NIST Issues PACS Guidance for Healthcare Delivery Organizations
NIST's latest guidance is geared towards preventing healthcare organizations that oversee PACS software from exposing patient data.
The US Office for Civil Rights is encouraging hospitals and healthcare facilities to review recently published guidance on securing devices running certain types of medical imaging technology.
The guidance concerns the Picture Archiving and Communication System (PACS), a medical imaging technology that stores and provides access to images such as X-rays in DICOM (Digital Imaging and Communications in Medicine) format. PACS traditionally figures into healthcare delivery organizations, or HDOs, usually as a way to deliver clinical information and store healthcare data.
The National Institute of Standards and Technology (NIST) released the nearly 400-page document, "Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector," the final version of NIST Cybersecurity Practice Guide SP 1800-24, via NIST's National Cybersecurity Center of Excellence (NCCoE) last month. The document is designed to assess the inherent risk in PACS ecosystems.
To produce the guidance, NIST says it built a lab environment that mimics a medical imaging environment (one that would normally interact with PACS) and performed a risk assessment against it. It used the NIST Cybersecurity Framework to identify the controls necessary to secure the ecosystem.
Solving problems associated with PACS, such as asset management, access control, user identification and authentication, data security, security continuous monitoring, response planning, and recovery and restoration, was integral to NIST's project.
“This project used picture archiving and communication system (PACS) and a vendor neutral archive (VNA) and implemented controls to safeguard medical images from cybersecurity and privacy threats,” the document reads.
The document walks administrators through setting up and fine-tuning firewalls, cloud and virtualization tools, network visibility and analysis software, and access control policies that specify how traffic is managed within a network.
NIST also says the document can improve an organization's resilience, limit unauthorized movement within an HDO environment (an "insider threat" scenario), help detect malware, and secure sensitive data.
The project assumes that HDOs already have pervasive controls in place that supplement their overall cybersecurity risk profile, such as governance, risk, and compliance systems. Having incident response processes, IT disaster recovery and business continuity, and data loss prevention (DLP) solutions in place could help prevent data theft across an enterprise, but not necessarily within a PACS environment, NIST says.
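As an added illustration of the kind of access-control and continuous-monitoring logic the guide's firewall and network-visibility sections address, the following Python snippet is example code written for this article, not part of NIST SP 1800-24 or any vendor product. It parses DICOM association requests (the A-ASSOCIATE-RQ PDU, whose fixed layout is defined in DICOM PS3.8) and checks each one against an allowlist of which calling AE titles may talk to the archive from which network segment. The AE titles, subnets and sample traffic are constructed for the example; a spoofed AE title arriving from the wrong segment is the case the policy is meant to catch.

```python
import ipaddress
import struct

# Fixed part of a DICOM A-ASSOCIATE-RQ PDU (DICOM PS3.8, section 9.3.2):
#   type(1) reserved(1) length(4) version(2) reserved(2)
#   called AE title(16) calling AE title(16) reserved(32), then variable items.
A_ASSOCIATE_RQ = 0x01
_FIXED = struct.Struct(">BBIHH16s16s32s")


def parse_associate_rq(pdu: bytes):
    """Return (called_ae, calling_ae) for a well-formed A-ASSOCIATE-RQ, else None."""
    if len(pdu) < _FIXED.size:
        return None
    ptype, _, length, version, _, called, calling, _ = _FIXED.unpack_from(pdu)
    if ptype != A_ASSOCIATE_RQ or not version & 1:  # protocol version bit 0 must be set
        return None
    # The length field counts every byte after the 6-byte preamble; a mismatch
    # means a truncated or malformed PDU, which is not evaluated against policy.
    if length != len(pdu) - 6:
        return None
    return (called.decode("ascii", "replace").strip(),
            calling.decode("ascii", "replace").strip())


def build_associate_rq(called: str, calling: str, items: bytes = b"") -> bytes:
    """Construct a minimal A-ASSOCIATE-RQ for the sample traffic (AE titles space-padded to 16)."""
    body = struct.pack(">HH16s16s32s", 1, 0,
                       called.ljust(16).encode("ascii"),
                       calling.ljust(16).encode("ascii"),
                       bytes(32)) + items
    return struct.pack(">BBI", A_ASSOCIATE_RQ, 0, len(body)) + body


# Hypothetical policy (constructed names and subnets): which calling AE titles,
# from which network segment, may open an association with each archive AE title.
POLICY = {
    "PACS_ARCHIVE": [
        ("CT_ROOM1", ipaddress.ip_network("10.20.1.0/24")),   # modality VLAN
        ("RAD_WS01", ipaddress.ip_network("10.20.2.0/24")),   # reading-workstation VLAN
    ],
}


def evaluate(src_ip: str, pdu: bytes) -> dict:
    """Decide allow / alert / ignore for one PDU observed from src_ip."""
    parsed = parse_associate_rq(pdu)
    if parsed is None:
        return {"action": "ignore", "reason": "not a well-formed A-ASSOCIATE-RQ"}
    called, calling = parsed
    ip = ipaddress.ip_address(src_ip)
    for allowed_ae, net in POLICY.get(called, []):
        if calling == allowed_ae and ip in net:
            return {"action": "allow", "called": called, "calling": calling}
    # AE titles are not authenticated, so a known title from an unexpected
    # segment is treated as suspicious rather than trusted.
    return {"action": "alert",
            "reason": f"unexpected association {calling}@{src_ip} -> {called}"}


# Constructed sample traffic: (source IP, PDU bytes).
SAMPLE = [
    ("10.20.1.15", build_associate_rq("PACS_ARCHIVE", "CT_ROOM1")),    # expected modality
    ("10.20.1.15", build_associate_rq("PACS_ARCHIVE", "RAD_WS01")),    # known title, wrong VLAN
    ("192.168.50.9", build_associate_rq("PACS_ARCHIVE", "CT_ROOM1")),  # known title, off-segment
    ("10.20.1.15", b"\x02\x00\x00\x00\x00\x04\x00\x01\x00\x00"),        # A-ASSOCIATE-AC, not checked
]


def audit(events):
    """Run the policy over a list of (src_ip, pdu) events and return the verdicts."""
    return [evaluate(ip, pdu)["action"] for ip, pdu in events]


if __name__ == "__main__":
    for ip, pdu in SAMPLE:
        print(ip, evaluate(ip, pdu))
```

In practice the same check would sit on a segmentation firewall or a network-monitoring sensor between the modality and workstation VLANs and the archive, and the "alert" verdicts would feed the HDO's incident response process; the example keeps the decision in one function so the policy can be unit-tested against captured PDUs.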
Many healthcare networks these days are far from secure; environments that process PACS are generally less so.
When it comes to PACS, journalists with ProPublica and Germany's Bayerischer Rundfunk famously highlighted the dangers of PACS servers implementing DICOM in 2019, pointing out that medical images and data belonging to upwards of 5 million patients in the U.S. alone could be accessed online by anyone. That piece was based largely on research by Greenbone Networks, which found 400 million medical radiological images exposed online across 52 countries.
Mark Warner, one of the United States government's more outspoken critics on cybersecurity issues affecting Americans, took umbrage at the issues affecting PACS last year.
About this time last year, Senator Warner asked the Defense Health Agency to remove sensitive medical data belonging to servicemembers that was exposed online due to insecure PACS. Warner was following up on a letter to a mobile diagnostic services company, TridentUSA Health Services and its affiliate MobileXUSA, that was in charge of 187 computers that failed to secure PACS. Warner said that after his initial letter, 16 systems, 31 million images, and 1.5 million exam records were removed from online access, but that at the time a "significant number of personally identifiable and sensitive medical information belonging to servicemembers remains online."
If abused, PACS could severely hinder a healthcare organization's ability to do day-to-day work, not to mention infringe on a patient's privacy. If images are altered, a compromised PACS could prevent timely diagnosis and treatment; if exposed to a malicious actor, it could also open the organization to data loss, malware, or ransomware.