Cybersecurity report finds PACS highly vulnerable to attack

Health imaging data such as ultrasounds, mammograms, MRIs and PACS information is highly vulnerable to cybersecurity criminals, according to a recent McAfee security report.

The Labs 2018 Threats Report from the cybersecurity company tallied 267 publicly reported targeted healthcare incidents in 2016 and 2017.

Authors attributed the dramatic uptick to facilities’ failure to comply with security best practices or address vulnerabilities in outdated medical software.

A simple search from the group found more than 1,100 PACS servers directly connected to the internet, with no layer of network security or virtual private networks (VPNs) protection. This occurs even in the face of the Health Insurance Portability and Accountability Act (HIPAA), which requires a secure medical imaging workflow

“Because much of the imaging equipment in use by medical facilities does not align with security best practices, acquisition gateways are placed in the network to enable the digital exchange of the images. The amount of old software used in implementations of PACS servers and the amount of vulnerabilities discovered within the software itself are concerning,” wrote Christian Beek, lead scientist and senior principal engineer at McAfee’s Office of the CTO and colleagues.

According to the report, artificial intelligence (AI) pictures could be studied to determine how long a person will live. Experts suggested criminals may target this information and use it for extortion purposes.

“We understand the need for quickly sharing medical data for diagnosis and treatment and for storing medical images. We advise health care organizations to be careful when sharing images on open directories for research purposes and to at least scrape the [personally identifiable information] PII data from the images,” Beek et al. wrote.

Authors suggested working with vendors to implement security features. “Employ a proper network design in which the sharing systems are properly secured. Think not only about internal security but also about the use of VPNs and two-factor authentication when connecting with external systems,” according to the report.