NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem

The National Cybersecurity Center of Excellence (NCCoE) has issued draft NIST guidelines for securing the picture archiving and communications system (PACS) ecosystem.

The guidelines – NIST Cybersecurity Practice Guide, SP 1800-24 – have been written for health healthcare delivery organizations (HDOs) to help them secure their PACS and reduce the probability of a data breach and data loss, protect patient privacy, and ensure the integrity of medical images while minimizing disruption to hospital systems.

PACS is used by virtually all HDOs for storing, viewing, and sharing digital medical images. The systems make it easy for healthcare professionals to access and share medical images to speed up diagnosis.

The system can often be accessed via desktops, laptops, and mobile devices and a PACS may also link to electronic health records, other hospital systems, regulatory registries, and government, academic, and commercial archives.

With many users and devices and interactions with multiple systems, HDOs can face challenges securing their PACS ecosystem, especially without having a negative impact on user productivity and system performance.

Key challenges include controlling, monitoring, and auditing user accounts, identifying outliers in user behavior, enforcing the rule of least privilege, creating separation-of-duties policies for internal and external users, monitoring and securing internal and external connections to the system, and ensuring data integrity as images move across the enterprise.

The Healthcare PACS Project identifies the individuals who interact with the system, defines their interactions, performs a risk assessment, and identifies commercially available mitigating security technologies.

The guidance document explains the best approach and architecture to adopt, along with the characteristics of a secure PACS. Included are how-to-guides and an example implementation that uses commercially available technologies to implement stronger security controls to create a much more secure PACS ecosystem.

The guidance document was developed with assistance from several PACS system developers and cybersecurity companies, including Cisco, Digicert, Forescout, Philips, Hylans, Symantec, Tripwire, Virta Labs, Zingbox, and Clearwater Compliance.

NCCoE is seeking feedback from HDOs and healthcare industry stakeholders on the new guidance until November 18, 2019. The draft guidance can be downloaded from the NCCoE website on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.