Appendix A List of Acronyms

2FA

Two-Factor Authentication

AES

Advanced Encryption Standard

AD

Active Directory

ARP

Address Resolution Protocol

AV

Anti-Virus

CIA

Confidentiality, Integrity, and Availability

CT

Computed Tomography

DHCP

Dynamic Host Configuration Protocol

DICOM

Digital Imaging and Communications in Medicine

DNS

Domain Name System

DoS

Denial of Service

EHR

Electronic Health Record

FDA

Food and Drug Administration

FIM

File Integrity Monitoring

FTD

Firepower Threat Defense

GRC

Governance, Risk, and Compliance

HDO

Healthcare Delivery Organization

HIP

Host Identity Protocol

HIPAA

Health Insurance Portability and Accountability Act

HIPS

Host Intrusion Prevention System

HIS

Health Information System

HL7

Health Level 7

HTM

Healthcare Technology Management

HTTP

Hypertext Transfer Protocol

HTTPS

Hypertext Transfer Protocol Secure

IDN

Identity Defined Networking

IDS

Intrusion Detection System

IEC

International Electrotechnical Commission

IETF

Internet Engineering Task Force

IHE

Integrating the Healthcare Enterprise

IoT

Internet of Things

IPsec

Internet Protocol Security

IT

Information Technology

MAC

Media Access Control

MFA

Multifactor Authentication

MRI

Magnetic Resonance Imaging

NCCoE

National Cybersecurity Center of Excellence

NGFW

Next Generation Firewall

NIST

National Institute of Standards and Technology

PaaS

Platform as a Service

PACS

Picture Archiving and Communication System(s)

PAM

Privileged Access Management

PCAP

Packet Capture

PET

Positron Emission Tomography

PHI

Protected Health Information

PKI

Public Key Infrastructure

RADIUS

Remote Authentication Dial-In User Service

RBAC

Role-Based Access Control

RIS

Radiology Information System

RMF

Risk Management Framework

RSA

Rivest-Shamir-Adleman

SDN

Software Defined Networking

SP

Special Publication

SSE

Systems Security Engineering

SSL/TLS

Secure Sockets Layer/Transport Layer Security

TCP/IP

Transmission Control Protocol/Internet Protocol

URL

Uniform Resource Locator

VIP

Validation and ID Protection

VLAN

Virtual Local Area Network

VNA

Vendor Neutral Archive

VPN

Virtual Private Network

Appendix B References

B1

Food and Drug Administration, “Display Devices for Diagnostic Radiology, Guidance for Industry and Food and Drug Administration Staff,” Oct. 2, 2017. Available: https://www.fda.gov/media/95527/download.

B2

National Electrical Manufacturers Association, PS3.1: DICOM PS3.1 2020c Introduction and Overview, 2018. Available: http://dicom.nema.org/medical/dicom/current/output/pdf/part01.pdf.

B3

DICOM. Digital Imaging and Communications in Medicine. Available: https://dicomstandard.org.

B4

Radiology Technical Framework. Integrating the Healthcare Enterprise. Available: http://www.ihe.net/Technical_Frameworks/#radiology.

B5

R. Ross et al., Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-160 Volume 1, NIST, Gaithersburg, Md., Nov. 2016. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v1.pdf.

B6

R. Ross et al., Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, NIST SP 800-171 Revision 2, NIST, Gaithersburg, Md., Feb. 2020. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf.

B7

R. Petersen et al., Workforce Framework for Cybersecurity (NICE Framework), NIST SP 800-181 Revision 1, NIST, Gaithersburg, Md., Nov. 2020. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181r1.pdf.

B8

Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, NIST, Gaithersburg, Md., Apr. 16, 2018. Available: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.

B9

NIST. Risk Management Framework: Quick Start Guides. Available: https://csrc.nist.gov/projects/risk-management/risk-management-framework-quick-start-guides.

B10

Joint Task Force Transformation Initiative, Guide for Conducting Risk Assessments, NIST SP 800-30 Revision 1, NIST, Gaithersburg, Md., Sept. 2012. Available: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.

B11

Joint Task Force Transformation Initiative, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, NIST SP 800-37 Revision 2, NIST, Gaithersburg, Md., Dec. 2018. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf.

B12

NIST. Computer Security Resource Center. Available: https://csrc.nist.gov/glossary/term/confidentiality_integrity_availability.

