Developed with industry leaders like Clearwater Compliance, Symantec, and others, new NIST guidance and a proposed project could help health delivery organizations secure the PACS ecosystem.
The NIST National Cybersecurity Center of Excellence released both proposed guidance to help healthcare delivery organizations secure the picture archiving and communication system (PACS) ecosystem and a project to develop an example solution to build stronger security controls.
Released Monday, the draft guidance, Securing Picture Archiving and Communication System, contains elements to help health organizations create an approach, architecture, and security characteristics for the PACS ecosystem, as well as how-to guidance.
Imaging technologies have undergone significant changes during the last decade and are now easily uploaded into a digital format to be stored or shared. These systems are commonly located in image-intensive areas like the radiology department and often connect to the EHR.
While the ease of accessibility can reduce the amount of time it takes to make a diagnosis, the technology has also expanded the threat landscape. Many providers struggle with controlling, monitoring, and auditing user accounts and identifying abnormal behavior.
Enforcing least privilege and separation-of-duties policies for both internal and external users is also a challenge, as is ensuring data integrity as data moves across the network and securing, protecting, and monitoring access without impacting system performance.
The project and guide are designed to identify the users that interact with PACS systems, define interactions between actors and the system, perform a risk assessment, identify applicable mitigating security tools, and create an example solution, officials explained.
In the end, NIST officials will create a PACS cybersecurity practice guide, freely accessible materials, and instructions on how provider organizations can implement the solution in their own environments.
The goal is to help provider organizations reduce the likelihood of a breach or significant data loss, along with minimizing disruption to their systems. Further, these organizations should be enabled to maintain timely access to imaging with data less vulnerable to being altered or misdirected, while shoring up patient privacy.
To NIST, the PACS connectivity of the ecosystem is both its benefit and downfall, as it works with diverse technologies including medical imaging devices and other systems used to manage and maintain medical image archives.
“PACS, by its nature, is a system that cannot operate in isolation,” NIST authors wrote. “The primary role of PACS is interaction with disparate medical imaging devices, interconnectivity with other clinical systems, and allowing a geographically and organizationally diverse team of healthcare professionals to review medical images to provide quality and timely patient care.”
“Therefore, the threat landscape is broad,” they added. “If not properly secured, vulnerabilities may be introduced into the PACS ecosystem, either affecting clinical information stored in the PACS environment or allowing malicious actors to leverage components within the ecosystem as pivot points into the integrated healthcare information system.”
The proposal comes on the heels of a ProPublica report that showed millions of patient records are being exposed online through nearly 200 unprotected servers. In April, a Cylera report showed how a flaw in DICOM, a 30-year-old standard used to exchange and store medical images, could let a hacker insert malicious code into medical device image files.
The latest NIST draft guidance and project were created in collaboration with a long list of industry leaders including Symantec, Hyland, ForeScout, Clearwater Compliance, Zingbox, Cisco, and a host of others. Stakeholders interested in contributing can also submit comments to NIST until November 18.
Date: September 23, 2019
Source: Health IT Security