New NIST guide helps healthcare orgs securely deploy PACS

Every so often, security researchers discover confidential medical images left exposed online. To help healthcare organizations prevent this from happening in the future, NIST has published NIST SP 1800-24: Securing Picture Archiving and Communication System (PACS).

The cybersecurity challenges of securing PACS

Medical imaging is a critical component in providing patient care and PACS is where these images and accompanying clinical information are stored and delivered from when needed.

Needless to say, the integrity, availability, and confidentiality of this information is crucial to providing care and keeping patients’ trust.

PACS is part of a highly complex healthcare delivery organization (HDO) environment that includes back-office systems, electronic health record systems, pharmacy and laboratory systems, an array of electronic medical devices, and often cloud storage for medical images.

“Securing PACS presents several challenges,” NIST explains. “Various departments operating in the HDO have unique medical imaging needs and may operate their own PACS or other medical imaging archiving systems. Further, HDOs may use external medical imaging specialists when reviewing patient medical data. The PACS ecosystem, therefore, may include multiple systems for managing medical imaging data, along with a diverse clinical user community, accessing PACS from different locations. This complexity leads to cybersecurity challenges.”

In addition to this, vulnerabilities in PACS may impact both patients and HDOs.

The National Cybersecurity Center of Excellence (NCCoE) at NIST built a laboratory environment to emulate a medical imaging environment, performed a risk assessment, and identified controls from the NIST Cybersecurity Framework to secure a medical imaging ecosystem. It also developed an example implementation that demonstrates how HDOs can use standards-based, commercially available cybersecurity technologies to better protect the PACS ecosystem.

“The final practice guide, which in addition to incorporating feedback from the public and other stakeholders, builds on the draft guide by adding remote storage capabilities into the PACS architecture. This effort offers a more comprehensive security solution that more closely mirrors real-world HDO networking environments,” NIST added.