B13

National Cybersecurity Center of Excellence, Securing Picture Archiving and Communication System (PACS) Project Description, NIST, Gaithersburg, Md., Jan. 2018. Available: https://www.nccoe.nist.gov/sites/default/files/library/project-descriptions/hit-pacs-project-description-final.pdf.

B14

Health Level 7 International. Introduction to HL7 Standards. Available: http://www.hl7.org/implement/standards/index.cfm?ref=nav.

B15

Joint Task Force Transformation Initiative, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53 Revision 4, NIST, Gaithersburg, Md., Apr. 2013. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

B16

International Electrotechnical Commission (IEC) Technical Report (TR) 80001-2-2, Edition 1.0 2012-07, “Application of risk management for IT networks incorporating medical devices–Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls.”

B17

U.S. Department of Health and Human Services Office for Civil Rights, HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, Feb. 2016. Available: https://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf.

B18

International Organization for Standardization/International Electrotechnical Commission, “Information technology–Security techniques–Information security management systems–Requirements,” ISO/IEC 27001:2013, 2013.

B19

Picture archiving and communications system, 21 CFR §892.2050, July 2020. Available: https://www.ecfr.gov/cgi-bin/text-idx?SID=126d1713c9a312989c2173a5bdd4aaae&mc=true&node=se21.8.892_12050&rgn=div8.

B20

Health Level 7 International. Clinical Document Architecture (CDA®) Release 2. Available: https://www.hl7.org/implement/standards/product_brief.cfm?product_id=7.

B21

G. O’Brien et al., Securing Wireless Infusion Pumps in Healthcare Delivery Organizations, NIST SP 1800-8, NIST, Gaithersburg, Md., Aug. 2018. Available: https://www.nccoe.nist.gov/sites/default/files/library/sp1800/hit-wip-nist-sp1800-8.pdf.

B22

American National Standards Institute/Association for the Advancement of Medical Instrumentation/IEC 80001-1:2010, “Application of risk management for IT networks incorporating medical devices–Part 1: Roles, responsibilities and activities.”

B23

IEC TR 80001-2-1, Edition 1.0 2012-07, “Application of risk management for IT-networks incorporating medical devices–Part 2-1: Step-by-step risk management of medical IT-networks–Practical applications and examples.”

B24

K. Waltermire et al., Privileged Account Management for the Financial Services Sector, NIST SP 1800-18, NIST, Gaithersburg, Md., Sept. 2018. Available: https://www.nccoe.nist.gov/sites/default/files/library/sp1800/fs-pam-nist-sp1800-18-draft.pdf.

B25

NIST. “Easy Ways to Build a Better P@$5w0rd.” Available: https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-p5w0rd.

B26

P. Grassi et al., Digital Identity Guidelines, NIST SP 800-63-3, NIST, Gaithersburg, Md., June 2017. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf.

B27

R. Moskowitz and P. Nikander, Host Identity Protocol (HIP) Architecture, Request for Comments 4423, May 2006. Available: https://tools.ietf.org/html/rfc4423.

B28

E. Barker et al., Recommendation for Key-Derivation Methods in Key-Establishment Schemes, NIST SP 800-56C Revision 1, NIST, Gaithersburg, Md., Apr. 2018. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr1.pdf.

B29

U.S. Department of Commerce, Advanced Encryption Standard (AES), NIST Federal Information Processing Standard Publication 197, Nov. 26, 2001. Available: https://csrc.nist.gov/csrc/media/publications/fips/197/final/documents/fips-197.pdf.

B30

K. Scarfone and P. Mell, Guide to Intrusion Detection and Prevention Systems (IDPS) (Draft), NIST SP 800-94 Revision 1 (Draft), NIST, Gaithersburg, Md., July 2012. Available: https://csrc.nist.gov/CSRC/media/Publications/sp/800-94/rev-1/draft/documents/draft_sp800-94-rev1.pdf.

B31

Microsoft, Azure Data Encryption-at-Rest, Apr. 2020. Available: https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest.

B32

T. McBride et al., Data Integrity: Recovering from Ransomware and Other Destructive Events, NIST SP 1800-11, NIST, Gaithersburg, Md., Sept. 2017. Available: https://www.nccoe.nist.gov/publication/1800-11/index.html.

B33

U.S. Department of Homeland Security, Cybersecurity & Infrastructure Security Agency. SMB Security Best Practices. Available: https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices.

