ProPublica Investigation Reveals Massive Security Issue with PACS Systems – Make Sure Your Healthcare Organization Stays HIPAA-Compliant

John Deutsch


Posted on September 23, 2019

A ProPublica investigation found that a number of commonly used PACS (picture archiving and communication system) servers left the medical images and associated health records of millions of people unprotected by passwords and reachable from the public internet. In many cases, the records could be viewed in an ordinary web browser, without installing any special software.

Ransomware attacks and HIPAA breaches have made headlines in the last few years, but this exposure is different in how little effort it took to reach the records. No “hacking” was required to view medical records stored on servers from companies like MobilexUSA or OffsiteImage: anyone with the right URL could open them, because the servers answered requests without asking for credentials. Shockingly little thought had gone into making sure the records were stored securely. More than any other PHI exposure in recent years, this story forces healthcare organizations and medical software companies to ask who is really responsible for making sure PHI is stored in a HIPAA-compliant way.

Who’s to Blame: Software Vendor, or Healthcare Organization?

Companies that create PACS or other medical software often assume that their customer – the clinic, hospital, or healthcare system – already has safeguards in place that will be applied to their software, as well as an IT team well-versed in HIPAA who’ll know how to properly implement the software.  Meanwhile, the healthcare organization assumes that the medical software they’re buying already meets HIPAA requirements. The result is a disconnect where each side assumes the other is “handling it,” without actually knowing anything about the other’s systems and processes.

When it comes to medical software and hosting, HIPAA compliance should be a shared responsibility between the vendor and the healthcare organization. Some safeguards clearly have to be handled by the organization itself, such as:

  • Strong access control and audit mechanisms
  • Network segmentation and flow control around the systems that store PHI
  • Real-time threat and vulnerability management
  • A holistic risk management policy

But the onus is also on medical software developers, website developers, and hosting companies to provide a HIPAA-compliant service, as well as to work with their clients to make sure the implementation of their products follows HIPAA guidelines.
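The exposure pattern described above is also the easiest one to test for from the outside: send a request to your own imaging endpoint with no credentials at all and see whether it answers with an authentication challenge or with data. The Python below is an added example written for this post, not code from Medical Web Experts, ProPublica, or any PACS vendor. The hostname and path are placeholders, and the DICOMweb-style JSON used to exercise the classifier is constructed sample data. Run it only against systems you own or are authorized to test, and note that it checks the HTTP front end only; the DICOM protocol itself (commonly TCP port 104) needs a separate check.

```python
"""Unauthenticated-exposure check for a PACS / imaging web endpoint.

Added example for this post (not from the original page or any vendor).
The URL, hostname and path below are placeholders; point it at your own system.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Verdict:
    exposed: bool   # True = the server served data without asking for credentials
    reason: str


def classify(status: int, headers: dict, body: bytes) -> Verdict:
    """Decide whether a request sent WITHOUT credentials was served PHI.

    A correctly protected endpoint answers 401/403 or redirects to a login
    page. A 200 carrying DICOM objects, images, or a non-empty DICOMweb
    study list is exactly the "anyone with the URL" exposure.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").lower()
    lower_body = body.lower()

    if status in (401, 407):
        return Verdict(False, f"authentication challenge (HTTP {status})")
    if status == 403:
        return Verdict(False, "forbidden without credentials (HTTP 403)")
    if 300 <= status < 400:
        target = h.get("location", "").lower()
        if "login" in target or "auth" in target or "sso" in target:
            return Verdict(False, f"redirected to login at {target}")
        return Verdict(False, f"redirect (HTTP {status}); inspect target manually")
    if status == 200:
        if "json" in ctype:
            # DICOMweb QIDO-RS (e.g. /studies) returns a JSON list of study records.
            try:
                data = json.loads(body.decode("utf-8", "replace"))
            except json.JSONDecodeError:
                return Verdict(True, "200 OK with unparseable JSON; inspect manually")
            if isinstance(data, list):
                if data:
                    return Verdict(True, f"{len(data)} study record(s) returned without credentials")
                return Verdict(False, "empty result set")
            return Verdict(True, "JSON object returned without credentials; inspect manually")
        if ctype.startswith("application/dicom") or ctype.startswith("image/"):
            return Verdict(True, f"{ctype} returned without credentials")
        if b"<form" in lower_body and b"password" in lower_body:
            return Verdict(False, "login form served")
        return Verdict(True, "200 OK with no authentication challenge; inspect manually")
    return Verdict(False, f"HTTP {status}; no data returned")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of silently following them,
    so a redirect-to-login is recognised as such rather than as a 200 login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, timeout: float = 10.0) -> Verdict:
    """Send ONE request with no cookies and no Authorization header, then classify the reply."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"Accept": "application/dicom+json, */*"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers), resp.read(65536))
    except urllib.error.HTTPError as err:
        # 3xx/4xx/5xx land here; the body is still readable.
        return classify(err.code, dict(err.headers), err.read(65536))


if __name__ == "__main__":
    import sys
    # Placeholder URL: replace with your own PACS / DICOMweb endpoint.
    targets = sys.argv[1:] or ["https://pacs.example.invalid/dicom-web/studies"]
    for target in targets:
        try:
            verdict = probe(target)
        except (urllib.error.URLError, OSError) as exc:
            print(f"{target}: could not connect ({exc})")
            continue
        print(f"{target}: {'EXPOSED' if verdict.exposed else 'ok'} - {verdict.reason}")
```

A result of EXPOSED from a network you do not control (a home connection or a cloud VM, not the hospital LAN) is the condition the investigation describes and should be treated as an incident, not a configuration note. The classifier deliberately errs toward flagging: a 200 it cannot interpret is reported for manual inspection rather than assumed safe.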

Though a healthcare organization should expect HIPAA compliance from its software vendors, it should also be putting its own protections in place. Medical Web Experts offers a number of web-based solutions to control, audit, and monitor access to PHI.

To learn more about our HIPAA-compliant services, contact us online.

John Deutsch


Founder and CCO of MWE, and business owner of 19 years with extensive experience in Healthcare IT. John is a Judge for the 2020 eHealthcare Leadership Awards and has appeared on multiple podcasts, including the Outcomes Rocket Podcast and the Hospital Finance Podcast.
