Advancements in medical imaging technology are helping patients get diagnosed and treated more quickly and effectively. But unsecured systems can open the door to breaches of patient data and could potentially risk patient safety. Our Securing Picture Archiving and Communication System guidance shows how healthcare delivery organizations can take advantage of these technologies while also ensuring patient data is protected.
Jennifer Cawthra, NIST NCCoE Healthcare Sector Lead
The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) is proud to release a new practice guide – NIST Special Publication 1800-24, Securing Picture Archiving and Communication System (PACS) – to help healthcare delivery organizations (HDOs) protect patient images and other pertinent medical data. The NCCoE is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity challenges. This practice guide represents the NCCoE’s dedication to the public interest and the critical cybersecurity matters within the healthcare sector.
The guide can be used by any organization that is deploying PACS and medical imaging systems, and that is willing to perform its own risk assessment and implement controls based on its risk posture. Both standards and best practices were used to develop two reference designs leveraging commercially available technologies. The guide also maps capabilities to NIST guidance and control families, including the NIST Cybersecurity Framework.
TDi’s flagship product, the ConsoleWorks Cybersecurity & Operations Platform, is one of the commercial solutions used in this project’s example implementations, alongside products from the other collaborating vendors, and is mapped to NIST Cybersecurity Framework capabilities in the guide.
To complete this guide, the NCCoE collaborated with other technology vendors, including Cisco, Clearwater Compliance, Digicert, Forescout, Hyland, Philips, Symantec, Tempered Networks, Tripwire, Virta Labs, and Zingbox.
The NCCoE believes the guide helps meet a critical cybersecurity and economic need, but we want to hear from you. Please share your thoughts on this step-by-step guide so it can be improved. Download the draft guide and provide your feedback on the NCCoE comment page. The public comment period closes on November 18, 2019.
FAQs related to PACS
Why did the National Cybersecurity Center of Excellence (NCCoE) create this guide?
Healthcare is a part of the nation’s critical infrastructure, and vulnerabilities within this sector have the potential to result in breaches of patient data or risks to patient safety. These vulnerabilities could also expose an HDO to risks of significant data loss, malware and ransomware attacks, and unauthorized access to other parts of an HDO enterprise network. The NCCoE’s mission is to accelerate the adoption of secure technologies to address critical cybersecurity challenges in key industry sectors. To learn more about the NCCoE’s cybersecurity efforts in healthcare, visit nccoe.nist.gov/healthcare.
What is this practice guide about?
This guide provides practical, real-world guidance to healthcare providers interested in implementing an example solution to securely configure and deploy a PACS ecosystem. The guide also contains several risk-based scenarios detailing the approach, covering risk assessment and analysis; logical design; example build development, functional test and evaluation; and security control mapping.
What is the scope of this project?
The NCCoE project focused on securing the environment around the PACS ecosystem, not on reengineering medical devices or altering medical imaging processes themselves. The project has produced a standards-based practice guide that is applicable to the wider healthcare ecosystem. The guide is derived from the implementation of a secure PACS in a laboratory environment at the NCCoE that replicates parts of a typical HDO environment. The project considers PACS users internal to the HDO as well as external users and partners who need access to certain components of the HDO environment.
Will healthcare executives find value in this practice guide?
Yes! The NCCoE’s Securing Picture Archiving and Communication System (PACS) Practice Guide can help an organization:
- Improve resilience in its network infrastructure, including limiting a threat actor’s ability to leverage components as pivot points to attack other parts of the HDO’s environment.
- Limit unauthorized movement within the HDO environment, both by authorized system users (addressing the “insider threat”) and by unauthorized actors once they gain network access.
- Analyze behavior and detect malware throughout the ecosystem to enable HDOs to determine when components have been compromised and enable those organizations to limit the effects of a potential advanced persistent threat such as ransomware.
- Secure sensitive data (e.g., personally identifiable information or protected health information) at rest and in transit, limiting adversarial ability to exfiltrate or expose that data.
- Consider and address risks that may be identified as HDOs examine cloud solutions as part of managing their medical imaging infrastructure.
Will healthcare information technology (IT) professionals find value in this practice guide?
- Clear instructions—The how-to portion of the guide, Volume C, replicates the example implementations created in the NCCoE’s lab and provides specific product installation, configuration, and integration instructions. Rather than re-creating the product manufacturers’ documentation, which is generally widely available, we show how to integrate the products to re-create the example implementations.
- The technology is commercially available and adaptable—A suite of commercial products was used to build the example implementations in our lab (this guide does not endorse these products). An organization can replicate the example implementation(s) in its environment, or can use this guide as a starting point for tailoring and implementing parts of the NCCoE’s risk assessment and deploying a defense-in-depth strategy. An organization’s security experts should identify the products that will best integrate with its existing tools and IT system infrastructure.
- The guide maps to both NIST cybersecurity and industry standards—IT professionals can use our step-by-step guide to implement the example solution. Volume B, Section 3, lists the standards and guidance that influenced the development of the example implementation. Section 3.6 in Volume B lists the products and technology used in this project and the Cybersecurity Framework Subcategory (security control) that each product provides for the example implementations.
- Expert-vetted architecture and reference designs—The guide leverages expertise from NIST and industry IT thought leaders, in collaboration with leaders from the healthcare sector, to review the architecture and vet the standards-based reference designs. The reference designs are modular and can be deployed in whole or in part, providing healthcare delivery organizations and other enterprises with the detailed information they need to replicate the securing-PACS example implementations.
*While the example implementation uses certain products, NIST and the NCCoE do not endorse these products. The guide presents the characteristics and capabilities of those products, which an organization’s security experts can use to identify similar standards-based products that will fit within their organization’s existing tools and infrastructure.