Securing a PACS Network: Vulnerabilities and Challenges

Overview

Picture Archiving and Communication Systems (PACS) are essential in healthcare for managing and storing medical imaging data such as X-rays, MRIs, and CT scans. PACS relies heavily on the Digital Imaging and Communications in Medicine (DICOM) standard, which is a universal format for the storage, retrieval, and transmission of medical images. This standard allows for the integration of imaging modalities (e.g., MRI scanners), servers, and workstations regardless of manufacturer, facilitating interoperability across different systems.

A typical PACS architecture includes several key components: imaging modalities, a secure network for transmitting images, servers for processing and storing data, and workstations for viewing and analyzing images. It often involves integration with other health information systems, including electronic health records (EHRs) and Radiology Information Systems (RIS).

Data flows through PACS in a structured manner, adhering to the DICOM standard. Imaging modalities capture medical images and encode them in DICOM format before transmitting them over secure networks to PACS servers. These servers then process and store the DICOM files, making them available to healthcare professionals via workstations or through integrated healthcare systems. This flow of sensitive data, while necessary for efficient medical practice, presents multiple points vulnerable to cybersecurity threats.

Common Vulnerabilities in PACS

1.????? Weak Access Controls: Unauthorized access is a prevalent and severe vulnerability in PACS, primarily due to inadequate authentication processes throughout these systems. Common issues include:

• Weak Password Policies: Often, workstations utilize default or easily guessable passwords, significantly lowering the security threshold.
• Insufficient Multi-factor Authentication: Many systems lack layered security measures that multi-factor authentication provides, relying solely on passwords for access control.
• Default Credentials: The use of factory-set credentials, which are seldom changed by administrators, presents a significant security risk.
• Poorly Configured Server-Side Settings: Servers frequently lack stringent authentication requirements and do not adequately segment access based on user roles, leaving sensitive patient data inadequately protected.
• Application-Level Access Control Flaws: In the PACS environment, several critical applications handle sensitive data and require robust access control mechanisms. Weaknesses in these controls can lead to significant security vulnerabilities. For example, DICOM viewers and Radiology Information Systems (RIS), which manage and display sensitive medical images and patient information, can be prime targets for unauthorized access if not properly secured.

These weaknesses are exacerbated when servers are directly connected to the internet without adequate protective measures such as firewalls, virtual private networks (VPNs), or robust password protocols. Such configurations expose them to various security risks, including unauthorized access and potential data breaches.

2.????? Cloud Storage and Internet-Exposed PACS Servers: The security of connected DICOM devices is critical, highlighted by the widespread adoption of cloud storage and the presence of internet-facing PACS servers. Research by Noam Moshe of Team 82 [1] has identified several key issues:

• Unsecured Cloud Storage Buckets: Numerous cloud storage buckets on platforms like AWS and Azure are configured for public access. These buckets, which Team 82 found to number in the thousands, contain millions of sensitive, unencrypted DICOM files, often due to oversight or misconfiguration.
• Widespread Exposure of PACS Servers: Using Shodan.io, Team 82 discovered approximately 4,150 PACS servers globally exposed to the internet, making DICOM services potentially accessible to external parties. This exposure is primarily due to misconfigurations and inadequate security measures.
• Increased Attack Surface: The visibility of PACS servers on the internet, combined with the availability of unsecured cloud storage, significantly enlarges the attack surface, making these systems prime targets for cyberattacks.
• Lack of Awareness: Many organizations lack awareness regarding the state and security configuration of their cloud storage and PACS servers, contributing to ongoing security vulnerabilities.

These findings, supported by similar reports from other security researchers, underscores the critical need for healthcare organizations to rigorously assess and configure their cloud and internet-facing infrastructures to prevent unintended data exposure and enhance overall security postures.

3.????? Software and Network Deficiencies: The European Union Agency for Network and Information Security (ENISA) emphasizes in its 2016 Smart Hospitals report [2] the critical importance of regular software patching and updating. ENISA states that maintaining current software versions is essential to preventing the exploitation of known vulnerabilities and to detect attacks via known pathways. This practice is crucial not only for networked medical devices and clinical information systems in smart hospitals but also for securing ancillary protections such as firewalls and antivirus software. Vulnerabilities in PACS networks arise from various factors related to outdated or inadequate software and network infrastructure, which can significantly compromise data security:

• Outdated Software Components: Various components, including servers and imaging modalities such as CT scanners and MRI machines, within PACS networks may operate on outdated software. This includes both legacy equipment with prolonged operational lifespans and active devices that have not been timely updated. Frequently, these components do not receive the latest updates and might lack support from manufacturers, exposing them to known vulnerabilities and missing out on essential security patches. Moreover, older technology in these systems might not be compatible with current security measures, such as modern encryption protocols or advanced authentication methods. This vulnerability not only affects the devices with outdated software but also poses a risk to the entire PACS infrastructure, potentially allowing cyber attackers to access and exploit sensitive medical data.
• Legacy Protocols: PACS networks may also rely on outdated network protocols that do not support modern encryption standards. This reliance on legacy technology does not provide adequate protection against contemporary cyber threats, making data transmission particularly vulnerable to interception and unauthorized access.
• Insufficient Update Mechanisms: In some cases, the systems are set up without efficient mechanisms to regularly update critical software components. This includes the underlying operating systems and application layers, which are crucial for maintaining device security against emerging threats.
• Lack of Interoperable Security Updates: Often, there is a lack of coordination among vendors in the healthcare ecosystem regarding updates, leading to incompatible security measures across different devices within the same network. This misalignment can create gaps in the network’s defense, especially when older devices cannot support newer security protocols.

