Senator Demands Explanation for the Exposure of Medical Images Stored in Unprotected PACS

Sen. Mark Warner (D-Virginia) wrote a letter to TridentUSA asking for an explanation concerning a breach involving sensitive medical images at MobileXUSA, one of its affiliates.

Sen. Warner is one of the founders of the Senate Cybersecurity Caucus (SCC), which was created to be a bipartisan educational resource that helps the Senate engage effectively on cybersecurity policy matters. In June, Sen. Warner took an initiative on behalf of the SCC to enhance cybersecurity in healthcare by asking NIST to create a protected file sharing framework. In February, he requested that healthcare stakeholder groups share their knowledge about best practices and the strategies they adopted to minimize cybersecurity risk and strengthen healthcare data security.

The most recent letter was sent a couple of days after ProPublica published a report on its investigation of unsecured Picture Archiving and Communications Systems (PACS). Hospitals and other healthcare companies use PACS to view, store, process, and transmit medical images, including MRIs, X-rays and CT scans. The report showed that over 303 medical images of roughly 5 million U.S. citizens were exposed online because of the failure of PACS to secure 187 U.S. servers, including MobileXUSA, which store the medical images.

Under HIPAA rules, sensitive data, such as medical images kept in PACS, must be protected using security controls. Both MobileXUSA and TridentUSA have the responsibility under HIPAA to make sure that their PACS are not freely accessible and that there are sufficient controls to prevent unauthorized data access and theft.

Sen. Warner gave the two companies until October 9, 2019 to answer questions regarding their cybersecurity practices to figure out how the exposure of the medical images in the PACS happened and why they did not detect the lack of security protections.

In particular, Sen. Warner would like to know the following information:

  • the audit and monitoring tools the companies used to analyze their HIPAA audit trails
  • if the systems that access the PACS and DICOM images conform to current standards and utilize proper access management controls
  • what access management controls are used for IP addresses and port filters
  • if a VPN or SSL is necessary for communication with the PACS
  • the frequency of internal HIPAA compliance audits and vulnerability scans
  • what kind of server encryption processes are used
  • if the companies have an internal security team or outsource security to security providers

PACS and the DICOM image format were created to help organizations share medical images internally and with approved third parties. However, every organization is responsible for making sure that its systems are robust enough to safeguard patient privacy.

Healthcare companies could face a lot of difficulties getting their PACS secured without adversely affecting workflows. To assist healthcare companies in securing their systems, NCCoE has recently introduced new NIST guidance to help healthcare providers protect the PACS ecosystem.