
PAC(S) of Trust: A Glimpse into Healthcare Security

Updated: Nov 15, 2022

From autonomous driving to your TV screen, machines are everywhere, but the most direct connection between man and machine is in the field of healthcare. The sacred bond between artificial intelligence and the countless arrays of patient data fed into it is one that is commonly overlooked (think about it: how many times have you explicitly looked for AI during your yearly physical?) and, unfortunately, needs to be secured better. With the cryptic way that AI spits out results after hours of analyzing pages of data, it’s easy to be lulled into a false sense of security: the belief that your data and information are stashed safely away in the webs of the Internet. In the mad rush of a doctor’s appointment, it’s even easier to assume that your physician will protect your information in that one manila folder they always seem to use. However, your information does go places. It eventually becomes part of a larger dataset that feeds into medical advancements. That’s why it’s important to understand how it’s protected, used, and transported across the globe.


In radiology--a medical field dedicated to generating images for diagnosis and treatment--the standard image storage systems developed decades ago are still insecure. The most common is Digital Imaging and Communications in Medicine (DICOM), which was first developed in the mid-1980s and has since been widely adopted by hospitals and by smaller practices, like dentists’ offices. Put simply, DICOM is a standard file format used to transfer medical images--MRIs, CT scans, ultrasounds, and so on--between health care professionals. DICOM images can then be stored on Picture Archiving and Communication Systems (PACS) for machine learning processes and future access.

Yet in spite of DICOM’s popularity and standard usage across the globe, its data is still highly vulnerable. Anyone who knows the IP address, password, or ports associated with a PACS system can access and download the hundreds of photos stored on it. With over 1.19 billion DICOM images on PACS servers across the world (see Figure 1 below), the healthcare data of 114.5 million patients are publicly available. Additionally, 75% of DICOM images include Social Security numbers, adding an extra layer of danger if any of these files fall into malicious hands.
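To see what that exposure looks like inside a single file, here is an added example (not part of the original post) of a check a hospital could run on its own DICOM files before they are stored or shared: it reads the header and reports patient tags that are filled in or hold an SSN-like number. It assumes Explicit VR Little Endian encoding and that the number sits in the PatientID tag; the function names and the sample file are constructed for illustration.

```python
import re
import struct

# Explicit VR: these VRs use 2 reserved bytes + a 4-byte length; the rest use a 2-byte length.
LONG_VRS = {b"OB", b"OD", b"OF", b"OL", b"OV", b"OW", b"SQ", b"SV", b"UC", b"UN", b"UR", b"UT", b"UV"}
# Standard patient-module tags that carry identifiers.
PATIENT_TAGS = {(0x0010, 0x0010): "PatientName", (0x0010, 0x0020): "PatientID",
                (0x0010, 0x0030): "PatientBirthDate", (0x0010, 0x1000): "OtherPatientIDs"}
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")  # heuristic: any 9-digit run also matches

def iter_elements(data):
    """Yield (tag, value bytes) from an Explicit VR Little Endian Part 10 file."""
    if data[128:132] != b"DICM":  # 128-byte preamble, then the magic
        raise ValueError("not a DICOM Part 10 file")
    pos = 132
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:  # undefined-length sequence: not handled here
            break
        yield (group, elem), data[pos:pos + length]
        pos += length

def audit(data):
    """Return {tag name: flags} for every populated patient-identifying tag."""
    report = {}
    for tag, raw in iter_elements(data):
        text = raw.decode("ascii", "replace").strip(" \x00")
        if tag in PATIENT_TAGS and text:
            report[PATIENT_TAGS[tag]] = ["populated"] + (["ssn-like"] if SSN_RE.search(text) else [])
    return report

def _el(group, elem, vr, value):
    value += b" " * (len(value) % 2)  # values are padded to even length
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value

# Constructed sample header: made-up patient, SSN-format number in PatientID.
SAMPLE = (b"\x00" * 128 + b"DICM"
          + _el(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1")
          + _el(0x0008, 0x0060, b"CS", b"CT")
          + _el(0x0010, 0x0010, b"PN", b"DOE^JANE")
          + _el(0x0010, 0x0020, b"LO", b"000-12-3456"))
```

Any tag this reports is a candidate for de-identification before the image leaves the clinic or enters a research dataset.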

DICOM security is a global threat, but it is especially an issue in the United States. The US alone hosts most of the 2,774 unprotected servers along the East Coast and California. As PACS continues to grow, so does the number of vulnerabilities.


Figure 1. Map of Exposed Medical Images on PACS Servers. Recently generated by researchers who submitted to the HIPAA Journal, this map shows the number of exposed PACS servers in the United States.


As technology continues to advance and automate healthcare, it will be vital to add encryption and tailored cybersecurity to DICOM and PACS to prevent a flood of outside attacks. Even now, there is a whole discussion surrounding what more can be done to regulate and govern the development of artificial intelligence in healthcare:

  • Why must we govern AI in the first place if it will be used globally?

  • How do we ensure AI can fit into in-person interactions?

  • Who would be liable for AI malfunctions? What legal consequences should be in place?

  • Are doctors, professionals, and patients even aware of what could go wrong? Are we entitled to this information?

  • Can AI prioritize the livelihood of patients in the same way doctors can?

  • Will we need an additional layer of insurance for AI healthcare?

  • In what way can we ensure standard systems, like DICOM and PACS, do not become obsolete? Can they co-exist with AI?

It is this list of questions, amongst an endless galaxy of others, that DICOM and PACS bring to light. It is this list of questions that continues the fight for securing AI in healthcare and beyond. And it is this list of questions that will continue to be addressed in our eternal blog: That’s What You Want Me to Think.

- Clarise Liu