These vulnerabilities underscore the critical need for continuous monitoring and updating of software and protocols in PACS networks to protect sensitive medical data from cyber threats.

4.????? Inadequate Anti-malware Protection: Traditional antivirus and other anti-malware solutions often fail to offer sufficient protection for medical imaging systems within healthcare environments. The unique characteristics and operational demands of DICOM files used in PACS necessitate specifically tailored anti-malware measures. Without these specialized protections, PACS and other network components that utilize DICOM files become vulnerable to advanced threats. These threats can exploit vulnerabilities, manipulating files to serve as vectors for cyber threats.

Addressing these vulnerabilities requires the implementation of several focused strategies:

• Tailored Threat Detection: Anti-malware tools equipped with algorithms designed specifically for the complexities of DICOM file structures provide enhanced capabilities to identify and mitigate threats that conventional antivirus software may overlook.
• Enhanced Software and Signature Updates: Regular updates to anti-malware software and signatures are critical to effectively detect and neutralize sophisticated and emerging threats targeting medical imaging data.
• Configurable Scanning Options: Anti-malware configurations for PACS should include adaptable scanning options—on-access, on-demand, and scheduled—that are tailored to meet the operational demands of medical imaging environments. This customization ensures that DICOM files are effectively protected without disrupting essential healthcare operations.

Implementing these specialized anti-malware strategies is crucial for enhancing the defense of medical imaging systems and securing PACS against increasingly sophisticated cyber threats. Such measures are essential in addressing vulnerabilities that traditional security solutions may fail to cover.

5.????? Inadequate Encryption: Proper encryption of medical images and associated metadata, both in storage and during transmission, is crucial for protecting patient data. Systems using outdated encryption standards or inadequate encryption practices can leave PACS data vulnerable to interception and unauthorized access. DICOM addresses data security through several mechanisms as outlined in DICOM Part 15, which covers security and system management profiles. Encryption is typically applied during the transmission of files or to entire files, as these practices ensure the protection of sensitive information while maintaining the functionality necessary for clinical or operational purposes.

To enhance the security of data during transmission, DICOM incorporates several network commands and protocols:

• DICOM Network Commands (C-MOVE, C-GET, C-STORE): These commands are essential for transferring DICOM data across networked systems. They are designed to transmit data as stored, relying on encryption mechanisms like TLS for security.
• Transport Layer Security (TLS): DICOM recommends using TLS to secure data transmissions, ensuring that all data sent between DICOM applications is protected against interception and tampering.

By focusing on these encryption practices, healthcare organizations can address the key vulnerabilities and ensure the protection of sensitive medical data across its entire lifecycle, from acquisition to storage and transmission.

Vulnerabilities and Challenges Related to Encryption in PACS:

• Partial Encryption: Selective encryption of specific data elements within DICOM files, while supported, is less commonly implemented due to its complexity and potential impact on interoperability and accessibility. This can leave parts of the DICOM file unprotected, underscoring the importance of more comprehensive encryption approaches.
• Management of Encryption Keys: Effective key management is critical in maintaining the security of encrypted data. Poor practices, such as using weak keys or inappropriate sharing of keys, can severely compromise encryption safeguards.
• End-to-End Security: Ensuring that the entire transmission path is secured is vital. Misconfiguration or improper implementation of secure transmission protocols, like TLS, can expose data to risks, including Man-in-the-Middle (MITM) attacks, where unauthorized entities could intercept or alter the data.
• Compatibility and Standard Implementation: Variations in how different PACS vendors implement encryption standards can lead to inconsistencies and potential security loopholes. Ensuring compatibility and adherence to DICOM standards across systems is essential.

Encryption-Related Vulnerabilities Across the DICOM Lifecycle:

• Vulnerability During Decryption: Although encryption effectively shields DICOM files during transmission and storage, these files become susceptible to manipulation once decrypted for use, such as on potentially compromised workstations or within vulnerable viewing applications. Secure environments are needed for handling decrypted data.
• Risks on Malware-Infected Workstations: Workstations used to view or process DICOM files are potential weak points. If compromised with malware, these systems can manipulate DICOM files when decrypted.
• Vulnerabilities in Viewing Applications: Software vulnerabilities in DICOM viewers and other medical imaging applications can be exploited by malicious actors to alter DICOM files. Regular updates and security patches are crucial.
• Insider Threats: Security measures like encryption do not guard against threats posed by insiders with legitimate access. Malicious insiders could manipulate DICOM files, embedding malware or altering data, particularly at points where files are decrypted.

