Senator Sends Letter to TridentUSA on PACS Server Security Lapses

By Fred Donovan

September 30, 2019 - Senator Mark Warner (D-VA) sent a letter Sept. 23 to TridentUSA seeking information about the storage of medical images on unsecured picture archiving and communication system (PACS) servers by its MobilexUSA subsidiary.

Warner cited a report about a data breach that left more than 16 million medical images exposed on PACS servers with no authentication requirements to access and download the images. These unprotected images, along with information on patients, were first discovered by ProPublica and German broadcaster Bayerischer Rundfunk.

One of the companies involved was MobilexUSA, which not only stored images on the unsecured servers but patient names, dates of birth, doctor, and procedures as well.

Dig Deeper

Healthcare Organizations Partner with Fujifilm for PACS, VNAs
Health System Consolidation, Mergers Impact PACS Vendor Selection

“It appears that the information held by MobileXUSA was made accessible due to sloppy cybersecurity practices—no software vulnerabilities were involved, and no explicit hacking was required,” Warner wrote in his letter.

While it is not always clear from HIPAA rules who bears responsibility for securing medical image storage and transform, “it is certainly the responsibility of companies like yours to control and secure sensitive medical data, maintain an audit trail of medical images, and to ensure the information is not publicly accessible,” Warner added.

Warner requested that that TridentUSA answer the following questions regarding the medical imaging breach:

1) HIPAA requires audit trails for PACS, which stores the data in centralized auditing databases with multiple audit layers. What audit and monitoring tools do you use to analyze the data to remain HIPAA compliant?

2) PAC server vulnerabilities are well known, however, their use of the DICOM protocol makes them easily accessible via the Internet. DICOM also enables PACS to communicate with neighboring systems in a medical or clinical process within a network of IP-enabled devices? Does your company require neighboring systems to comply with current standards and use access management controls?

3) What are your identity and access management controls for IP-addresses and/or port filters?

4) Do you require VPN or SSL to communicate with your PACS?

5) What is the frequency of your vulnerability scans and HIPAA-compliance audits?

6) What are your server encryption practices?

7) Do you have an internal security team or do you outsource it?

Warner gave TridentUSA until Oct. 9, 2019, to submit answers to those questions.

TridentUSA filed for Chapter 11 bankruptcy protection in February of this year. TridentUSA, which also owns American Diagnostic Services, Diagnostic Laboratories & Radiology, Schryver Medical, and US Laboratories, said its senior lender was providing $50 million in financing to maintain operations during the restructuring process.

“Our goal with this financial restructuring is to reduce the company's debt and provide the financial flexibility to invest in to enhance our competitive position. We are confident that the company will emerge from this process stronger than ever,” concluded CEO Andrei Soran

Security News

Senator Sends Letter to TridentUSA on PACS Server Security Lapses

Senator Mark Warner (D-VA) sent a letter Sept. 23 to TridentUSA seeking information about the storage of medical images on unsecured picture archiving and communication system (PACS) servers by its MobileXUSA subsidiary.

Next in Security