<img height="1" width="1" src="https://www.facebook.com/tr?id=156746741685952&amp;ev=PageView &amp;noscript=1">
Subscribe to our Blog!
Show all

Challenges and methods for securing Picture Archiving and Communication Systems (PACS)

Medical data is a valuable commodity for identity theft. Despite HIPAA privacy rules being in effect for more than two decades, millions of health records, including images, have been stored on unsecured servers by healthcare provider officers across the United States. 

A ProPublica investigation revealed that 187 servers in the U.S. with medical records such as X-rays, MRIs, CT scans, for instance, are findable with a simple online search. One imaging system had open internet access to patients’ echocardiograms, which were minimally secured. 

While securing Picture Archiving and Communication Systems (PACS) can be challenging, in part, because of the need for multiple providers to access the same data, the images stored in PACS are Protected Health Information (PHI) and must be kept private in accordance to HIPAA rules. 

To address this issue, in September 2019 the National Institute of Standards and Technology (NIST) released new draft guidelines to secure PACS, Special Publication 1800-24C - Securing Picture Archiving and Communication Systems (PACS)

The Challenges of Securing PACS

Over the past decade, healthcare images have shifted from hard copy to mostly digital. These digital images are easier to share, speeding up the diagnosis time. Of course, the fact that healthcare images can now be uploaded, shared on personal mobile devices, such as smartphones and tablets, and stored digitally, also makes them a target for cybercriminals. 

PACS also interact with multiple other systems: electronic health records, regulatory registries hospital information systems, and even government, academic, and commercial archives. This creates plenty of potential security gaps for cybercriminals to lurk and steal this data. 

Here are the most common challenges in securing PACS:

  • Monitoring and controlling internal user accounts and identifying outliers in behavior (e.g., large number of downloads in a small period of time)
  • Controlling and monitoring access by external users
  • Enforcing least privilege and separation-of-duties policies for internal and external users
  • Ensuring data integrity of the images
  • Securing and monitoring connections to the system
  • Securing and monitoring connections to and from systems outside of the in-house system
  • Providing security, data protection, and access management without affecting productivity and system performance

As you can see, these are common cybersecurity challenges. The draft PACS security guidelines are adapted from the NIST Cybersecurity Framework. While the challenge of securing medical images is real, this is a framework that any HIPAA-covered entity can use to help secure their PACS.

A Security Architecture for PACS

Using commercially available products, NIST created a reference network architecture. It provides an example for healthcare providers to separate their networks into zones to decrease cross-network access and, thus, risk. 

The NIST SP 1800-24C guidelines are just that: guidelines. Information technology professionals need to adapt the architecture and framework guidance to their particular organization’s IT stack and security goals. 

To mitigate risks, the NIST practice guide’s reference architecture includes technical and process controls to implement. They are:

  • A defense-in-depth solution, including network zoning that allows for more granular control of network traffic flows and limits communications capabilities to the minimum necessary to support business function
  • Access control mechanisms that include multi-factor authentication for care providers, certificate-based authentication for imaging devices and clinical systems, and mechanisms that limit vendor remote support to medical imaging components  
  • A holistic risk management approach that includes medical device asset management, augmenting enterprise security controls and leveraging behavioral analytic tools for near real-time threat and vulnerability management in conjunction with managed security solution providers

NIST Cybersecurity Guidance also recommends a thorough cybersecurity risk assessment to identify areas of weakness and to help determine how to optimize your network for cybersecurity.

Recommended capabilities for a secure PACS environment include:

  • Role-based access control
  • Authentication
  • Network access control
  • Endpoint protection
  • Network and communication protection
  • Micro segmentation
  • Behavioral analytics
  • Tools that use cyber threat intelligence
  • Anti-malware
  • Data security
  • Segregation of duties
  • Restoration and recoverability
  • Cloud storage

The Importance of User Training

While not included in this particular NIST publication, it is always good to remember that user training is critical to the success of any cybersecurity initiative. Many Digital Imaging and Communications in Medicine (DICOM) images are shared via mobile devices. 

Password protections are also important, as is understanding HIPAA compliance involving social media and basic HIPAA security procedures.

PACS do enable better patient outcomes, but they are a potential target for cybercriminals. Following the guidance from NIST, healthcare organizations can help ensure the continued privacy of their patients’ protected health information. 

nist guide assess cybersecurity risk

Rema Deo
Rema Deo

Rema Deo is the CEO and Managing Director at 24by7Security Inc. Rema is certified as a Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2. She holds a certificate in Cybersecurity: Technology, Application and Policy from the Massachusetts Institute of Technology. She also has a Master of Business Administration Degree from Symbiosis Institute of Business Management in Pune, India and a Bachelor of Commerce degree from the University of Bombay. Follow along the 24by7Security blog to learn valuable insights from Rema.

Related posts

December 10, 2019
November 13, 2019
October 21, 2019

Comments are closed.

Tech Leaders and Enthusiasts Unite at ITPalooza 2019
Mobile Devices: A look at security threats