Content Assessment: NIST on Cybersecurity for the Healthcare Sector - Picture Archiving and Communication System Security
Information - 95%
Insight - 95%
Relevance - 90%
Objectivity - 100%
Authority - 100%
A short percentage-based assessment of the qualitative benefit of the recent NIST publication on cybersecurity in the healthcare sector, focused on picture archiving and communication system (PACS) security.
Editor’s Note: Taken directly from the National Institute of Standards and Technology (NIST) and its National Cybersecurity Center of Excellence (NCCoE), the following information is provided to highlight considerations for securing Picture Archiving and Communication Systems (PACS) in the healthcare sector. This new cybersecurity-centric practice guide defines and demonstrates how organizations may implement solutions to mitigate cybersecurity and privacy risks. It presents a reference architecture featuring the technical and process controls to be implemented, including a defense-in-depth solution, access control mechanisms, and a holistic management approach.
According to the new practice guide, PACS cannot operate in isolation: the overall PACS ecosystem consists of diverse technologies that include medical imaging devices, patient registry systems, and worklist management systems. PACS also relies on systems to manage and maintain medical image archives, which may include cloud storage capabilities. The primary role of PACS is interaction with disparate medical imaging devices, interconnectivity with other clinical systems, and allowing a geographically and organizationally diverse team of healthcare professionals to review medical images to provide quality and timely patient care. The threat landscape is therefore broad, and the ecosystem presents a large attack surface.
Extract from NIST Special Publication 1800-24A
Securing Picture Archiving and Communication Systems (PACS): Cybersecurity in the Healthcare Sector
Medical imaging plays an important role in diagnosing and treating patients. The system that manages medical images is known as the picture archiving and communication system (PACS) and is nearly ubiquitous in healthcare environments. PACS is defined by the Food and Drug Administration (FDA) as a Class II device that “provides one or more capabilities relating to the acceptance, transfer, display, storage, and digital processing of medical images.” PACS centralizes functions surrounding medical imaging workflows and serves as an authoritative repository of medical image information.
PACS fits within a highly complex healthcare delivery organization (HDO) environment that involves interfacing with a range of interconnected systems. PACS may connect with clinical information systems and medical devices and engage with HDO-internal and affiliated health professionals. Complexity may introduce or expose opportunities that allow malicious actors to compromise the confidentiality, integrity, and availability of a PACS ecosystem.
The NCCoE at NIST analyzed risk factors regarding a PACS ecosystem by using a risk assessment based on the NIST Risk Management Framework. The NCCoE also leveraged the NIST Cybersecurity Framework and other relevant standards to identify measures to safeguard the ecosystem. The NCCoE developed an example implementation that demonstrates how HDOs can use standards-based, commercially available cybersecurity technologies to better protect a PACS ecosystem. This practice guide helps HDOs implement current cybersecurity standards and best practices to reduce their cybersecurity risk and protect patient privacy while maintaining the performance and usability of PACS.