Guidance Issued on Securing Picture Archiving and Communications Systems


New guidance has been released by the National Cybersecurity Center of Excellence (NCCoE) on securing picture archiving and communications systems (PACS).

PACS are used by healthcare delivery organizations (HDOs) to access, store, process, and transmit medical images such as digital X-ray images and CT and MRI scans, and they are ubiquitous in healthcare.

They allow medical images to be accessed from any device or location and support the rapid sharing of medical images with physicians and other members of the care team. Fast access to medical images hastens diagnosis and improves patient outcomes; however, there is a caveat. A system designed to allow easy access to data by multiple individuals, including external third parties, can be a challenge to secure, especially without having a major impact on system performance and usability.

Recent analyses of PACS have revealed that they often contain many vulnerabilities, leaving medical images and the associated protected health information exposed and accessible to unauthorized individuals. Since many PACS link to electronic medical records and other hospital systems, an unaddressed vulnerability can have serious consequences.

The new NCCoE guidance – NIST Cybersecurity Practice Guide, SP 1800-24 – has been written to help HDOs secure their PACS while minimizing disruption to hospital systems and workflows. The guidance document provides detailed information on the entire process of securing these systems, including identifying the individuals who are allowed to access the PACS, how users interact with the system, conducting a risk assessment, and the characteristics of a secure PACS.

The guidance covers the best approach to adopt and the typical architecture of a secure system, and walks HDOs through implementing commercially available technologies to improve security and reduce the risk of a data breach, data loss, and image tampering. The guidance also includes several how-to guides and an example implementation.

Healthcare industry stakeholders have been invited to download the draft guidance and comments are being accepted until November 18, 2019.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: