Securing Picture Archiving and Communication System

The overall Picture Archiving and Communication System (PACS) ecosystem consists of diverse technologies that include medical imaging devices, patient registry systems, and worklist management systems. The PACS threat landscape is broad and presents a large attack surface. Because PACS plays a central role, vulnerabilities in it may impair a health delivery organization's (HDO's) ability to render patient care or to preserve patient privacy. It is crucial to secure designated PACS ecosystems so that geographically and organizationally diverse teams of healthcare professionals can review medical images and provide quality and timely patient care.

A solution for mitigating cybersecurity and privacy risks identified within a health delivery organization’s picture archiving communication system.

PACS is nearly ubiquitous in hospitals, prompting the Healthcare Sector to identify its security as a critical need. This project focuses on providing increased security benefits while minimizing the impact on the availability of PACS and other components. Improved control and management of PACS can limit exposure to a threat vector that could serve as the point where an attack is performed or as a pivot point into an integrated healthcare information system, thereby improving an HDO's cybersecurity posture. The scope of the project includes the PACS ecosystem that allows storage, retrieval, management, distribution, and presentation of medical images.

Status: Finalized Practice Guide

The NCCoE released the NIST Cybersecurity Special Publication 1800-24, Securing Picture Archiving and Communication System. For ease of use, the final guide is available to download or read in volumes.

Project Abstract

Medical imaging plays an important role in diagnosing and treating patients. The system that manages medical images is known as the picture archiving communication system (PACS) and is nearly ubiquitous in healthcare environments. PACS is defined by the Food and Drug Administration (FDA) as a Class II device that “provides one or more capabilities relating to the acceptance, transfer, display, storage, and digital processing of medical images.” PACS centralizes functions surrounding medical imaging workflows and serves as an authoritative repository of medical image information.

PACS fits within a highly complex healthcare delivery organization (HDO) environment that involves interfacing with a range of interconnected systems. PACS may connect with clinical information systems and medical devices and engage with HDO-internal and affiliated health professionals. Complexity may introduce or expose opportunities that allow malicious actors to compromise the confidentiality, integrity, and availability of a PACS ecosystem.

The NCCoE analyzed risk factors regarding a PACS ecosystem by using a risk assessment based on the NIST Risk Management Framework. The NCCoE also leveraged the NIST Cybersecurity Framework and other relevant standards to identify measures to safeguard the ecosystem. The NCCoE developed an example implementation that demonstrates how HDOs can use standards-based, commercially available cybersecurity technologies to better protect a PACS ecosystem. This practice guide helps HDOs implement current cybersecurity standards and best practices to reduce their cybersecurity risk and protect patient privacy while maintaining the performance and usability of PACS.


View the Interactive Practice Guide

The NCCoE has released an interactive practice guide to accompany the NIST Cybersecurity Practice Guide, Securing Picture Archiving and Communication System. This interactive practice guide provides a quick and visual reference to the key security controls discussed in the project.


Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.


Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors that share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Members typically meet monthly by teleconference. Share your expertise and consider becoming a member of this project's COI.
