This interactive practice guide is a graphic supplement to the National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide, Securing Picture Archiving and Communication System (PACS), providing a quick and visual reference to the key security controls discussed in the guide.
Targeted attacks: Medical imaging ecosystems interconnect a variety of devices, systems, and networks that malicious actors may compromise.
Service disruption: An effective medical imaging ecosystem supports clinical workflow that could be negatively impacted should services not be available.
Lack of access control: Unprotected systems may allow unauthorized individuals to access systems and information.
Unprotected data-in-transit: Medical imaging ecosystems rely on intersystem communication, and data in transit may expose clinical information to unauthorized individuals.
Vulnerability (as a “weak link”): Components may have flaws or deficiencies that may be leveraged adversely, compromising data or subsystems.
Malware: Unauthorized software may be introduced within the medical imaging ecosystem that could compromise subsystems, data, and the healthcare provider’s ability to interact with patients.
The PACS environment consists of diverse technologies that include medical device images, patient registry systems, and worklist management systems.
A medical imaging infrastructure offers a broad attack surface due to varying vulnerabilities, configurations, and control implementations.
Explore the PACS practice guide security controls in any order you prefer using the tabs on the left. Once you have explored the controls, continue onto the final section of the IPG.
Control: When a user has privileged access, they maintain credentials that have greater permissions to systems than standard users.
Implementation: One measure that this guide implements is segregating privileged access accounts.
Control: Healthcare and information technology systems require vendor-support technicians for remote configuration, patching, and updates to software and firmware.
Implementation: The remote access network segment in this guide provides remote vendor-support engineers with access to specified
clinical systems.
Control: Medical imaging ecosystems may be subject to evolving threats that result in unanticipated risk.
Implementation: This guide examines data flows between the medical imaging components and identifies a need to secure data in transit
and data at rest.
Control: The protected end points, both workstations and servers, are potential targets for malicious actors.
Implementation: Throughout this guide, end-point protection and security are implemented through device hardening and configuration
controls.
Control: Network flow baselines must be established to compare normal and abnormal traffic patterns.
Implementation: The guide identifies network flows, primarily among PACS, vendor neutral archive, and modalities, where it is important
to monitor for abnormal behavior.
Control: A healthcare delivery organization (HDO) may manage control mechanisms that perform malware detection, vulnerability scanning, and remediation.
Implementation: This guide deploys host-based agents to permit an HDO to perform regular vulnerability scanning for server components, exclusive of medical image device equipment.
Control: Microsegmentation uses software-defined networking to create a virtual overlay network over the existing network infrastructure.
Implementation: This guide demonstrates a microsegmentation approach, reducing virtual local area network (VLAN) management complexity and providing medical device isolation.
Control: A comprehensive approach to network security is vital as network and application attacks become more advanced.
Implementation: The guide demonstrates network zoning by grouping components into functional categories and implementing virtual local area networks (VLANs) and network traffic filtering customized to communications requirements.
Control: Different components with independent requirements make up the PACS environment.
Implementation: This practice guide implements a network zoning approach that does not assume inherent trust between network structures. The guide implements trust between components as required.
Want to learn more?
The National Cybersecurity Center of Excellence (NCCoE) has developed a free, comprehensive guide demonstrating how to secure a picture archiving and communication system within a healthcare delivery organization.
This resource is a graphic supplement to the NIST Cybersecurity Practice Guide, Securing Picture Archiving and Communication System (PACS).
The guide consists of three volumes:
Volume A is why we wrote this guide, the challenge we address, why it could be important to your organization, and our approach to solving this challenge.
Volume B is what we built and why, including the risk analysis performed and the security/privacy control map.
Volume C provides instructions for building the example implementation, including all the details that would allow one to replicate all or parts of this project.
Visit the PACS project page.
E-mail us at hit_nccoe@nist.gov.
Submit a project idea to the NCCoE.
Join the Community of Interest for updates.
National Cybersecurity Center of Excellence, part of the National Institute of Standards and Technology, is a solution-driven, collaborative hub where experts from industry, government, and academia work together to address complex cybersecurity issues.
follow us @NISTcyber #NCCoE
This concludes the PACS Interactive Practice Guide. If you have any questions or comments, feel free to email the NCCoE Healthcare team at hit_nccoe@nist.gov. If you are done reviewing the information in this IPG, you can close this tab.