In a rare move, the Department of Health and Human Services (HHS) has issued a warning to hospitals and health systems to prioritize the patching of a two-year-old vulnerability in picture archive communication systems (PACs). PACs are used for the exchange and storage of health scans and images, such as MRIs, CT Scans, breast imaging, and ultrasounds.

According to HHS’s Health Sector Cybersecurity Coordination Center (HC3), the vulnerable systems “can be easily identified and compromised by hackers over the Internet, can provide unauthorized access and expose patient records. There continues to be several unpatched PACS servers visible and HC3 is recommending entities patch their systems immediately. Health care organizations are advised to review their inventory to determine if they are running any PACS systems and if so, ensure the guidance in this alert is followed.”

It is estimated that 130 health systems have not patched the PACS systems and are vulnerable.

HC3 recommended that “PACS security begins by checking and validating connections to ensure access is limited only to authorized users,” and that systems “should be configured in accordance with the documentation that accompanies them from their manufacturer. Internet connected systems should ensure traffic between them and physicians/patients is encrypted by enabling HTTPS.

“Furthermore, whenever possible they should be placed behind a firewall and a virtual private network should be required to access them.” According to HC3, “[T]he vulnerabilities associated with PACS systems range from known default passwords, hardcoded credentials and lack of authentication within third party software.”

Keeping up to date on patching vulnerabilities is vital for the security of health information of patients, and health systems that have not attended to the patching of the PACS vulnerabilities may wish to follow the recommendation of HC3.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.