Winter 2020 Newsletter - Developing a More Secure PACS Ecosystem

By Jon Moore, Senior Vice President & Chief Risk Officer, Clearwater

The security of medical images took center stage recently as Senator Mark Warner of Virginia demanded that TridentUSA and its affiliate MobileXUSA outline their cybersecurity practices after ProPublica reported the imaging firms left millions of medical records and patient data exposed online.

The ProPublica report unveiled one of the biggest data security failings in healthcare this year. The companies failed to use passwords and other basic security controls to protect 187 computers that store X-rays, MRIs, and other health data. As a result, anyone could use a web browser or free software to view the information.

The breach, which included data from five million U.S. patients and millions more across the globe, makes the NIST National Cybersecurity Center of Excellence (NCCoE) proposed guidance to help healthcare delivery organizations secure the picture archiving and communication system (PACS) environment all the more important.

Clearwater had the honor of partnering with the NCCoE on this project, which involved the use of Clearwater’s IRM|Analysis™ software to analyze the risks that are common in a PACS ecosystem and to identify potential security controls to manage those risks. Here we share some insights that may be helpful in understanding the complex threat landscape that surrounds PACS.

Consider This Scenario…

A physician orders an MRI using a computerized physician order entry (CPOE) system. The order is transmitted using a variety of electronic methods, or maybe a paper copy, and is recorded in an electronic medical record (EMR) system. It then makes its way to a radiology information system (RIS) and over to the modality, so that when the technician gets ready to do the MRI, he has all of the patient’s demographic information. The modality controls the image-making process. Once the image has been taken, the technician may do an initial review of it, and it is then sent to the PACS. Creation, transmission and storage of the image are done using the Digital Imaging and Communications in Medicine (DICOM) standard. The image can be stored on a DICOM server, a web server, or a database, or in a vendor-neutral archive.

Most health systems have thousands of DICOM records, so archiving is a big deal. They're almost larger than some of the electronic medical systems for some organizations – tons and tons and tons of DICOM files. Once the picture is done, someone on the clinical side of the house needs to read it. We might see a DICOM viewer station, a PACS workstation or an administrative workstation used to conduct this work. Organizations commonly subcontract or have business associate agreements with radiology companies that do the reading for them and then send the resulting analysis back through the archive process and out to the EMR system. So it's a two-way flow of communications from the time the image is taken, stored, read, and analyzed, going back through an HL7 interface and then over to the clinical information system. A lot of moving parts.

Analyzing the Risk of Data Exposure

Clearwater’s role in the NCCoE project was to analyze the data flow and storage from a risk perspective. Starting with a general PACS architecture, our team used Clearwater’s IRM|Analysis™ to identify the reasonably anticipated threats and vulnerabilities associated with the components identified in the architecture. Evaluating the components and the flow of information helped us understand the risks to data both at rest and in transit.

In order to capture risk effectively, you need to understand how PACS manifest themselves within a health system. That means looking at where these systems live – radiology departments, cardiology departments, oncology, pathology. Some may live in small orthopedic centers or small surgery centers. Larger urgent care centers often have some type of PACS equipment. It can be quite a distributed system if you have a health system with multiple locations and multiple types of care delivery that it provides to patients.

There are a number of roles that interact with PACS. There are clinicians, of course, but many organizations have technicians who capture the images themselves. There are information technology staff who support them. And when we look at the actors that interact with PACS, we're talking about the modalities, the hospital information systems and healthcare records. All of these things interconnect.

When evaluating PACS systems, controls like role-based access and intrusion prevention systems should be considered. Digging deeper and looking at anomalies and event management is also important. How are those being reported? How do we know when something is unusual and we need to investigate? Are network segmentation and endpoint protection employed? If we have a system that isn't as current, we might want to put that on a separate layer of the network so that we can better secure it. These are some of the control considerations we identified in thinking about how to better secure PACS.

The NCCoE project produced three guides that are out for public review and comment right now. You can access them on the NCCoE website here. There is an executive guide that gives an overview of PACS; an Approach, Architecture and Security Characteristics guide, which goes a little bit deeper, talking about the different configurations of PACS – what those touchpoints are and the things that you might want to look at in terms of security; and How-To Guides that take those different touchpoints, where the information passes through all of these different systems, and talk about how to protect them.

We encourage you to review the guides and reach out with your comments and questions. Contact Jeff Powell, who takes point on our with organizations in Southern California, at

PACS play an important role in care delivery, and it is our hope that by contributing our expertise and software tools to the NCCoE project, healthcare organizations can maintain timely access to imaging with data less vulnerable to being altered or misdirected and patient privacy protected.