ProPublica Investigation Reveals Massive Security Issue with PACS Systems – Make Sure Your Healthcare Organization Stays HIPAA-Compliant

A ProPublica investigation found that a number of commonly used PACS (picture archiving and communication systems) software programs left the medical imaging results and health records of millions of people unprotected by passwords and easily available to the public. In many cases, the records could be viewed with an ordinary web browser, without installing any special software.

Ransomware attacks and HIPAA breaches have made headlines the last few years, but this violation is somewhat different because of how incredibly easy it was to access these records. No “hacking” was required to see medical records stored on servers from companies like MobilexUSA or OffsiteImage – anyone with the right URL could access them. There was shockingly little thought put into making sure the records were stored securely. More so than any other PHI breach in recent years, this story makes healthcare organizations and medical software companies question who’s really responsible for making sure PHI is stored in a HIPAA-compliant way.

Who’s to Blame: Software Vendor, or Healthcare Organization?

Companies that create PACS or other medical software often assume that their customer – the clinic, hospital, or healthcare system – already has safeguards in place that will be applied to their software, as well as an IT team well-versed in HIPAA who’ll know how to properly implement the software.  Meanwhile, the healthcare organization assumes that the medical software they’re buying already meets HIPAA requirements. The result is a disconnect where each side assumes the other is “handling it,” without actually knowing anything about the other’s systems and processes.

When it comes to medical software and hosting, HIPAA compliance should be a shared responsibility between the vendor and the healthcare organization.  There are clearly factors that need to be handled by the organization, such as:

  • Strong access control and audit mechanisms
  • Network segmentation and flow control that limit which systems can reach software that stores PHI
  • Real-time threat and vulnerability management
  • A holistic risk management policy

But the onus is also on medical software developers, website developers, and hosting companies to provide a HIPAA-compliant service, as well as to work with their clients to make sure the implementation of their products follows HIPAA guidelines.

Though a healthcare organization should expect HIPAA compliance from its software vendors, they should also be putting their own protections in place. Medical Web Experts offers a number of web-based solutions available to control, audit, and monitor access to PHI, such as:

To learn more about our HIPAA-compliant services, contact us online.

John Deutsch is the founder and Chief Compliance Officer at Medical Web Experts. He is a seasoned executive with 18 years of healthcare IT business ownership experience specializing in HIPAA compliance, patient engagement, marketing, and software/web development. John was the product owner for the implementation of a mobile app, which was awarded the eHealthcare Leadership Award for Best Patient Access & Convenience in a Medical Practice/Outpatient Facility. He has also appeared in podcasts like Outcomes Rocket and the Hospital Finance Podcast in addition to publications like Digital Health Buzz and Health Innovation Matters. John is also the founder and CEO of Bridge Patient Portal and Universe mHealth.
