NIST Issues Draft Guidance for Securing PACSTips on Keeping Picture Archiving and Communications Systems Secure
New draft guidance from the National Institute of Standards and Technology aims to help healthcare organizations improve the security of picture archiving and communications systems, or PACS.
NIST's National Cybersecurity Center of Excellence, or NCCoE, on Monday issued the preliminary guidance for PACS - systems that centrally manage medical imaging data.
NIST says the practice guide "demonstrates how an organization may implement a solution to mitigate identified risks." The reference architecture includes technical and process controls to implement:
- A defense-in-depth solution, including network zoning that allows for more granular control of network traffic flows and limits communications capabilities to the minimum necessary to support business functions;
- Access control mechanisms that include multifactor authentication for care providers, certificate-based authentication for imaging devices and clinical systems, and mechanisms that limit vendor remote support to medical imaging components;
- A holistic risk management approach that includes medical device asset management, augmenting enterprise security controls and leveraging behavioral analytic tools for near real-time threat and vulnerability management in conjunction with managed security solution providers.
NIST notes that the draft guide builds upon "the network zoning concept" described in an earlier NCCoE guidance for securing wireless infusion pumps (see: NIST Issues Draft Guidance for Wireless Infusion Pumps).
NIST is accepting comments on the draft guidance until Nov. 18.
Some security experts say that PACS can potentially present substantial security risks.
"PACS systems generally contain a significant amount of protected health information," says Keith Fricke, principal consultant at tw-Security. "These systems also provide important information in the delivery of patient care. Improperly secured PACS can lead to compromise, possibly leading to downtime for investigation/forensics purposes."
To develop its guidance, NCCoE built a laboratory to emulate a medical imaging environment, performed a risk assessment and identified controls from the NIST Cybersecurity Framework to secure the medical imaging ecosystem.
Securing PACS presents several challenges, NIST writes. "Various departments operating in the health delivery organization have unique medical imaging needs and may operate their own PACS or other medical imaging archiving systems. Further, HDOs may use external medical imaging specialists when reviewing patient medical data," NIST notes.
"Anything that is designed to help the healthcare industry protect medical devices is a good thing, and a reference architecture is a very good starting point."
—Mark Johnson of LBMC Information Security
The PACS ecosystem, therefore, may include multiple systems managing medical imaging data. Plus, a diverse clinical user community may access a PACS from different locations. "This complexity leads to cybersecurity challenges," NIST writes.
"PACS may have vulnerabilities that, given its central nature, may impact a [healthcare organization's] ability to render patient care or to preserve patient privacy," the draft guidance notes.
"These vulnerabilities could impede the timely diagnosis and treatment of patients if medical images are altered or misdirected. These vulnerabilities could also expose a [healthcare organization] to risks of significant data loss, malware and ransomware attacks and unauthorized access to other parts of a healthcare delivery organization's enterprise network."
NIST notes the challenges in securing PACS can involve:
- Asset management;
- Access control, user identification, and authentication;
- Data security;
- Security continuous monitoring;
- Response planning, recovery and restoration.
A Lot to Balance?
A PACS requires controls that provide significant integrity, availability and confidentiality assurances because the system ties into doctor-patient workflow management, NIST writes.
"This project focuses on providing increased security benefits while minimizing the impact and availability to PACS and other components," NIST writes. "Improved control and management of PACS can limit exposures to a threat vector that could act as a point where an attack may be performed or serve as a pivot point into an integrated healthcare information system, thereby improving a [healthcare organization's] cybersecurity posture."
The final guidance will be released as a NIST Cybersecurity Practice Guide outlining "the practical steps required to implement a cybersecurity reference design that addresses this challenge."
Medical Device Risks
NIST's development of guidance materials for securing medical devices such as PACS is welcome move, security experts say.
"Anything that is designed to help the healthcare industry protect medical devices is a good thing, and a reference architecture is a very good starting point," says former healthcare CISO Mark Johnson of the consulting firm LBMC Information Security.
"Drawing one up for PACS has some natural advantages. For the most part, PACS don't move around a hospital environment, unlike other medical devices," he notes. "Secondly, these images are very large and typically stored on on-site systems. Therefore, a reference architecture is a very good step forward, a little easier to design and hopefully, for most of the healthcare industry, easier to implement."
Tapping the Guidance
NIST says the guidance includes sections directed at individuals with various roles within healthcare organizations. That includes an executive summary to help an organization's leadership team understand the importance of adopting standards-based, commercially available technologies that can help secure the PACS ecosystem, as well as more detailed instructions for IT professionals who would implement NCCoE's approach for securing PACS.
Fricke notes that the draft guidance provides "a reasonable roadmap" for securing PACS systems. "It also likely offers some insights into aspects of securing these systems that may not be familiar or top-of-mind to everyone," he adds.
Ensuring the security of medical imaging systems and related data is an ongoing challenge.
For instance, in a report issued earlier this year, researchers at security firm Cylera Labs found weaknesses in the DICOM image file format that, if exploited, could enable malware to infect patient data by directly inserting itself into medical imaging files (see: Researchers: Malware Can Be Hidden in Medical Images).
Also, media site ProPublica reported on Tuesday that a joint investigation with German broadcaster Bayerischer Rundfunk found that "hundreds of computer servers worldwide that store patient X-rays and MRIs are so insecure that anyone with a web browser or a few lines of computer code can view patient records."
Digital Shadow's Photon Research Team found similar discoveries earlier this year (see: 2.3 Billion Files Exposed Online: The Root Causes).