Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.
On June 29, 2021, the U.S. Department of Health and Human Services (HHS) Cybersecurity Program released a news article on vulnerabilities in PACS, picture archiving and communication systems. PACS are commonly used for the storage and sharing of medical images, such as radiographs, CT scans, and MRI images.
Many healthcare practices, including most hospital imaging departments and large radiology practices, use PACS systems to provide medical professionals with a view of the studies on patients they have sent for imaging tests. According to the article from HHS, “These systems, which can be easily identified and compromised by hackers over the Internet, can provide unauthorized access and expose patient records. There continues to be several unpatched PACS servers visible.” This represents a huge cybersecurity risk as there are 130 known health systems with about 8.5 million case studies.
If you have a PACS system installed in your office, it is vital that proper security be set up around the computers hosting the PACS software to minimize risk and avoid a HIPAA breach. In fact, any and every system in a provider’s office connected to the internet is potentially vulnerable to a cyberattack and can be exploited to expose patient data.
When configuring a PACS system, there are steps you can take to support system security. It starts with following all of the manufacturer’s instructions on setup. Next, keep your PACS system up to date with all security patches. Additionally, ensure operating systems and other software systems that store vital medical data are updated regularly with security patches. Other tips for optimizing security measures include the following:
- Place the system behind your firewall.
- Require the use of a VPN to access the system.
- Change the default password for the system.
- Monitor log files for the PACS.
- Enable automatic lockout for multiple failed login attempts.
- Subscribe to system updates and install all security patches.
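
As an added illustration of the VPN, log-monitoring and lockout items above (this is not code from the HHS article, the author, or any PACS vendor), the following Python sketch reviews authentication log lines for three conditions: a source address outside the VPN range, an account reaching the failed-login threshold, and a successful login right after that threshold, which suggests lockout is not enabled. The log line layout, the VPN subnet, the threshold values and the sample entries are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed values, not taken from any PACS product: adjust to your environment.
VPN_NET = ip_network("10.8.0.0/24")   # addresses handed out by the office VPN
MAX_FAILS = 5                          # failed logins that should trigger lockout
WINDOW = timedelta(minutes=10)         # period over which failures are counted
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def review(lines):
    """Return (alerts, unparsed) for an iterable of authentication log lines."""
    alerts, unparsed = [], []
    fails = defaultdict(list)          # user -> timestamps of recent failures
    seen_outside = set()               # non-VPN sources already reported
    for line in lines:
        m = LINE_RE.match(line.strip())
        try:
            ts = datetime.fromisoformat(m["ts"])
            src = ip_address(m["src"])
        except (TypeError, ValueError):  # no match, bad timestamp or bad address
            unparsed.append(line)        # keep unreadable lines for manual review
            continue
        user = m["user"]
        if src not in VPN_NET and src not in seen_outside:
            seen_outside.add(src)
            alerts.append(("outside_vpn", user, str(src)))
        recent = [t for t in fails[user] if ts - t <= WINDOW]
        if m["result"] == "LOGIN_FAIL":
            recent.append(ts)
            if len(recent) == MAX_FAILS:   # alert once, when the threshold is hit
                alerts.append(("lockout_threshold", user, str(src)))
            fails[user] = recent
        else:
            if len(recent) >= MAX_FAILS:   # success despite too many failures
                alerts.append(("lockout_not_enforced", user, str(src)))
            fails[user] = []
    return alerts, unparsed

# Constructed sample log (hypothetical format and values).
SAMPLE = (["2021-07-01T08:00:05 LOGIN_OK user=drlee src=10.8.0.14"]
          + [f"2021-07-01T08:0{i}:10 LOGIN_FAIL user=admin src=10.8.0.77" for i in range(1, 6)]
          + ["2021-07-01T08:06:00 LOGIN_OK user=admin src=10.8.0.77",
             "2021-07-01T09:15:00 LOGIN_OK user=tech1 src=203.0.113.9", "<<truncated entry>>"])

if __name__ == "__main__":
    print(review(SAMPLE))
```

Failures are counted per account rather than per source address, so attempts against one account from several addresses still reach the threshold.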
In addition to accessing personal patient data, a hacker could insert malicious code into the PACS to manipulate medical diagnoses, falsify scans, and install malware, such as ransomware. Any of these events would corrupt the data in your PACS. One of the best defenses against ransomware and other data corruption is having a good backup plan. So besides reviewing the security associated with your PACS, your office should also review backup policies and procedures. If you are not currently backing up your PACS, now is the time to start.
Going beyond the cyber risks associated with PACS systems, medical offices and their servers hosting PACS can also be physically broken into. So it’s critical that servers and hosting devices are encrypted as well as backed up.
As a recap, the following checklist can be used to improve data security in your office:
- Implement all of the manufacturer’s recommendations on securing your PACS data.
- Ensure the computers storing your PACS data are encrypted.
- Have an effective data backup plan in place and make sure you are following the plan guidelines.
- Contact your PACS vendor to ensure you’re using the most up-to-date version of the software, have all security patches installed, and are subscribed to security updates.
As the HHS article reminds healthcare providers, cybersecurity measures need to extend well beyond the EHR system. Implementing such measures to protect patient data across all systems is essential to minimizing risk and maintaining HIPAA compliance.
For assistance in getting your practice compliant with HIPAA regulations, you can contact AdvancedMD’s partner TLD Systems.