TLP:White — Picture Archiving Communication Systems (PACS) Vulnerability

Health Sector Cybersecurity Coordination Center (HC3)

Sector Alert

December 15, 2020

TLP: White

Report: 202012151600

Picture Archiving Communication Systems (PACS) Vulnerability

Executive Summary

Picture Archiving Communication Systems (PACS) are widely used by hospitals, research institutions, clinics and small healthcare practices for sharing patient data and medical images. In 2019, researchers disclosed a vulnerability in these systems that if exploited could potentially expose patient data. This is truly concerning due to the ability for Vulnerable PACS servers to easily be discovered via simple open source scanning tools. If left unpatched these systems can expose patient records to unauthorized access. There continues to be a number of unpatched PACs servers visible and HC3 is once again recommending that entities patch their systems immediately.


PACS was developed to assist the transition from analog to digital storage for medical images. PACS servers obtain images such as Ultrasound, CT, MRI and radiography and store them into the Digital Imaging and Communications in Medicine (DICOM) format. The use of the DICOM standard introduces an ability to insert malicious code into imaging files. In early September 2019, researchers identified thousands of vulnerable PACS servers within the US Healthcare sector.

Figure 1: DICOM Protocol/Format. Radiology produces Xrays, CTs, and MRIs. Through the DICOM protocol this go to Archiving system PACs. Then Archiving system Pacs then communicate with an Image viewer DICOM through DICOM protocol and TCP104/11112.


Vulnerable PACS servers face additional exposure when directly connected to the internet without a firewall, virtual private network (VPN) or secure password. These vulnerabilities range from known default passwords, hardcoded credentials and lack of authentication within third party software. Successful exploitation of these vulnerabilities can expose patients’ medical data, including patient names, examination dates, images, physician names, dates of birth, procedure types, procedure locations and social security numbers. Through exploitation of the DICOM protocol, installation of malicious code can be used to manipulate medical diagnosis, falsify scans, install malware, sabotage research, etc. Such threats could allow an attacker to compromise connected clinical devices and laterally spread malicious code to other parts of the network undetected.

Vulnerable Systems

The following systems/products are affected by these vulnerabilities per the Department of Homeland Security:

  • Optima 520, which are medical imaging systems, all versions,
  • Optima 540, which are medical imaging systems, all versions,
  • Optima 640, which are medical imaging systems, all versions,
  • Optima 680, which are medical imaging systems, all versions,
  • Discovery NM530c, which is a nuclear medical imaging system, versions prior to Version 1.003,
  • Discovery NM750b, which is a dedicated breast imaging system, versions prior to Version 2.003,
  • Discovery XR656 and Discovery XR656 Plus, which are digital radiographic imaging systems, all versions,
  • Revolution XQ/i, which is a medical imaging system, all versions,
  • THUNIS-800+, which is a stationary diagnostic radiographic and fluoroscopic X-ray system, all versions,
  • Centricity PACS Server, which is used to support a medical imaging archiving and communication system, all versions,
  • Centricity PACS RA1000, which is used for diagnostic image analysis, all versions,
  • Centricity PACS-IW, which is an integrated web-based system for medical imaging, all versions including Version and Version,
  • Centricity DMS, which is a data management software, all versions,
  • Discovery VH / Millenium VG, which are nuclear medical imaging systems, all versions,
  • eNTEGRA 2.0/2.5 Processing and Review Workstation, which is a nuclear medicine workstation for displaying, archiving, and communicating medical imaging, all versions,
  • CADstream, which is a medical imaging software, all versions,
  • Optima MR360, which is a medical imaging system, all versions,
  • GEMNet License server (EchoServer), all versions,
  • Image Vault 3.x medical imaging software, all versions
  • Infinia / Infinia with Hawkeye 4 / 1, which are medical imaging systems, all versions,
  • Millenium MG / Millenium NC / Millenium MyoSIGHT, which are nuclear medical imaging systems, all versions,
  • Precision MP/i, which is a medical imaging system, all versions, and
  • Xeleris 1.0 / 1.1 / 2.1 / 3.0 / 3.1, which are medical imaging workstations, all versions.

Patches, Mitigations & Workarounds:

The primary mechanism for protection against these vulnerabilities is to patch the impacted systems and ensure that patches are regularly applied. Due to the range of different patches available HC3 recommended that entities check their specific manufacture’s website for detailed patch information.

Updated patches for specified PACS products are the best option as a patched vulnerability can no longer be exploited. HC3 also recommend the following mitigation actions:

  • Implement a secure password on all PACS systems.
  • Close all unused ports on affected systems.
  • Enable encryption between the hosts in their PACS network using proper SSL certificates.
  • Where possible, discontinue or limit the use of non-product-related third-party software, such as email and web browser software on the affected system.
  • Ensure that affected systems have applied the most current vendor-issued patches available.
  • Restrict network access to affected systems and ensure they are not directly accessible from the Internet.
  • Implement network segmentation, and use DMZs with properly configured firewalls to selectively control, and monitor all traffic passed between zones and systems.
  • Utilize full disk encryption capabilities to protect data on medical devices.
  • When remote access is required, use secure methods such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.







Millions of Medical Images Exposed, as US Fails to Secure PACS Flaws

DICOM file security: How malware can hide behind HIPAA-protected images

Millions of Americans’ Medical Images and Data Are Available on the Internet. Anyone Can Take a Peek.

Confidential patient data freely accessible on the internet

Billions of images left vulnerable online due to unsecured PACS

Related Resources

AHA Center for Health Innovation Market Scan
Health care is under attack as never before from cybercriminals, and the stakes are rising for hospitals and patient safety. The latest potential threat: The…
Advancing Health Podcast
Over the past few years every leader of health care organization in the country has had to acknowledge the threat of a cyberattack that has the potential to…
Advancing Health Podcast
In this special Cybersecurity podcast we have the opportunity to talk to leaders of an AHA member hospital who was a victim of a major ransomware attack in the…
AHA letter to Senators Jack Rosen and Bill Cassidy, M.D. voicing support of the Healthcare Cybersecurity Act (S.3904).
President Biden today urged an immediate hardening of private-sector cyber defenses “based on evolving intelligence that the Russian Government is exploring…
Special Bulletin
The Senate last night passed a $1.5 trillion omnibus appropriations bill that would fund the federal government through the end of the current fiscal year.