NIST Recommends PACS Cybersecurity Practices

Sept. 18, 2019
Draft Practice Guide using commercially available tools to demonstrate how health systems can securely configure and deploy PACS

Noting the vulnerability of picture archiving and communication systems (PACS), the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has identified some best practices to help secure the medical imaging ecosystem and released a draft guideline document.

NCCoE built a laboratory to emulate a medical imaging environment, performed a risk assessment and identified controls from the NIST Cybersecurity Framework to secure the medical imaging ecosystem.

NIST notes that securing PACS presents several challenges. PACS sits within a highly complex healthcare delivery organization environment that includes back-office systems, electronic health record systems, and pharmacy and laboratory systems, as well as an array of electronic medical devices. Individual departments have their own medical imaging needs and may operate their own PACS or other medical imaging archives. In addition, health systems may rely on external medical imaging specialists to review patient data. “The PACS ecosystem, therefore, may include multiple systems for managing medical imaging data, along with a diverse clinical user community, accessing PACS from different locations. This complexity leads to cybersecurity challenges,” according to the NIST report.

PACS vulnerabilities could impede the timely diagnosis and treatment of patients if medical images are altered or misdirected. They could also expose a health system to significant data loss, malware and ransomware attacks, and unauthorized access to other parts of the enterprise network.

The NIST Cybersecurity Practice Guide features a reference architecture built from commercially available, standards-based tools and technologies that demonstrates how patient-care organizations can securely configure and deploy PACS. The reference architecture includes technical and process controls to implement:

• a defense-in-depth solution, including network zoning that allows for more granular control of network traffic flows and limits communications capabilities to the minimum necessary to support business function;

• access control mechanisms that include multifactor authentication for care providers, certificate-based authentication for imaging devices and clinical systems, and mechanisms that limit vendor remote support to medical imaging components; and

• a holistic risk management approach that includes medical device asset management, augmenting enterprise security controls and leveraging behavioral analytic tools for near real-time threat and vulnerability management in conjunction with managed security solution providers.
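The first bullet, network zoning that limits communications to the minimum necessary, is the control most easily turned into something checkable. The following is an added example, not code from the NIST practice guide: it models a hypothetical set of imaging zones as a deny-by-default allow-list between zones, evaluates constructed flow records against it, and renders the same policy as nftables rules. The zone names, subnets, and port choices (11112 and 104 for DICOM, 2575 for HL7 v2 over MLLP, 443 and 22 for vendor support) are assumptions made for the example. One DICOM detail the model captures: a C-MOVE retrieve initiated by a workstation causes the archive to open a new association back to the workstation, so a separate archive-to-workstation rule is needed rather than relying on the reverse direction of an existing flow.

```python
"""Deny-by-default zone policy for a PACS network (added example, not NIST's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Ports used in this model (assumptions, not taken from the guide): 11112 and 104
# are DICOM, 2575 is HL7 v2 over MLLP, 443 is a web viewer / vendor portal, 22 is SSH.
DICOM, DICOM_LEGACY, HL7_MLLP, HTTPS, SSH = 11112, 104, 2575, 443, 22

# Hypothetical zone layout; the subnets are constructed for the example.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "modality":      ipaddress.ip_network("10.10.1.0/24"),  # CT/MR/X-ray scanners
    "pacs":          ipaddress.ip_network("10.10.2.0/24"),  # archive and viewer servers
    "workstation":   ipaddress.ip_network("10.10.3.0/24"),  # radiologist reading stations
    "clinical":      ipaddress.ip_network("10.10.4.0/24"),  # RIS / EHR integration engines
    "vendor_remote": ipaddress.ip_network("10.10.9.0/24"),  # vendor support landing zone
    "enterprise":    ipaddress.ip_network("10.20.0.0/16"),  # everything else on campus
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: FrozenSet[int]
    why: str


# Allow-list between zones. Any (src, dst, port) not listed here is denied.
POLICY: Tuple[Rule, ...] = (
    Rule("modality", "pacs", frozenset({DICOM, DICOM_LEGACY}),
         "C-STORE: scanners push studies to the archive"),
    Rule("workstation", "pacs", frozenset({DICOM, HTTPS}),
         "C-FIND/C-MOVE queries and the web viewer"),
    Rule("pacs", "workstation", frozenset({DICOM}),
         "C-MOVE: the archive opens a new association back to the station's SCP"),
    Rule("pacs", "clinical", frozenset({HL7_MLLP}),
         "status and report messages to RIS/EHR"),
    Rule("clinical", "pacs", frozenset({HL7_MLLP}),
         "orders and patient demographics from RIS/EHR"),
    Rule("vendor_remote", "pacs", frozenset({SSH, HTTPS}),
         "vendor remote support, limited to imaging components"),
)


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(src_zone: str, dst_zone: str, port: int) -> bool:
    """Deny by default: only an explicit rule for this zone pair and port permits the flow."""
    return any(r.src == src_zone and r.dst == dst_zone and port in r.ports for r in POLICY)


def audit_flows(lines: List[str]) -> List[Tuple[str, str, int, str, str, bool]]:
    """Evaluate 'src_ip dst_ip dst_port' records against the policy.

    Returns (src_ip, dst_ip, port, src_zone, dst_zone, allowed) per record.
    """
    results = []
    for line in lines:
        src, dst, port_s = line.split()
        port = int(port_s)
        sz, dz = zone_of(src), zone_of(dst)
        results.append((src, dst, port, sz, dz, is_allowed(sz, dz, port)))
    return results


def denied_flows(lines: List[str]) -> List[Tuple[str, str, int, str, str, bool]]:
    """Only the records the policy would block; useful as a review list before enforcement."""
    return [r for r in audit_flows(lines) if not r[-1]]


def render_nftables(policy: Tuple[Rule, ...] = POLICY) -> List[str]:
    """Render the allow-list as nftables rules for a forward chain.

    Assumes an 'inet filter' table whose forward chain already has 'policy drop',
    so these accept rules are the only traffic that crosses zones.
    """
    out = []
    for r in policy:
        ports = ", ".join(str(p) for p in sorted(r.ports))
        out.append(f"add rule inet filter forward ip saddr {ZONES[r.src]} "
                   f"ip daddr {ZONES[r.dst]} tcp dport {{ {ports} }} accept")
    return out


# Constructed flow records: "src_ip dst_ip dst_port". Not real traffic.
SAMPLE_FLOWS = [
    "10.10.1.5 10.10.2.10 11112",   # scanner storing a study to the archive
    "10.10.3.7 10.10.2.10 11112",   # workstation query/retrieve
    "10.10.2.10 10.10.3.7 11112",   # archive pushing images back (C-MOVE)
    "10.10.9.3 10.10.2.10 22",      # vendor remote support to the PACS server
    "10.10.9.3 10.20.5.1 443",      # vendor landing zone reaching the enterprise: denied
    "10.10.3.7 10.10.1.5 22",       # workstation SSH to a scanner: denied
    "10.10.1.5 10.20.5.1 445",      # scanner talking SMB to the enterprise: denied
]

if __name__ == "__main__":
    for src, dst, port, sz, dz, ok in audit_flows(SAMPLE_FLOWS):
        print(f"{'ALLOW' if ok else 'DENY ':5} {sz:>13} -> {dz:<13} {src}:{port} -> {dst}")
    print("\n".join(render_nftables()))
```

The three denied records are the ones a zoning design is meant to catch: a vendor support host reaching beyond the imaging components it is there to service, a reading workstation touching a scanner directly, and a modality reaching enterprise file shares. Running the audit over real flow logs before switching the chain to `policy drop` surfaces undocumented dependencies (a PACS server that still syncs with an enterprise directory, for example) so they can be added as explicit rules instead of being discovered as an outage.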

In building the reference architecture, the NCCoE sought existing technologies that provided the following capabilities:

• role-based access control

• authentication

• network access control

• endpoint protection

• network and communication protection

• microsegmentation

• behavioral analytics

• tools that use cyber threat intelligence

• anti-malware

• data security

• segregation of duties

• restoration and recoverability

• cloud storage

The NCCoE said its practice guide can help an organization:

• improve resilience in the network infrastructure, including limiting a threat actor’s ability to use compromised components as pivot points to attack other parts of the health system environment;

• limit unauthorized movement within the environment by authorized system users, to address the “insider threat” as well as unauthorized actors once they gain network access;

• analyze behavior and detect malware throughout the ecosystem, so that health systems can determine when components show evidence of compromise and limit the effects of a potential advanced persistent threat such as ransomware;

• secure sensitive data (e.g., personally identifiable information or protected health information) at rest and in transit, limiting an adversary’s ability to exfiltrate or expose that data;

• consider and address the risks that arise as health systems examine cloud solutions as part of managing their medical imaging infrastructure.
