This story has been going around since September 2019: images from PACS systems around the world, exposed on the internet and available to anyone who wanted to see them. The exposed images included x-rays, MRI scans and more. It still hasn’t been locked down after all these months, so it’s time to talk about it instead of keeping it quiet.
In this episode:
Images Exposed – Ep 243
2020 Spring Session Dates
March 24, 25, 26
2020 Fall Session Dates
Sept 15, 16, 17
Los Angeles, CA
For info go to TheHIPAABootCamp.com
Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
I worked with radiology billing for many years in my career, so I am aware of the security issues noted in many of the PACS systems out there. Over a billion exposed images have been accounted for, and millions are apparently still available.
A little background on medical imaging solutions
First, let’s explain a few things for those who may not deal directly with healthcare imaging tech. These two terms are at the core of almost all medical imaging technology.
DICOM is the international standard for medical imaging information exchange. Way back in the 80s and early 90s this standard was developed to make it easier to move digital images around. The good news is that when HIPAA was announced, they added options for encrypting the data and protecting its transmission, including the ability to take all the PHI already attached to the image and encrypt it. The bad news: none of it is required by default. Even more good and bad news is that free DICOM image viewing software is now widely available for both Windows and Mac. You can even view the images with web browser extensions.
DICOM standards give us the ability to exchange this information quickly and at high resolution, allowing practitioners to diagnose patient conditions better and faster. Should be good, huh?
PACS is the picture archiving and communication system that lets you store and access those DICOM images from all the different devices that created them. The PACS system is where the radiologist does their work. You can attach patient notes in a PDF directly to the images, which lets them keep track of all the information about the patient along with the images that are taken.
These PACS systems collect images from a long list of devices, which makes them loaded with information. Of course there are x-rays, but there are also MRIs, PET and CT scans, mammograms, ophthalmology, endoscopy, nuclear medicine, all types of dental images, and many more. Any medical diagnostic tool that takes some sort of view of your body is almost certainly dumped into one PACS system used by everyone in the organization. Unfortunately, there are also little batches of standalone PACS systems that work with a specific device and haven’t been converted over to the main PACS. That means many organizations may have more than one PACS to support.
If you think about all the different ways that have been and continue to be developed to allow clinical staff to peer into your body without opening it up, that is a lot of imaging.
Many of these PACS systems have been considered less than secure for some time. NIST did a test run, working with several imaging vendors that connect under PACS, trying to secure everything, and they are producing a guide of best practices for securing this stuff. The panel discussion with the engineers from the vendors at the NIST OCR security conference was informative. One of them said he knew that many of the devices themselves ship with protections turned off. You must secure them when you install them, or they sit on your network open to anyone who wants to access the images and patient information. Clearly, there is a lot of work to do in this area.
This is a problem for both the vendors and the organizations who own the systems. The vendors say the customer is responsible for security, but they don’t make a big deal of making sure the customer really understands that responsibility. Nor do the vendors go out of their way to bake security into the products so that the defaults are secure. Healthcare security issues like this are why this podcast exists. If something is plug-and-play, that is as far as the security goes too. Once it works, the tech folks just move along, especially with these types of devices and applications. IT vendors don’t support them or install them. Everyone assumes someone else handles security.
Images exposed for easy access found by researchers
The images exposed story was first published by ProPublica in Sept 2019, based on findings from research at a German company, Greenbone. In that first article they reported finding over 5 million patients with images exposed in the US, plus millions more from around the world. Those images were on 187 servers in the US alone that were unprotected by passwords or any other level of security.
Here is a great quote from that article that explains just how wide open these systems are:
She also added what we all say these days about it being a “shared responsibility” between the vendors and the organizations that buy and use the tools.
The researchers and ProPublica were trying to notify the offices that had images exposed. Some took immediate action. Others never even returned the call, like an LA physician they found with all of his patients’ echocardiograms open for anyone who wants to see them.
Another company they notified, Offsite Image, had over 340,000 images from both vets and human doctors exposed. Their website proclaims “Your data is safe and secure with us”. When they contacted the company, their tech consultant said there was no way they were exposed because it required passwords for access. He called back the next day and said, my bad, we did have images exposed. He added that they were “never aware that this was even a possibility.” Guess that was the IT person who didn’t even know they were supporting this PACS stuff that the vendor said was your problem. That loop right there is the key in almost all small environments.
Image security is not new news.
In 2016, a couple of really smart folks at Harvard Medical School published a paper in the American Journal of Roentgenology (the imaging people’s research journal). The paper is titled How Secure Is Your Radiology Department? Mapping Digital Radiology Adoption and Security Worldwide, and it said that back then things with PACS and DICOM were a mess.
The gist of the paper was summed up in one quote, though: “Suddenly, medical security has become a do-it-yourself project”. Remember, that paper was published in early 2016. It is clear nothing substantial has changed.
After the first story broke we saw more and more notices that more images had been found. The number exploded: 400 million, then 737 million, and eventually over a billion by November. It was getting worse after the announcement, not better.
