NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has released final guidance for healthcare delivery organizations on securing the Picture Archiving and Communication System (PACS) ecosystem.

PACS is a medical imaging technology that is used to securely store and digitally transmit medical images such as MRIs, CT scans, and X-rays and associated clinical reports and is ubiquitous in healthcare. These systems eliminate the need to store, send, and receive medical images manually, and assist healthcare delivery organizations by allowing the images to be securely and cheaply stored offsite in the cloud. PACS allows medical images to be easily retrieved using PACS software from any location.

PACS is a system that by design cannot operate in isolation. In healthcare delivery organizations, PACS is usually integrated into highly complex environments and interfaces with many interconnected systems. The complexity of those environments means securing the PACS ecosystem can be a major challenge and it is easy for cybersecurity risks to be introduced that could easily compromise the confidentiality, integrity, and availability of the PACS ecosystem, protected health information (PHI), and any systems to which PACS connects.

In September 2019, a ProPublica report found 187 unprotected servers that were used to store and retrieve medical images. Those servers stored the medical images and associated PHI of more than 5 million patients in the United States. In some cases, the images could be accessed using a standard web browser and viewed using free-to-download software.

This year, the analyst team at CyberAngel scanned approximately 4.3 billion IP addresses worldwide and found 2,140 unprotected servers across 67 countries. Those servers were found to contain more than 45 million medical images. The images had up to 200 lines of metadata that included personally identifiable information and protected health information. According to the CyberAngel “Full Body Exposure” report, those images could be accessed via the Internet with a standard web browser. In some instances, login portals were present, but accepted blank username and password fields.

NIST released draft guidance on securing the PACS ecosystem shortly after the ProPublica report was published to help healthcare delivery organizations identify cybersecurity risks associated with PACS and implement stronger security controls while minimizing the impact and availability to PACS and other components.

The final version of the guidance includes a comprehensive set of cybersecurity standards and best practices to adopt to improve the security of the PACS ecosystem, with the guidance covering asset management, access control, user identification and authentication, data security, security continuous monitoring, and response planning, recovery, and restoration.

“The final practice guide, which in addition to incorporating feedback from the public and other stakeholders, builds on the draft guide by adding remote storage capabilities into the PACS architecture. This effort offers a more comprehensive security solution that more closely mirrors real-world HDO networking environments,” explained NIST.

This practice guide can be used by HIPAA covered entities and their business associates to implement current cybersecurity standards and best practices to reduce their cybersecurity risk, while maintaining the performance and usability of PACS

NIST Cybersecurity Special Publication 1800-24, Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector is available on this link.

The guidance was developed by NIST/NCCoE in collaboration with Cisco, Clearwater Compliance, DigiCert, Forescout, Hyland, Microsoft, Philips, Symantec, TDI Technologies, Tempered Networks, Tripwire, Virtua Labs, and Zingbox.

Image Source: J. Stoughton/NIST

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.