B34

P. Grassi et al., Digital Identity Guidelines, NIST SP 800-63-3, NIST, Gaithersburg, Md., June 2017. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf.

B35

K. McKay and D. Cooper, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, NIST SP 800-52 Revision 2, NIST, Gaithersburg, Md., Aug. 2019. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf.

B36

E. Barker et al., Guide to IPsec VPNs, NIST SP 800-77 Revision 1, NIST, Gaithersburg, Md., June 2020. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf.

B37

Securities and Exchange Commission, Public Company Accounting Oversight Board; Notice of Filing of Proposed Rule on Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements, and Related Independence Rule and Conforming Amendments. June 7, 2007. Available: https://www.sec.gov/rules/pcaob/2007/34-55876.pdf.

Appendix C Pervasive Versus Contextual Controls

This practice guide limits its scope to a defined boundary covering the scheduling, acquisition, use, and storage of medical images and the information associated with them. Conceptually, that boundary is the medical imaging ecosystem, and the guide applies contextual controls to it. Healthcare delivery organization (HDO) environments, however, are more complex than this practice guide can address: the medical imaging ecosystem resides within an enterprise infrastructure that should implement a pervasive set of controls. The project assumes that an HDO implements pervasive controls that may materially reduce the HDO’s overall cybersecurity risk, but the project did not implement those controls in the lab build. Systems that operate within the HDO infrastructure may inherit pervasive controls, but that coverage may not be complete; practitioners may therefore implement contextual controls to close gaps or to augment pervasive control capabilities. Pervasive controls tend to be organizational in scope, although they may also apply to specific systems and network components within the organization, and they may be technical or procedural in nature. The pervasive control concept is borrowed from auditing frameworks, which describe entity-level controls whose effect is pervasive, or widespread, across an entity or organization [B37].

An analogy can help explain the pervasive control concept. An individual may live in a house or apartment, which exists in a neighborhood. That neighborhood may then be part of a town or a city. The town or city may provide a number of services, such as police, fire, and rescue, and may also provide utilities, such as water and electricity, to its residents, either directly or through a third-party service. Pervasive controls are those that, while available to the house or apartment, the occupant has neither implemented nor directly controls. The house or apartment may also have locks, alarms, or fire-suppression devices that the occupant installed or directly controls; those controls are contextual to the house or apartment. In this analogy, the medical imaging ecosystem is the house that resides in an HDO town or city.

Pervasive control examples within HDOs include governance, risk, and compliance (GRC) systems, which address a diverse range of functions needed to operate a cybersecurity strategy: performance and management of enterprise risk, tracking of information technology (IT) assets, incident response processes, and IT disaster recovery and business continuity. Another example is data loss prevention (DLP), which prevents data exfiltration by using tools that sit outside the picture archiving and communication system (PACS) and the medical imaging ecosystem. This project implemented contextual controls pertinent to the medical imaging ecosystem and assumes that pervasive controls are implemented across the enterprise. For purposes of this project, pervasive controls that we consider material but did not implement within the laboratory’s PACS control environment are noted in Table C-1 below.

Table C‑1 Pervasive Security Controls

Columns: Cybersecurity Framework Subcategory | Description | Potential Implementation

ID.AM-1,
ID.AM-2

ID.AM-1: Physical devices and systems within the organization are inventoried.

ID.AM-2: Software platforms and applications within the organization are inventoried.

GRC suite that includes an asset management module. One tool that may address this is the Clearwater Compliance IRM Analysis tool.

The application of such tools would address IT general assets such as servers, workstations, and other components that may interact with the PACS environment but do not fall within the control environment established for this project.

IT general assets may be managed by a centralized IT organization that is not directly involved in supporting or maintaining the PACS environment or medical imaging devices.

ID.RA-4,
ID.RA-6

ID.RA-4: Potential business impacts and likelihoods are identified.

ID.RA-6: Risk responses are identified and prioritized.

These two controls address enterprise risk management. ID.RA-4 may be addressed through implementing business impact assessments or enterprise risk assessments.

ID.RA-6 considers the case where enterprise risk has been identified or where the HDO has determined that existing controls need to be enhanced or added. Those determinations are often documented in a Plan of Action and Milestones that describes tasks needing to be addressed, resources required, and milestone dates for realizing tasks.

Typical control implementation to address ID.RA-4 and ID.RA-6 would include a GRC suite with an enterprise risk management module.

The Clearwater Compliance IRM Analysis tool may be relevant as well.

