Medical data is a valuable commodity for identity theft. Despite HIPAA privacy rules being in effect for more than two decades, millions of health records, including images, have been stored on unsecured servers by healthcare provider offices across the United States.
A ProPublica investigation revealed that 187 servers in the U.S. with medical records such as X-rays, MRIs, and CT scans are findable with a simple online search. One imaging system had open internet access to patients’ echocardiograms, which were minimally secured.
While securing Picture Archiving and Communication Systems (PACS) can be challenging, in part because of the need for multiple providers to access the same data, the images stored in PACS are Protected Health Information (PHI) and must be kept private in accordance with HIPAA rules.
To address this issue, in September 2019 the National Institute of Standards and Technology (NIST) released new draft guidelines to secure PACS, Special Publication 1800-24C - Securing Picture Archiving and Communication Systems (PACS).
The Challenges of Securing PACS
Over the past decade, healthcare images have shifted from hard copy to mostly digital. These digital images are easier to share, speeding up the diagnosis time. Of course, the fact that healthcare images can now be uploaded, shared on personal mobile devices, such as smartphones and tablets, and stored digitally, also makes them a target for cybercriminals.
PACS also interact with multiple other systems: electronic health records, regulatory registries, hospital information systems, and even government, academic, and commercial archives. This creates plenty of potential security gaps where cybercriminals can lurk and steal this data.
Here are the most common challenges in securing PACS:
- Monitoring and controlling internal user accounts and identifying outliers in behavior (e.g., a large number of downloads in a short period of time)
- Controlling and monitoring access by external users
- Enforcing least privilege and separation-of-duties policies for internal and external users
- Ensuring data integrity of the images
- Securing and monitoring connections to the system
- Securing and monitoring connections to and from systems outside of the in-house system
- Providing security, data protection, and access management without affecting productivity and system performance
As you can see, these are common cybersecurity challenges. The draft PACS security guidelines are adapted from the NIST Cybersecurity Framework. While the challenge of securing medical images is real, this is a framework that any HIPAA-covered entity can use to help secure their PACS.
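The first challenge in the list above, spotting a large number of downloads in a short period of time, can be checked with a sliding window over PACS audit records. The following is an added example, not taken from the NIST guide or any PACS product; the log format, account names, 5-minute window and threshold of 5 studies are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records (not real data): time, user, action, study.
SAMPLE_LOG = """\
2019-09-16T09:00:05 dr_adams RETRIEVE study-0001
2019-09-16T09:20:41 dr_adams RETRIEVE study-0002
2019-09-16T09:58:10 dr_adams RETRIEVE study-0003
2019-09-16T10:00:00 tech_lee RETRIEVE study-0100
2019-09-16T10:00:20 tech_lee RETRIEVE study-0100
2019-09-16T10:00:40 tech_lee RETRIEVE study-0100
2019-09-16T10:01:00 tech_lee RETRIEVE study-0100
2019-09-16T10:01:20 tech_lee RETRIEVE study-0100
2019-09-16T11:00:00 ext_acct RETRIEVE study-0201
2019-09-16T11:00:30 ext_acct RETRIEVE study-0202
2019-09-16T11:01:00 ext_acct RETRIEVE study-0203
2019-09-16T11:01:30 ext_acct RETRIEVE study-0204
2019-09-16T11:02:00 ext_acct RETRIEVE study-0205
2019-09-16T11:02:30 ext_acct RETRIEVE study-0206
"""


def find_download_bursts(lines, window=timedelta(minutes=5), threshold=5):
    """Map user -> (time, count) for the first moment that user retrieved
    `threshold` or more distinct studies inside one sliding `window`.
    Assumes records arrive in timestamp order."""
    recent = defaultdict(deque)   # user -> (time, study) pairs still in window
    alerts = {}
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or fields[2] != "RETRIEVE":
            continue              # skip blanks, malformed rows, other actions
        ts, user, study = datetime.fromisoformat(fields[0]), fields[1], fields[3]
        events = recent[user]
        events.append((ts, study))
        while ts - events[0][0] > window:
            events.popleft()      # drop retrievals older than the window
        # Count distinct studies so re-opening one study is not a burst.
        distinct = len({s for _, s in events})
        if distinct >= threshold and user not in alerts:
            alerts[user] = (ts, distinct)
    return alerts


if __name__ == "__main__":
    for user, (when, n) in find_download_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {user}: {n} distinct studies within 5 min at {when}")
```

On the sample data only ext_acct is flagged; dr_adams spreads three studies over an hour and tech_lee re-opens a single study, so neither crosses the threshold.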
A Security Architecture for PACS
Using commercially available products, NIST created a reference network architecture. It provides an example for healthcare providers to separate their networks into zones to decrease cross-network access and, thus, risk.
The NIST SP 1800-24C guidelines are just that: guidelines. Information technology professionals need to adapt the architecture and framework guidance to their particular organization’s IT stack and security goals.
To mitigate risks, the NIST practice guide’s reference architecture includes technical and process controls to implement. They are:
- A defense-in-depth solution, including network zoning that allows for more granular control of network traffic flows and limits communications capabilities to the minimum necessary to support business function
- Access control mechanisms that include multi-factor authentication for care providers, certificate-based authentication for imaging devices and clinical systems, and mechanisms that limit vendor remote support to medical imaging components
- A holistic risk management approach that includes medical device asset management, augmenting enterprise security controls and leveraging behavioral analytic tools for near real-time threat and vulnerability management in conjunction with managed security solution providers
Recommended capabilities for a secure PACS environment include:
- Role-based access control
- Network access control
- Endpoint protection
- Network and communication protection
- Micro segmentation
- Behavioral analytics
- Tools that use cyber threat intelligence
- Data security
- Segregation of duties
- Restoration and recoverability
- Cloud storage
The Importance of User Training
While not included in this particular NIST publication, it is always good to remember that user training is critical to the success of any cybersecurity initiative. Many Digital Imaging and Communications in Medicine (DICOM) images are shared via mobile devices.
PACS do enable better patient outcomes, but they are a potential target for cybercriminals. Following the guidance from NIST, healthcare organizations can help ensure the continued privacy of their patients’ protected health information.