NIST SPECIAL PUBLICATION 1800-24
Securing Picture Archiving and Communication System (PACS):
Cybersecurity for the Healthcare Sector
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)
Jennifer Cawthra
Bronwyn Hodges
Jason Kuruvilla*
Kevin Littlefield
Bob Niemeyer
Chris Peloquin
Sue Wang
Ryan Williams
Kangmin Zheng
*Former employee; all work for this publication done while at employer.
FINAL
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.1800-24
The first draft of this publication is available free of charge from: https://www.nccoe.nist.gov/library/securing-picture-archiving-and-communication-system-nist-sp-1800-24-practice-guide
Jennifer Cawthra, National Cybersecurity Center of Excellence, National Institute of Standards and Technology
Bronwyn Hodges, Jason Kuruvilla*, Kevin Littlefield, Bob Niemeyer, Chris Peloquin, Sue Wang, Ryan Williams, Kangmin Zheng, The MITRE Corporation, McLean, Virginia
December 2020
U.S. Department of Commerce
Wilbur Ross, Secretary
National Institute of Standards and Technology
Walter G. Copan, Undersecretary of Commerce for Standards and Technology and Director
Volume B: Approach, Architecture, and Security Characteristics
- 1 Summary
- 2 How to Use This Guide
- 3 Approach
- 4 Architecture
- 4.1 Architecture Description
- 4.1.1 PACS Ecosystem Components
- 4.1.2 Data and Process Flow
- 4.1.3 Security Capabilities
- 4.1.4 Asset and Risk Management
- 4.1.5 Enterprise Domain and Identity Management
- 4.1.6 Network Control and Security
- 4.1.7 Endpoint Protection and Security
- 4.1.8 Device Hardening and Configuration
- 4.1.9 Data Security
- 4.1.10 Remote Access
- 4.2 Final Architecture
- 5 Security Characteristic Analysis
- 5.1 Assumptions and Limitations
- 5.2 Scenarios and Findings
- 5.3 Analysis of the Reference Design’s Support for Cybersecurity Framework Subcategories
- 5.3.1 Asset Management (ID.AM)
- 5.3.2 Risk Assessment (ID.RA)
- 5.3.3 Identity Management and Access Control (PR.AC)
- 5.3.4 Data Security (PR.DS)
- 5.3.5 Information Protection and Procedures (PR.IP)
- 5.3.6 Protective Technology (PR.PT)
- 5.3.7 Anomalies and Events (DE.AE) and Security Continuous Monitoring (DE.CM)
- 5.4 Security Analysis Summary
- 6 Functional Evaluation
- 6.1 PACS Functional Test Plan
- 6.1.1 PACS Functional Evaluation Requirements
- 6.1.2 Test Case: PACS-1
- 6.1.3 Test Case: PACS-2
- 6.1.4 Test Case: PACS-3
- 6.1.5 Test Case: PACS-4
- 6.1.6 Test Case: PACS-5
- 6.1.7 Test Case: PACS-6
- 6.1.8 Test Case: PACS-7
- 6.1.9 Test Case: PACS-8
- 6.1.10 Test Case: PACS-9
- 6.1.11 Test Case: PACS-10
- 6.1.12 Test Case: PACS-11
- 6.1.13 Test Case: PACS-12
- 7 Future Build Considerations
- Appendix A List of Acronyms
- Appendix B References
- Appendix C Pervasive Versus Contextual Controls
- Appendix D Aligning Controls Based on Threats
Volume C: How-To Guides
- 1 Introduction
- 2 Product Installation Guides
- 2.1 Picture Archiving and Communication System (PACS)
- 2.2 VNA
- 2.3 Secure DICOM Communication Between PACS and VNA
- 2.4 Modalities
- 2.5 Asset and Risk Management
- 2.6 Enterprise Domain Identity Management
- 2.7 Network Control and Security
- 2.8 Endpoint Protection and Security
- 2.9 Data Security
- 2.10 Secure Remote Access
- Appendix A List of Acronyms
- Appendix B References