dicom often does not require user authentication, he says.
"The information related to this incident - study date, patient name, date of birth, type of imaging procedure, and patient and study number - is what would typically be attached to a Dicom study," he adds.
In September 2019, the National Cybersecurity Center of Excellence at the National Institute of Standards and Technology released draft guidance aiming to help healthcare organizations improve the security of PACS (see: NIST Issues Draft Guidance for Securing PACS).
Among other technical and process controls the guidance suggests to improve PACS security is a defense-in-depth solution, including network zoning that allows for more granular control of network traffic flows and limits communications capabilities to the minimum necessary to support business functions.
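Luz's point that DICOM itself often carries no user authentication, together with the NIST guidance's network zoning recommendation, can be made concrete with a small policy check over the start of a DICOM association. The example below is added here for illustration and is not code from the article, from Sutter Buttes Imaging, Greenbone, CyberMDX or NIST. It parses only the fixed header of a DICOM A-ASSOCIATE-RQ PDU (the part that carries the called and calling application entity titles, as laid out in DICOM PS3.8) and then applies two layers of control: the peer must come from an assumed internal imaging subnet (the zoning control), and its AE title must be on an assumed allowlist. The subnet, AE titles and the sample PDUs are constructed for the example; the AE-title check is deliberately labelled as a workflow filter rather than authentication, because AE titles travel in cleartext and are trivially chosen by the sender.

```python
import ipaddress
import struct
from typing import List, Optional, Tuple

# Constructed policy values for the example (assumptions, not from the article):
# the imaging VLAN that is allowed to reach the archive, the modality/workstation
# AE titles expected on that VLAN, and the archive's own AE title.
ALLOWED_PEER_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
ALLOWED_CALLING_AE_TITLES = {"CT_SCANNER_1", "RAD_WS_03"}
ARCHIVE_AE_TITLE = "PACS_ARCHIVE"

# A-ASSOCIATE-RQ fixed header layout (DICOM PS3.8, A-ASSOCIATE-RQ PDU):
#   byte 0      PDU type (0x01)
#   byte 1      reserved
#   bytes 2-5   PDU length, big-endian
#   bytes 6-7   protocol version (bit 0 set for version 1)
#   bytes 8-9   reserved
#   bytes 10-25 called AE title, 16 bytes, space padded
#   bytes 26-41 calling AE title, 16 bytes, space padded
#   bytes 42-73 reserved (32 bytes), followed by variable items
FIXED_HEADER_LEN = 74


def parse_associate_rq(pdu: bytes) -> Optional[Tuple[str, str]]:
    """Return (called_ae, calling_ae) from an A-ASSOCIATE-RQ header, or None if
    the bytes are not a well-formed association request."""
    if len(pdu) < FIXED_HEADER_LEN or pdu[0] != 0x01:
        return None
    protocol_version = struct.unpack(">H", pdu[6:8])[0]
    if protocol_version & 0x0001 == 0:
        return None
    called_ae = pdu[10:26].decode("ascii", errors="replace").strip()
    calling_ae = pdu[26:42].decode("ascii", errors="replace").strip()
    return called_ae, calling_ae


def association_decision(peer_ip: str, pdu: bytes) -> Tuple[bool, str]:
    """Decide whether the archive should accept an association from peer_ip.

    Zoning is checked first: a peer outside the imaging subnet is refused before
    the PDU is even inspected, which is the control that would have kept an
    internet-exposed archive from answering at all. The AE-title checks that
    follow only constrain workflow; they are not authentication.
    """
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in ALLOWED_PEER_NETWORKS):
        return False, f"peer {peer_ip} outside imaging zone"
    parsed = parse_associate_rq(pdu)
    if parsed is None:
        return False, "not an A-ASSOCIATE-RQ"
    called_ae, calling_ae = parsed
    if called_ae != ARCHIVE_AE_TITLE:
        return False, f"called AE title '{called_ae}' not recognized"
    if calling_ae not in ALLOWED_CALLING_AE_TITLES:
        return False, f"calling AE title '{calling_ae}' not in allowlist"
    return True, "accepted"


def build_associate_rq(called_ae: str, calling_ae: str) -> bytes:
    """Build a minimal A-ASSOCIATE-RQ fixed header (variable items omitted).
    Constructed sample input for the example only."""
    body = (
        struct.pack(">HH", 0x0001, 0)          # protocol version 1, reserved
        + called_ae.ljust(16).encode("ascii")  # called AE title
        + calling_ae.ljust(16).encode("ascii")  # calling AE title
        + b"\x00" * 32                          # reserved
    )
    return bytes([0x01, 0x00]) + struct.pack(">I", len(body)) + body


def audit(events: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Run the policy over (peer_ip, pdu) pairs, e.g. reconstructed from a
    capture, and return the refused ones with their reasons for review."""
    refused = []
    for peer_ip, pdu in events:
        accepted, reason = association_decision(peer_ip, pdu)
        if not accepted:
            refused.append((peer_ip, reason))
    return refused


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate modality, one external peer,
    # one internal host with an unexpected AE title.
    sample = [
        ("10.20.5.7", build_associate_rq("PACS_ARCHIVE", "CT_SCANNER_1")),
        ("203.0.113.9", build_associate_rq("PACS_ARCHIVE", "CT_SCANNER_1")),
        ("10.20.9.1", build_associate_rq("PACS_ARCHIVE", "UNKNOWN_WS")),
    ]
    for peer, why in audit(sample):
        print(f"refused {peer}: {why}")
```

The ordering of the checks is the design point: because the AE title is whatever the sender writes into the header, the only check that actually keeps an archive off the public internet is the network one, which is why the guidance frames zoning as the first layer and why the port closures SBI describes were the right immediate fix.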
"Certain imaging devices can be utilized in medical centers for upwards of two decades. And after a few years, you can end up with a device running on older, possibly deprecated, software, which can lead to security issues," Luz says.