Tips for ensuring the cybersecurity of PACS

June 02, 2020
By Ido Geffen

In hospitals, cyber risks tend to be most prevalent in the radiology department.
Radiology departments largely integrated their devices into networks 30 years ago, long before the boom in cybersecurity risks, and despite being early adopters, they often struggle to keep up with the pace of security. The reality is that today over 55% of imaging devices run deprecated or otherwise unpatched versions of Windows, ostensibly vulnerable to exploits such as BlueKeep or DejaBlue. But the problem goes beyond a wide attack surface for known vulnerabilities and includes easily preventable risks around poor, outdated IT design and security practices.

Designed long before modern cybersecurity risks arose, data centers and systems serving medical imaging and file management needs are rarely installed and configured with even a modicum of security in mind. The issue is further exacerbated by the fact that most hospitals only have a few PACS servers receiving and storing all their imaging data — concentrating an enormous swath of their exploitable attack surface in only a few points of failure.

In late 2019 Greenbone Networks conducted some research around imaging server practices and their data privacy impact. Greenbone’s investigation revealed the staggering amount of medical images and associated personal information (like medical records, social security numbers, and financial details) that is openly accessible from the internet.

According to the Greenbone report, the number of private medical images currently online stands at 1.19 billion. Of those, 370 million images (over 30% of those images) can be accessed from the internet without requiring any type of password protection or authentication. Not all those images belong to different patients or different records, however. When grouping those images and associated data into contained, individualized data sets, Greenbone estimated that there are around 9 million separate patients all over the world whose private data is available for public consumption. Six million of those patients are believed to be U.S. citizens.

The unsecured data infrastructure at the heart of this problem is the Picture Archiving and Communication System (PACS). PACS servers are used to store images taken by devices such as Ultrasound, X-ray, CT, and MR machines. After one of these devices takes a picture, it is sent to the PACS server, where it is stored and — if configured properly — only accessed thereafter for legitimate medical purposes and by authorized individuals.

Based on findings from Shodan, a free scanner for internet-connected devices, over 55% of the PACS servers are accessible through port 104 — the default port used for Digital Imaging and Communications in Medicine (DICOM).

DICOM is an unencrypted network protocol used for transferring medical images that is well-known and thoroughly documented. As a result, a malicious actor with even a low level of skill can structure their communications to match the protocol and, using the correct conventions, make requests over the network that DICOM machines are designed to oblige. In this manner, hackers can poke around a network and gather information, looking for exploitable weaknesses to launch an attack or move to exfiltrate data.

So how can hospitals and medical networks minimize this risk? As with so many other issues of information security, the first step is taking stock and developing a thorough index and inventory of your networked devices; here, that would mean all connected DICOM and PACS devices. Using that information, you’ll want to check the connectivity configurations for those devices and identify which machines are open to the wider internet.

If you enlist a scanning tool to accelerate the process, it’s important that the scanning be passive so as not to interfere with or crash medical technologies incompatible with aggressive scanning techniques.

From there, the process boils down to five relatively simple steps:

1. If there are any servers that do not require remote access, apply firewall rules to block access to those servers from any external endpoints.

2. Close all operationally unnecessary ports — especially ports used for the transfer of medical information. Necessary ports can be identified based on MDS2 documentation and, if needed, consultation with the vendor.
● In many cases, there will be multiple ports left open on the device by default — even as the device is configured to communicate through a specific port. For example, the primary port for DICOM traffic is port 104. This port will typically be open by default. At the same time, some devices may be configured to use other ports for DICOM. In such a case, leaving port 104 open would constitute a completely unnecessary risk to your device, network, and data security.

3. Wherever possible, restrict out-of-network communications to those managed and secured through (properly patched and encrypted) virtual private networks.

4. If out-of-network communications cannot be restricted to VPN-managed sessions, limit the access to these servers to only necessary connections: use role-based authentication and allow only preapproved IP address ranges to access the servers.

5. If out-of-network communications cannot be restricted to VPN-managed sessions, wherever possible, use TLS encryption to send DICOM information.
● This will require some setup on both the server and client ends and may involve a port switch, but in lieu of VPNs and access restrictions, it’s vital that data in transit be encrypted.
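
The five steps above can be run as a repeatable check over the device inventory. The following is an added example, not part of the original article; the record fields, device names, ports other than 104 and address ranges are constructed assumptions.

```python
import ipaddress

DICOM_DEFAULT_PORT = 104  # default DICOM port named in the article

def audit_device(dev):
    """Return (step, finding) tuples for one inventory record."""
    findings = []
    # Step 1: no remote-access need, yet reachable from external endpoints.
    if not dev["needs_remote_access"] and dev["internet_reachable"]:
        findings.append((1, "block external access with firewall rules"))
    # Step 2: open ports that are not required (e.g. per MDS2 documentation).
    extra = sorted(set(dev["open_ports"]) - set(dev["required_ports"]))
    if extra:
        note = f"close unnecessary ports {extra}"
        if DICOM_DEFAULT_PORT in extra and dev["dicom_port"] != DICOM_DEFAULT_PORT:
            note += f"; DICOM uses {dev['dicom_port']} but default 104 is open"
        findings.append((2, note))
    # Steps 3-5 apply to servers that accept out-of-network connections.
    if dev["needs_remote_access"] and not dev["vpn_only"]:
        findings.append((3, "move out-of-network access behind a VPN if possible"))
        nets = [ipaddress.ip_network(c) for c in dev["allowed_sources"]]
        if not nets or any(n.prefixlen == 0 for n in nets):
            findings.append((4, "allow only preapproved IP address ranges"))
        if not dev["role_based_auth"]:
            findings.append((4, "enable role-based authentication"))
        if not dev["dicom_tls"]:
            findings.append((5, "send DICOM over TLS"))
    return findings

def audit_inventory(inventory):
    return {dev["name"]: audit_device(dev) for dev in inventory}

# Constructed sample inventory: hypothetical devices, ports and address ranges.
INVENTORY = [
    dict(name="pacs-archive", needs_remote_access=False, internet_reachable=True,
         open_ports=[104, 3389, 11112], required_ports=[11112], dicom_port=11112,
         vpn_only=False, allowed_sources=[], role_based_auth=False, dicom_tls=False),
    dict(name="pacs-teleradiology", needs_remote_access=True, internet_reachable=True,
         open_ports=[104], required_ports=[104], dicom_port=104,
         vpn_only=False, allowed_sources=["0.0.0.0/0"], role_based_auth=True, dicom_tls=False),
    dict(name="pacs-partner-link", needs_remote_access=True, internet_reachable=False,
         open_ports=[2762], required_ports=[2762], dicom_port=2762,
         vpn_only=True, allowed_sources=["198.51.100.0/24"], role_based_auth=True, dicom_tls=True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, findings or "no findings")
```

The inventory records would normally be filled from passive discovery and the vendor's MDS2 documentation rather than typed by hand.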

About the author: Ido Geffen is VP, product at CyberMDX. Combining technological acumen with strong business skills, and a soft personal touch, Geffen designs and oversees CyberMDX's product roadmap, while ensuring the solution's successful deployment in hospitals worldwide. Geffen is an esteemed CSA 405(d) Task Group member.