In a rare move, the Department of Health and Human Services (HHS) has issued a warning to hospitals and health systems to prioritize the patching of a two-year-old vulnerability in picture archive communication systems (PACs). PACs are used for the exchange and storage of health scans and images, such as MRIs, CT Scans, breast imaging, and ultrasounds.

According to HHS’s Health Sector Cybersecurity Coordination Center (HC3), the vulnerable systems “can be easily identified and compromised by hackers over the Internet, can provide unauthorized access and expose patient records. There continues to be several unpatched PACS servers visible and HC3 is recommending entities patch their systems immediately. Health care organizations are advised to review their inventory to determine if they are running any PACS systems and if so, ensure the guidance in this alert is followed.”

It is estimated that 130 health systems have not patched the PACS systems and are vulnerable.

HC3 recommended that “PACS security begins by checking and validating connections to ensure access is limited only to authorized users,” and that systems “should be configured in accordance with the documentation that accompanies them from their manufacturer. Internet connected systems should ensure traffic between them and physicians/patients is encrypted by enabling HTTPS.

“Furthermore, whenever possible they should be placed behind a firewall and a virtual private network should be required to access them.” According to HC3, “[T]he vulnerabilities associated with PACS systems range from known default passwords, hardcoded credentials and lack of authentication within third party software.”

Keeping up to date on patching vulnerabilities is vital for the security of health information of patients, and health systems that have not attended to the patching of the PACS vulnerabilities may wish to follow the recommendation of HC3.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.