The Health Sector Cybersecurity Coordination Center (HC3) warns that many Picture Archiving Communication Systems (PACS) still have unpatched cybersecurity vulnerabilities, even though researchers identified vulnerabilities in these systems in 2019. PACS use the Digital Imaging and Communications in Medicine (DICOM) format, which was developed three decades ago. They can include security vulnerabilities such as known default passwords, hardcoded credentials and lack of authentication within third-party software. Vulnerable PACS servers can expose patient information and allow malware to be introduced into connected clinical networks. The HC3 report lists 23 vulnerable PACS devices, noting that the list is not all-inclusive.
To mitigate PACS vulnerabilities, HC3 suggests the following:
- validate connections to ensure access is limited to only authorized users
- enable secure connections (HTTPS) for internet-connected systems
- place PACS systems behind a firewall and require access via a virtual private network (VPN).
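
The three mitigations above can be checked against a service inventory. The following is an added example, not part of the HC3 report; the inventory records, field names, host names and VPN address pool are constructed assumptions standing in for a site's own firewall export or asset list.

```python
import ipaddress

# Assumed site value (hypothetical): the address pool handed out to VPN clients.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")

# Constructed inventory: one record per listening PACS service. All values are made up.
INVENTORY = [
    {"host": "pacs-a", "port": 443, "scheme": "https", "auth": True,
     "allowed_from": ["10.8.0.0/24"]},
    {"host": "pacs-b", "port": 80, "scheme": "http", "auth": True,
     "allowed_from": ["10.8.0.0/25"]},
    {"host": "pacs-c", "port": 104, "scheme": "dicom", "auth": False,
     "allowed_from": ["0.0.0.0/0"]},
    {"host": "pacs-d", "port": 443, "scheme": "https", "auth": True,
     "allowed_from": ["10.8.0.0/24", "192.0.2.0/24"]},
]

def audit(service, vpn_pool=VPN_POOL):
    """Return the list of mitigation gaps for one service record."""
    findings = []
    # Mitigation 1: access limited to authorized users.
    if not service["auth"]:
        findings.append("no-authentication")
    # Mitigation 2: HTTPS. This check is stricter than the advisory wording:
    # it flags any plaintext web interface, internet-connected or not.
    if service["scheme"] == "http":
        findings.append("plaintext-http")
    # Mitigation 3: firewall plus VPN. Every permitted source range must sit
    # inside the VPN pool; a missing allow-list is treated as unrestricted.
    if not service["allowed_from"]:
        findings.append("no-source-restriction")
    for cidr in service["allowed_from"]:
        net = ipaddress.ip_network(cidr)
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if not (net.version == vpn_pool.version and net.subnet_of(vpn_pool)):
            findings.append(f"reachable-outside-vpn:{cidr}")
    return findings

def report(inventory=INVENTORY):
    """Map host name to findings, omitting services with no gaps."""
    results = {s["host"]: audit(s) for s in inventory}
    return {host: f for host, f in results.items() if f}

if __name__ == "__main__":
    for host, findings in report().items():
        print(host, ", ".join(findings))
```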