PR.AC-2

PR.AC-2: Physical access to assets is managed and protected.

Server assets may be hosted in a data center with appropriate physical security and environmental controls.

PR.DS-5

PR.DS-5: Protections against data leaks are implemented.

This control addresses the possibility of data exfiltration and may consider options wherein clinical or other sensitive data are migrated outside the HDO perimeter by using email or web services.

Typical controls to be deployed at the internet border may include DLP tools. An example tool may be the Symantec DLP solution.

PR.IP-6

PR.IP-6: Data is destroyed according to policy.

This control addresses the need to destroy data as appropriate once that data reaches its end of life. PACS and VNA control mechanisms address objects within their own purview, but HDOs should also look to pervasive mechanisms for data that may reside on workstations, endpoint devices, or removable media. In addressing appropriate data destruction measures, HDOs should consult National Institute of Standards and Technology Special Publication 800-88 Rev. 1, Guidelines for Media Sanitization.

PR.IP-9
PR.IP-10

PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.

PR.IP-10: Response and recovery plans are tested.

These controls pertain to enterprise response and recovery planning, including disaster recovery, and assurance that the plans are regularly tested.

Incident response planning may be addressed in several ways, including establishing an incident response team, capturing data about reported or detected security events, and remediating those events. As part of establishing incident response procedures, organizations may consider developing “playbooks”: established procedures for specific threat types that require a course of action different from standard incident handling.

Recovery plans, which may consist of business continuity plans and disaster recovery plans, should be established. Organizations may consider maintaining these plans, including their playbooks, out of band, e.g., in physical format or in mechanisms that provide assurance that the plans themselves remain accessible during a security event, rather than only on systems that the event may have taken down.

Management of such plans may be maintained in GRC suites that include modules designed to house such plans and establish regular testing schedules.

RS.RP-1

RS.RP-1: Response plan is executed during or after an event.

Response plans may be managed through a GRC solution. Physical copies of response plans should be maintained to allow for potential system outages.

RC.RP-1

RC.RP-1: Recovery plan is executed during or after a cybersecurity incident.

Recovery plans may be managed through a GRC solution. Physical copies of recovery plans should be maintained to allow for potential system outages.

Appendix D Aligning Controls Based on Threats

Columns: C/I/A | Threat Event | National Institute of Standards and Technology Cybersecurity Framework Mitigating Control

C | Abuse of credentials or insider threat | PROTECT (PR): Access Control; User Identification and Authentication. DETECT (DE): Anomalies and Events Detection; Security Continuous Monitoring.

C | Credential compromise | PROTECT (PR): Access Control; User Identification and Authentication. DETECT (DE): Anomalies and Events Detection; Security Continuous Monitoring.

C | Data exfiltration | PROTECT (PR): Data Security and Privacy; Information Protection Processes and Procedures; Protective Technology. DETECT (DE): Anomalies and Events Detection; Security Continuous Monitoring.

I | Data-in-transit disruption | PROTECT (PR): Data Security and Privacy; Communications and Network Security. DETECT (DE): Anomalies and Events Detection; Security Continuous Monitoring.

I | Data alteration | PROTECT (PR): Access Control; Data Security and Privacy. DETECT (DE): Anomalies and Events Detection; Security Continuous Monitoring.

I | Time synchronization | PROTECT (PR): Data Security and Privacy; Maintenance; Communications and Network Security. DETECT (DE): Anomalies and Events Detection; Security Continuous Monitoring.

I | Introduction of malicious software | PROTECT (PR): Protective Technology. DETECT (DE): Anomalies and Events Detection; Security Continuous Monitoring.

I | Unintended use of service | IDENTIFY (ID): ID.AM-2: Software platforms and applications within the organization are inventoried. PROTECT (PR): PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities. DETECT (DE): Security Continuous Monitoring.

A | Data storage disruption | IDENTIFY (ID): ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, during normal operations). PROTECT (PR): Data Security and Privacy; Information Protection Processes and Procedures; Communications and Network Security; PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.

A | Network disruption | PROTECT (PR): Data Security and Privacy; Communications and Network Security. DETECT (DE): Anomalies and Events Detection; Security Continuous Monitoring.

A | Backup/recovery disruption | PROTECT (PR): Information Protection Processes and Procedures. RECOVER (RC): Recovery and Restoration.

A | Supply chain compromise | IDENTIFY (ID): ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.