The Medical Imaging & Technology Alliance (MITA)—a trade association representing the manufacturers of medical imaging equipment, radiopharmaceuticals, contrast media, and focused ultrasound therapeutic devices—issued the following statement in response to the U.S. Department of Health and Human Services’ (HHS) report regarding health delivery organizations’ (HDO) unsecured picture archiving and communication systems (PACS). MITA is the secretariat for the Digital Imaging and Communications in Medicine (DICOM), the international standard to transmit, store, retrieve, print, process, and display medical imaging information.

Read HHS Warns Health PACS: Patient Data Vulnerable to Cyber Exploitation

“It’s important that all health delivery organizations take the necessary steps to mitigate exposure to cybersecurity threats,” says Patrick Hope, MITA executive director. “We encourage them to evaluate the security documentation provided with their PACS system—such as the Manufacturer Disclosure Statement for Medical Device Security (MDS2)—to determine how best to deploy their equipment in a safe and secure way. PACS systems are just one component that should be considered within an overall organizational cybersecurity strategy.”

The MDS2 supports security risk management within healthcare delivery organizations by providing standardized information on security control features integrated within medical devices. Manufacturers provide MDS2 on their product at the time of sale. 

Remote access to PACS technologies requires consideration of protections, risk assessment, and mitigation strategies by an HDO. HDOs should also take insider threats and the benefits of a zero-trust policy into account when evaluating cybersecurity protections. Finally, programs processing DICOM media files should continue to take precautions such as scanning the files with anti-virus software and not assuming they are safe. Import systems should disable file execution when reading CDs or DVDs. 

An HDO that suspects its PACS technologies may be vulnerable should contact their original equipment manufacturer’s service department, even if the system has been refurbished, advises Hope.