Over the last quarter century, PACS (Picture Archiving and Communication System) has become the standard imaging infrastructure in most radiology departments. PACS replaces film with digital storage, enabling radiologists to view, share, and archive images like X-rays and MRIs electronically, often from remote locations. It integrates with systems like radiology information systems (RIS) and electronic health records (EHRs) and uses the DICOM standard to ensure compatibility across devices, streamlining workflows and supporting long-term access.
Cloud (or cloud-based) PACS began to appear in the late 2000s as cloud technology advanced, offering off-site storage and remote access. By the early to mid-2010s, adoption picked up as healthcare providers sought more scalable, cost-effective imaging solutions. Today, cloud PACS is widely used, especially in multi-site practices and digital-first healthcare systems.
Why Cloud PACS?
In many cases today, healthcare providers prefer cloud-based PACS over their data center cousins because the cloud allows them to cut infrastructure costs, simplify updates, and enable remote access. Cloud systems scale more easily, support teleradiology, and offer built-in security and disaster recovery. Unlike data center PACS, they require less hardware and IT support, making them more efficient and flexible.
The two approaches have different business models. Data center PACS primarily use a capital expenditures (CapEx) model that requires large upfront investments in computer hardware and software, which is then amortized across a number of years of use. Cloud PACS move from CapEx to primarily operational expenses (OpEx), which requires fewer capital expenditures and instead generates most of its revenues using a subscription model. This approach makes budgeting more predictable, reduces financial risk, and frees up capital for other priorities. The OpEx model gives organizations more flexibility to scale services and adapt to changing imaging volumes without being locked into costly infrastructure.
Beware the Shadow
However, no approach is free of pitfalls, and cloud PACS has one too: shadow PACS. This term mimics the more familiar “shadow IT,” which refers to the practice of individual users contracting for IT services like Dropbox, Google Drive, and WhatsApp without going through the IT department. Shadow IT involves less hassle to set up than going through the IT department, and therein lies the problem. If IT can’t see shadow IT, then the security team has no way to mitigate the associated risks, sometimes with significant, even catastrophic, results. Shadow IT has been the proximate cause of data breaches, fragmented workflows, and violations of privacy regulations like HIPAA.
In an analogous way, shadow PACS refers to unofficial or unauthorized imaging systems that operate outside of a hospital’s approved IT or radiology infrastructure. These systems often arise when individual departments, physicians, or clinics set up their own image storage or viewing tools—sometimes using personal devices, consumer cloud apps, or third-party platforms—without formal approval or oversight.
While the shadow PACS approach may seem convenient for users, it poses significant risks to the organization as a whole. Shadow PACS often lack proper encryption, access controls, audit trails, and disaster recovery plans. This can lead to data breaches, fragmented patient records, and serious compliance violations, particularly under regulations like HIPAA. Without integration into the official PACS and electronic health record systems, shadow PACS also hinder collaboration and continuity of care. Ultimately, what begins as a workaround can undermine both patient safety and institutional security.
Hidden Costs Lurk in the Shadow PACS
Beyond those security risks, shadow PACS can lead to significant and unnecessary costs for healthcare organizations. For starters, they can create costly redundancies—images may be stored multiple times across disconnected platforms, driving up storage expenses, especially in cloud environments. Departments might also pay for separate licenses or services that duplicate existing enterprise contracts.
Shadow PACS can drain IT resources when staff are forced to support or troubleshoot systems they didn’t deploy. More critically, because these systems often lack proper security and audit controls, they pose serious compliance risks. A HIPAA violation resulting from unmonitored data storage or access could lead to fines or legal action. Additionally, if an organization later tries to unify its imaging data, reconciling and migrating data from shadow systems can require expensive normalization efforts. In short, shadow PACS not only undermine security—they can quietly bleed budgets.
Shadow PACS In Action
Consider this real-world example: a significant breach linked to shadow PACS occurred in December 2023. Cybersecurity researchers from Aplite discovered over 3,800 improperly secured DICOM servers across more than 110 countries, exposing the personal health information of approximately 16 million patients. These servers, often set up without proper IT oversight, lacked basic security measures such as encryption and password protection. Notably, over 70% of these exposed servers were hosted on major cloud platforms like Amazon AWS and Microsoft Azure, indicating that even cloud-hosted systems can be vulnerable if not properly configured. The exposed data included patient names, addresses, phone numbers, and, in some cases, Social Security numbers. This incident underscores the critical risks associated with unauthorized or poorly managed PACS implementations. (TechCrunch)
“Can We Get a Little Help Here?”
It’s good business practice to work with a Managed Service Provider (MSP) for your cloud-based PACS implementation, and that’s especially true in the key areas of information security and compliance concerns. An MSP can streamline the transition to cloud PACS by handling both strategic planning and hands-on implementation. During planning, your MSP can assess technical needs, forecast costs, and ensure compliance with healthcare regulations. In implementation, the MSP can manage secure data migration, system integration with RIS/EHR, and performance validation.
MSPs also can provide continuous support, handling maintenance, updates, and security monitoring. Their extensive expertise in healthcare IT reduces the burden on internal IT teams and minimizes downtime, making the shift to cloud PACS more efficient, secure, and cost-effective.
How Cloudticity Can Help
Cloudticity can help organizations install and maintain cloud-based PACS systems by offering a combination of cloud-native expertise, compliance-focused infrastructure management, and 24/7 operational support tailored to the healthcare industry. Our healthcare-only focus makes us especially suited to helping organizations modernize legacy imaging systems with a secure, efficient cloud-native architecture.
Table: How MSPs Support Cloud-Based PACS
| PHASE | MSP ROLES | DETAILS |
| --- | --- | --- |
| Planning | Needs Assessment | Evaluate current imaging systems, storage, workflow, and integration requirements |
| | Cost Modeling | Compare OpEx (cloud) vs CapEx (on-prem), assist in long-term budget planning |
| | Compliance Strategy | Ensure architecture meets HIPAA, HITECH, and other privacy/security regulations |
| | Cloud Vendor Selection | Help choose the right cloud PACS provider and architecture based on workload and scalability |
| Implementation | Data Migration | Secure, phased migration of image archives with minimal disruption to clinical operations |
| | System Integration | Connect PACS to RIS, EHR, modalities, and ensure DICOM compatibility |
| | Testing & Validation | Perform functional, performance, and security testing |
| | Security Hardening | Configure firewalls, access controls, and data encryption protocols |
| Post Go-Live | Monitoring & Maintenance | Provide 24/7 uptime monitoring, patching, and performance tuning |
| | Backup & Disaster Recovery | Ensure automated backups and rapid recovery capabilities |
| | User Support | Offer helpdesk, training, and issue resolution for clinicians and IT staff |
| | Compliance Reporting | Generate audit-ready logs and documentation for regulators |