Securing Picture and Archiving Communication System for Healthcare Delivery Organizations

Image depicts cover of NIST Special Publication 1800-24 practice guide, Securing Picture and Archive Communication System

This interactive practice guide is a graphic supplement to the National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide, Securing Picture Archiving and Communication System (PACS), providing a quick and visual reference to the key security controls discussed in the guide.

Bullseye icon

Targeted attacks: Medical imaging ecosystems interconnect a variety of devices, systems, and networks that malicious actors may compromise.

Tools icon

Service disruption: An effective medical imaging ecosystem supports clinical workflow that could be negatively impacted should services not be available.

Open door icon

Lack of access control: Unprotected systems may allow unauthorized individuals to access systems and information.

Unlocked pad lock icon

Unprotected data-in-transit: Medical imaging ecosystems rely on intersystem communication, and data in transit may expose clinical information to unauthorized individuals.

Broken chain icon

Vulnerability (as a “weak link”): Components may have flaws or deficiencies that may be leveraged adversely, compromising data or subsystems.

Malware icon

Malware: Unauthorized software may be introduced within the medical imaging ecosystem that could compromise subsystems, data, and the healthcare provider’s ability to interact with patients.

The PACS environment consists of diverse technologies that include medical device images, patient registry systems, and worklist management systems.

A medical imaging infrastructure offers a broad attack surface due to varying vulnerabilities, configurations, and control implementations.

Explore the PACS practice guide security controls in any order you prefer using the tabs on the left. Once you have explored the controls, continue onto the final section of the IPG.

Background of PACS architecture graphic
Role Based Access Control Map of 3 administrators with different access types

Control: When a user has privileged access, they maintain credentials that have greater permissions to systems than standard users.
Implementation: One measure that this guide implements is segregating privileged access accounts.

World Map with icons connected by lines to demonstrate remote access networks

Control: Healthcare and information technology systems require vendor-support technicians for remote configuration, patching, and updates to software and firmware.
Implementation: The remote access network segment in this guide provides remote vendor-support engineers with access to specified clinical systems.

Collage of CAT scan image results, locked pad lock, and computer coding

Control: Medical imaging ecosystems may be subject to evolving threats that result in unanticipated risk.
Implementation: This guide examines data flows between the medical imaging components and identifies a need to secure data in transit and data at rest.

A collage of photographs of computer servers and workstations.

Control: The protected end points, both workstations and servers, are potential targets for malicious actors.
Implementation: Throughout this guide, end-point protection and security are implemented through device hardening and configuration controls.

Artistic rendering of an enterprise network with traffic anomalies highlighted.

Control: Network flow baselines must be established to compare normal and abnormal traffic patterns.
Implementation: The guide identifies network flows, primarily among PACS, vendor neutral archive, and modalities, where it is important to monitor for abnormal behavior.

Artistic Rendering of running computer processes with malicious code and a vulnerable service highlighted.

Control: A healthcare delivery organization (HDO) may manage control mechanisms that perform malware detection, vulnerability scanning, and remediation.
Implementation: This guide deploys host-based agents to permit an HDO to perform regular vulnerability scanning for server components, exclusive of medical image device equipment.

Diagram of an Organization of multiple virtual local area networks to implement segmentation

Control: Microsegmentation uses software-defined networking to create a virtual overlay network over the existing network infrastructure.
Implementation: This guide demonstrates a microsegmentation approach, reducing virtual local area network (VLAN) management complexity and providing medical device isolation.

Firewall filtering network traffic.

Control: A comprehensive approach to network security is vital as network and application attacks become more advanced.
Implementation: The guide demonstrates network zoning by grouping components into functional categories and implementing virtual local area networks (VLANs) and network traffic filtering customized to communications requirements.

Hexagonal icons depicting trusted and non-trusted network components.

Control: Different components with independent requirements make up the PACS environment.
Implementation: This practice guide implements a network zoning approach that does not assume inherent trust between network structures. The guide implements trust between components as required.

Cover of Picture and Archiving Communication System guide

Want to learn more?
The National Cybersecurity Center of Excellence (NCCoE) has developed a free, comprehensive guide demonstrating how to secure a picture archiving and communication system within a healthcare delivery organization.

Open the web version.

This resource is a graphic supplement to the NIST Cybersecurity Practice Guide, Securing Picture Archiving and Communication System (PACS).

Cover of Picture and Archiving Communication System Guide

The guide consists of three volumes:

  • Volume A: Executive Summary
  • Volume B: Approach, Architecture, and Security Characteristics
  • Volume C: How-To Guides

Cover of Picture and Archiving Communication System Guide, Volume A

Volume A is why we wrote this guide, the challenge we address, why it could be important to your organization, and our approach to solving this challenge.

Cover of Picture and Archiving Communication System Guide, Volume B

Volume B is what we built and why, including the risk analysis performed and the security/privacy control map.

Cover of Picture and Archiving Communication System Guide, Volume C

Volume C provides instructions for building the example implementation, including all the details that would allow one to replicate all or parts of this project.

Connect with Us

Internet icon

Visit the PACS project page.

Email icon

E-mail us at

Lightbulb icon depicting an idea

Submit a project idea to the NCCoE.

People icon to join a community of interest

Join the Community of Interest for updates.

View and Share

Cloud icon to depict the action of downloading the guide

Download the PDF version PACS Practice Guide.

Twitter logo

Share this via Twitter.

LinkedIn logo

Share this via LinkedIn.

National Cybersecurity Center of Excellence, part of the National Institute of Standards and Technology, is a solution-driven, collaborative hub where experts from industry, government, and academia work together to address complex cybersecurity issues.

Twitter logo follow us @NISTcyber #NCCoE

This concludes the PACS Interactive Practice Guide. If you have any questions or comments, feel free to email the NCCoE Healthcare team at If you are done reviewing the information in this IPG, you can close this tab.

Cloud icon to depict the action of downloading the guide Twitter logo LinkedIn logo

NIST logo NCCoE logo