NIST Issues Final Guidance on Safeguarding the Picture Archiving and Communication System (PACS) Ecosystem

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has issued a final guidance for healthcare delivery businesses on safeguarding the Picture Archiving and Communication System (PACS) ecosystem.

PACS is a medical imaging solution that is utilized to safely hold and electronically send medical pictures, for example, CT scans, X-rays And MRIs and connected clinical reports, and is common in healthcare. These systems do away with the requirement to save, send out, and get medical images manually, and aid healthcare delivery companies by enabling the secure and inexpensive storage of images offsite online. PACS enables easy retrieval of medical images making use of PACS application anywhere.

By design, PACS cannot function on its own. In healthcare delivery businesses, PACS is normally incorporated into highly complicated settings and interfaces with numerous interconnected systems. The sophistication of those settings means that protecting the PACS ecosystem will be a serious process and it is very easy for cybersecurity threats to be brought in that can readily damage the confidentiality, integrity, and availability of protected health information (PHI), the PACS ecosystem, and any devices linked to PACS.

In September 2019, a ProPublica document discovered 187 unsecured servers that were employed to hold and get medical photos. Those servers saved the medical images and PHI of over 5 million people in the U.S.A. In many cases, the images are accessible by utilizing a regular web browser and read employing a free software program.

This 2020, the analyst group at CyberAngel inspected around 4.3 billion IP addresses across the world and discovered 2,140 unprotected servers in 67 countries. Those servers consist of about 45 million medical photos. The images included as many as 200 lines of metadata that enclosed personally identifiable information and PHI. In the CyberAngel “Full Body Exposure” report, those images may be viewed on the web via a typical web browser. In several cases, there were login pages but they authorized blank username and password fields.

NIST published draft guidance on safeguarding the PACS ecosystem soon after the release of the ProPublica report to aid healthcare delivery companies discover cybersecurity problems linked with PACS and employ better security controls as well as reducing the impact and access to PACS and other elements.

The final version of the guidance consists of a detailed set of cybersecurity specifications and best practices to undertake to better the PACS ecosystem safety, with the guidance dealing with access control, asset management, user recognition and verification, data security, security uninterrupted checking, and response planning, and restoration.

The final practice guide included responses from the people and other stakeholders and put in remote storage functions into the PACS design. This effort provides a more thorough security alternative that showcases real-world HDO networking conditions.

HIPAA covered entities and their business associates can use this practice guide to use existing cybersecurity criteria and best practices to lessen their cybersecurity risk, at the same time retaining the overall efficiency and functionality of PACS.

NIST Cybersecurity Special Publication 1800-24, Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector is accessible on this page.

NIST/NCCoE created the guidance in cooperation with DigiCert, Cisco, Forescout, Clearwater Compliance, Hyland, Microsoft, Philips, Symantec, Tempered Networks, TDI Technologies, Tripwire, Virtua Labs, and Zingbox.