Noting the vulnerability of picture archiving and communication systems (PACS), the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has identified some best practices to help secure the medical imaging ecosystem and released a draft guideline document.
NCCoE built a laboratory to emulate a medical imaging environment, performed a risk assessment and identified controls from the NIST Cybersecurity Framework to secure the medical imaging ecosystem.
NIST notes that securing PACS presents several challenges. PACS fits within a highly complex healthcare delivery organization environment that includes back-office systems, electronic health record systems, and pharmacy and laboratory systems, as well as an array of electronic medical devices. Various departments have unique medical imaging needs and may operate their own PACS or other medical imaging archiving systems. In addition, health systems may use external medical imaging specialists when reviewing patient medical data. “The PACS ecosystem, therefore, may include multiple systems for managing medical imaging data, along with a diverse clinical user community, accessing PACS from different locations. This complexity leads to cybersecurity challenges,” according to ta NIST report.
PACS’ vulnerabilities could impede the timely diagnosis and treatment of patients, if medical images are altered or misdirected. These vulnerabilities could also expose a health system to risks of significant data loss, malware and ransomware attacks, and unauthorized access to other parts of an enterprise network.
The NIST Cybersecurity Practice Guide features a reference architecture using commercially available, standards-based tools and technologies demonstrating how patient-care organizations can securely configure and deploy PACS. The reference architecture includes technical and process controls to implement:
• a defense-in-depth solution, including network zoning that allows for more granular control of network traffic flows and limits communications capabilities to the minimum necessary to support business function;
• access control mechanisms that include multifactor authentication for care providers, certificate-based authentication for imaging devices and clinical systems, and mechanisms that limit vendor remote support to medical imaging components; and
• a holistic risk management approach that includes medical device asset management, augmenting enterprise security controls and leveraging behavioral analytic tools for near real-time threat and vulnerability management in conjunction with managed security solution providers.
In building the reference architecture, the NCCoE sought existing technologies that provided the following capabilities:
• role-based access control
• authentication
• network access control
• endpoint protection
• network and communication protection
• micro segmentation
• behavioral analytics
• tools that use cyber threat intelligence
• anti-malware
• data security
• segregation of duties
• restoration and recoverability
• cloud storage
The NCCoE said its practice guide can help an organization:
• improve resilience in the network infrastructure, including limiting a threat actor’s ability to leverage components as pivot points to attack other parts of the health system environment;
• limit unauthorized movement within the environment by authorized system users to address the “insider threat” as well as unauthorized actors once they gain network access;
• analyze behavior and detect malware throughout the ecosystem to enable health systems to determine when components evidence compromise and to enable those organizations to limit the effects of a potential advanced persistent threat such as ransomware;
• secure sensitive data (e.g., personally identifiable information or protected health information) at rest and in transit, limiting adversarial ability to exfiltrate or expose that data;
• consider and address risks that may be identified as health systems examine cloud solutions as part of managing their medical imaging infrastructure.