To safeguard sensitive medical data within PACS effectively, healthcare organizations should implement comprehensive encryption strategies that adhere to the latest standards and best practices. This includes regular updates to encryption algorithms, secure management of encryption keys, continuous monitoring and configuration of encryption protocols, and robust security training for staff. These measures are critical for protecting patient data across its entire lifecycle—from acquisition through storage to transmission.

The Crucial Role of Advanced Anti-Malware Solutions in Securing DICOM Files

Despite applying robust security measures to protect PACS networks, DICOM files remain vulnerable to sophisticated cyber threats at various stages of their lifecycle. These files, essential for medical diagnostics and patient care, can unfortunately be manipulated with malicious intent, turning them into vectors for cyber threats. This manipulation can occur prior to encryption, during the decryption process, or when security controls are circumvented.

Given the complexity of DICOM files, which include not only medical imagery but also detailed metadata, conventional anti-malware solutions may not suffice. These files require a specialized approach to cybersecurity, one that can understand and protect the intricate structure of DICOM data. It is here that advanced anti-malware solutions become indispensable. An ideal solution is specifically designed to detect and neutralize threats that exploit the unique aspects of DICOM files, ensuring that these files are safeguarded throughout their entire processing and storage cycle.

To address this need, WetStone Labs has developed SecureDICOM, an advanced cybersecurity solution tailored for the medical imaging domain. SecureDICOM leverages cutting-edge technology to provide comprehensive protection for DICOM files. It incorporates enhanced signature updates, configurable scanning options, and tailored threat detection algorithms that are specifically designed to navigate the complexities of DICOM files. This ensures that every component of a DICOM file is protected from emerging cyber threats, making SecureDICOM an essential tool for healthcare institutions seeking to strengthen their cybersecurity defenses.

By integrating SecureDICOM into their security infrastructure, healthcare providers can significantly enhance their ability to detect and respond to threats specifically targeting medical imaging systems. This proactive approach is critical, as it not only helps to protect sensitive patient data but also maintains the integrity and availability of crucial medical information.

Conclusion

The inherent complexities and critical role of Picture Archiving and Communication Systems (PACS) in healthcare make securing these networks a priority for ensuring patient safety and confidentiality. As discussed, vulnerabilities in PACS can stem from a variety of sources, ranging from weak access controls and outdated software components to the challenges posed by integrating with cloud storage and other health information systems. These vulnerabilities not only threaten the integrity of medical data but also expose healthcare institutions to potential cyberattacks with severe consequences such as data breaches, loss of patient trust, and significant financial penalties.

To effectively mitigate these risks, healthcare organizations must adopt a multi-faceted approach to cybersecurity. This includes implementing strong authentication measures, ensuring regular updates to both software and hardware components, and adopting robust encryption practices to safeguard data both at rest and in transit. Additionally, the deployment of specialized anti-malware solutions such as SecureDICOM by WetStone Labs is crucial. These tools are designed to understand and protect the unique structures of DICOM files, providing an essential layer of security that traditional anti-malware solutions may miss.

While the challenges of securing PACS networks are significant, they are manageable with the right strategies. By implementing a combination of preventive measures and responsive solutions, healthcare providers can strengthen their defenses. This proactive security posture not only protects sensitive medical data but also maintains the trust that patients place in their healthcare providers. By remaining vigilant and continually adapting to new security challenges, the healthcare industry can safeguard its critical infrastructure and ensure the continuity and safety of its services.

?If you liked this article, you may also be interested in:

"Enhancing Healthcare Cybersecurity: Aligning SecureDICOM with the NIST Cybersecurity> Framework" at: https://www.dhirubhai.net/posts/wetstone-technologies_nist-csf-cybersecurityframework-activity-7191942720020492290-bECg/, and

“Adapting to New Cybersecurity Challenges in Healthcare with SecureDICOM” at https://linkedin.com/pulse/adapting-new-cybersecurity-challenges-healthcare-873ee/

References:

[1] Moshe, N., DICOM Demystified: Exploring the Underbelly of Medical Imaging, Claroty Team 82, 2023, https://claroty.com/team82/research/dicom-demystified-exploring-the-underbelly-of-medical-imaging, Accessed May 5, 2024.

[2] European Union Agency for Cybersecurity,?Smart hospitals – Security and resilience for smart health service and infrastructures, European Network and Information Security Agency, 2016,?https://data.europa.eu/doi/10.2824/28801, Accessed May 5, 2024.

Contact WetStone Labs:

For more information about Wetstone Labs, SecureDICOM, and our other cybersecurity and digital forensics solutions, please contact us at [email protected]. Visit our website at www.wetstonelabs.com and follow our LinkedIn page at www.dhirubhai.net/company/wetstone-technologies.

WetStone Labs, WetStone Technologies, and SecureDICOM are trademarks of WetStone Labs, Inc. All other product names mentioned herein are used for identification purposes only and may be the trademarks of their respective manufacturers or publishers.