Security weaknesses in PACS and other medical imaging gear are relatively common, some security experts say.
"Lots of organizations lack the proper security strategy on how to handle anything that is not a 'standard' IT asset," says Benjamin Denkers of security and privacy consultancy CynergisTek. "Often these types of devices can require additional technology and specialized security knowledge to properly assess, build and maintain."
Elad Luz, head of research at healthcare security firm CyberMDX, offers a similar perspective.
"Generally, radiology practices have an ecosystem inside their network and utilize a network protocol, Dicom, which supports the typical workflows required - machines transmitting their studies to a server, workstations pulling and querying for studies from servers, and studies scheduled for patients," Luz says.
"It is also common for the infrastructure to support teleradiology, which usually means that remote facilities or personnel can pull studies from the server for diagnosing purposes. When teleradiology is misconfigured, servers containing the medical studies might be left exposed to the public internet instead of remaining private to the facility."
Dicom often does not require user authentication, he says.
"The information related to this incident - study date, patient name, date of birth, type of imaging procedure, and patient and study number - is what would typically be attached to a Dicom study," he adds.
In September 2019, the National Cybersecurity Center of Excellence at the National Institute of Standards and Technology released draft guidance aiming to help healthcare organizations improve the security of PACS.
Among the technical and process controls the guidance recommends for improving PACS security is a defense-in-depth approach, including network zoning that gives more granular control over network traffic flows and limits communication paths to the minimum necessary to support business functions.
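As an added illustration of the zoning control described above, and of Luz's point that DICOM associations are usually accepted without user authentication, the following Python script reviews a constructed log of association attempts to a PACS archive against an allowlist of approved source zones, listener ports and expected calling AE titles. This is example code written for this page, not from the article, CyberMDX, CynergisTek or the NIST/NCCoE guidance; the log line format, subnet values, AE titles and port numbers are all assumed placeholders.

```python
"""Flag DICOM association attempts that fall outside a network-zoning policy.

Assumed (constructed) log line format, one association per line:
  <timestamp> ASSOC <src_ip>:<src_port> -> <dst_ip>:<dst_port> calling=<AE> called=<AE>
"""
import ipaddress
import re
from dataclasses import dataclass, field

# --- Constructed zoning policy: placeholder subnets, not from any real site ---
APPROVED_ZONES = {
    "modality_vlan": ipaddress.ip_network("10.20.0.0/24"),        # scanners
    "reading_workstations": ipaddress.ip_network("10.21.0.0/24"), # radiologists
    "teleradiology_vpn": ipaddress.ip_network("10.99.0.0/24"),    # remote readers, VPN only
}
# Calling AE titles the archive expects. AE titles are cleartext labels chosen
# by the caller, so this is a hygiene signal, not an authentication control.
EXPECTED_CALLING_AE = {"CT_SCANNER1", "MR_SCANNER1", "RAD_WS01", "TELERAD_VPN"}
# Conventional DICOM listener ports; anything else reaching the archive is suspect.
DICOM_PORTS = {104, 11112}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ASSOC (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"calling=(?P<calling>\S+) called=(?P<called>\S+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    calling: str
    reasons: list = field(default_factory=list)


def zone_of(ip: str):
    """Return the name of the approved zone containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in APPROVED_ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(line: str):
    """Check one log line against the policy.

    Returns a Finding listing every violated rule, or None if the line is clean.
    Malformed lines are reported rather than skipped, so logging gaps are visible.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return Finding(ts="?", src="?", calling="?", reasons=["unparseable log line"])
    src, calling, dport = m["src"], m["calling"], int(m["dport"])
    reasons = []
    if zone_of(src) is None:
        reasons.append(f"source {src} is outside every approved zone")
    if calling not in EXPECTED_CALLING_AE:
        reasons.append(f"unexpected calling AE title {calling}")
    if dport not in DICOM_PORTS:
        reasons.append(f"association to non-DICOM port {dport}")
    return Finding(m["ts"], src, calling, reasons) if reasons else None


def scan(lines):
    """Run evaluate() over an iterable of log lines and keep only the findings."""
    return [f for f in (evaluate(line) for line in lines) if f is not None]


# Constructed sample log: two clean modality/workstation associations, one from a
# public address with an unknown AE title, one from an unapproved internal segment
# that presents a *known* AE title (titles alone prove nothing), one clean
# teleradiology association over the VPN zone, and one malformed line.
SAMPLE_LOG = [
    "2019-09-10T08:01:02Z ASSOC 10.20.0.15:50231 -> 10.30.0.10:104 calling=CT_SCANNER1 called=PACS_ARCHIVE",
    "2019-09-10T08:02:11Z ASSOC 10.21.0.44:50802 -> 10.30.0.10:104 calling=RAD_WS01 called=PACS_ARCHIVE",
    "2019-09-10T08:05:40Z ASSOC 198.51.100.23:41000 -> 10.30.0.10:104 calling=ECHOSCU called=PACS_ARCHIVE",
    "2019-09-10T08:07:03Z ASSOC 10.50.0.5:53377 -> 10.30.0.10:104 calling=RAD_WS01 called=PACS_ARCHIVE",
    "2019-09-10T08:09:15Z ASSOC 10.99.0.7:45120 -> 10.30.0.10:11112 calling=TELERAD_VPN called=PACS_ARCHIVE",
    "2019-09-10T08:10:00Z ASSOC garbled",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} calling={f.calling}: " + "; ".join(f.reasons))
```

The fourth sample line is the instructive one: it carries a legitimate-looking AE title but originates from a segment that has no business reaching the archive, which is exactly the case an AE-title check alone would wave through and a zoning rule would block. In practice the same allowlist would be enforced at the firewall or VLAN boundary, and a checker like this runs over the archive's connection log to confirm that the enforcement is actually holding.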
"Certain imaging devices can be utilized in medical centers for upwards of two decades. And after a few years, you can end up with a device running on older, possibly deprecated, software, which can lead to security issues," Luz says.