In total, 2,000 providers from 800 US institutions, including clinics, hospitals, and radiology service providers are exposing PACS images. And the US is largely missing proper controls on these databases, such as those mandated by HIPAA.
The map of the US published by Greenbone was pretty telling as to the extent of the issues:
Go figure, Georgia is a hotspot according to the little yellow triangle.
Senator Sees Images Exposed For Himself
In November, OCR Director Severino received a letter from the Senate Cybersecurity Caucus founder, Sen. Mark Warner, asking for an explanation of OCR’s “failure to act”. The letter pointed out there had been many reports about problems with DICOM security prior to the detection of this long list of images exposed. It is a pretty, ummm, serious letter asking why OCR isn’t enforcing HIPAA to prevent this kind of exposure.
The reason the Senator is asking specifically about OCR enforcement is not just rhetorical. Warner’s office had reached out to one of the companies with images exposed, TridentUSA Health Services, asking them what the what. They replied with something that seems to me a little unclear, if it was stated exactly like this letter says.
When I read that statement I can infer a few things that may make it sound different from how it initially sounds.
- We know from experience that OCR doesn’t usually tell anyone they are compliant with HIPAA.
- OCR hasn’t been doing audits, that we know about publicly anyway. They have been doing investigations all over the place, though. Those are two very different things to me.
- Assuming it was an investigation, they were looking into something specific and not specifically the PACS system.
- If the company says they secure the PACS and include it on their SRA, OCR doesn’t have the resources to go look themselves. They could be providing scans showing everything is fine because they ignore alerts about the PACS system.
Here are some other points from the letter that were very clear about why these images exposed out there should be a major concern, not just a little blip.
The questions he wants answered.
Sen. Warner also posed the following questions for HHS regarding the incident and its current cybersecurity requirements and procedures:
- Did HHS receive a notice from US-CERT regarding the open PACS ports available with diagnostic imaging available on the internet without any restrictions?
- If so, what actions were taken to address the issue?
- What evidence do you require organizations to produce during a HIPAA Security Rule audit? Are organizations asked to turn over their audit logs? How does OCR review the logs?
- Does OCR have information security experts on staff or does it rely on external consultants as part of these audits?
- What are the follow-up procedures if an organization’s log files reveal access to sensitive data from outside the United States, such as in this case?
- Please describe your information security audit process.
- Please describe your oversight of the DICOM protocol and PACS security. Do you require organizations to implement access controls? If so, what kind? Do you require full-disk encryption and authentication for PACS? Are the DICOM protocol implementations included in the audits?
In this business we all know that OCR would never have the manpower to dig through actual access audit logs themselves. Other than item 1, we have a good idea what most of the answers are just from experience. Here is our simple stab at them.
2 – In investigations, OCR asks them to produce policies, procedures, and proof they are being followed. The audits have been much different than that, however. OCR staff review the documentation provided, which can be all over the place. Sometimes it is even provided in such a manner that one may think they are trying to throw up a smoke screen.
2a – They have a few tech folks on staff but not a lot of them.
3 – They wouldn’t necessarily see the log files themselves. They would get assurances from the organization that the log files are being reviewed. Not every organization can just block IP addresses from outside the US, because we have people traveling all over the world who need access to information. If the organization is security conscious, though, it would have controls in place for monitoring and responding to such accesses to confirm they are ok. The follow-up doesn’t really exist at all. That was discussed a good bit a few years ago but not recently.
4 – The last audit was a desktop audit and asked for SRA and Risk Management documentation. That is it. Investigations are a good bit different, but they are not looking at the entire Security Rule as implied by the TridentUSA reference in the letter.
5 – I don’t think OCR has the legal mandate to cover DICOM and PACS specifics. HIPAA doesn’t hit on those specific technologies. Wait, didn’t we just talk about ambiguity in HIPAA recently? Access controls are required under HIPAA, and these cases are clearly violating the HIPAA Security Rule’s reasonable and appropriate standards. Until they find the problem they can’t address it, though. They can’t look at protocols and the other things questioned, either under HIPAA requirements or with their budgeted manpower.
Here we are in Feb 2020 and there are still images exposed that haven’t been addressed. As you would guess, the biggest problem from the beginning, and still, is the US.
Do you have images exposed?
If you have any relation to PACS systems in your own business or with your BAs, start asking questions right now. I know some ortho groups have their own MRI and x-ray devices, but a remote radiologist does the reads for them. The rads are using a PACS somewhere.
Are they securing your images if you send them over to that PACS system?
Is someone making sure the security measures are being implemented and monitored?
If they say yes, then get them to prove it. Because… listen to any number of other episodes.
If, when you are asking for all this stuff, you get any pushback or responses that don’t sound like they are aware of the issue and have taken multiple steps to make sure things are secured, well, then PANIC! Remember the injecting malware thing: criminals already know this stuff, and they have probably known for some time now who is open to further attacks.
This is such a huge issue, with so many systems and providers involved, that it will take a while to address the majority of them, and who knows if all of them will be secured before more join the list. I seriously doubt this will be the end of this issue, nor will it be the last one with this level of exposed information.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!