The Medical Imaging & Technology Alliance (MITA) issued the following statement in response to the U.S. Department of Health and Human Services’ (HHS) report regarding health delivery organizations’ (HDO) unsecured picture archiving and communication systems (PACS). MITA is the Secretariat for the Digital Imaging and Communications in Medicine (DICOM), the international Standard to transmit, store, retrieve, print, process and display medical imaging information.
“It’s important that all health delivery organizations take the necessary steps to mitigate exposure to cybersecurity threats,” said Patrick Hope, MITA executive director. “We encourage them to evaluate the security documentation provided with their PACS system – such as the Manufacturer Disclosure Statement for Medical Device Security (MDS2) – to determine how best to deploy their equipment in a safe and secure way. PACS systems are just one component that should be considered within an overall organizational cybersecurity strategy.”
The MDS2 supports security risk management within healthcare delivery organizations by providing standardized information on the security control features integrated within medical devices. Manufacturers provide the MDS2 for their products at the time of sale. The blank MDS2 may be found here.
An HDO that allows remote access to PACS systems needs to consider protections, risk assessment and mitigation strategies. HDOs should also take insider threats and the benefits of a zero-trust policy into account when evaluating cybersecurity protections. Finally, programs processing DICOM media files should continue to take precautions such as scanning the files with anti-virus software and not assuming they are safe. Import systems should disable file execution when reading CDs or DVDs.
An HDO that suspects its PACS systems may be vulnerable should contact its original equipment manufacturer’s service department, even if the system has been re-manufactured in the aftermarket. “The original equipment manufacturer is best positioned to evaluate the risks posed by any potential vulnerability and offer validated remediation or mitigations where appropriate,” added Hope.