New guidance has been released by the National Cybersecurity Center of Excellence (NCCoE) on securing picture archiving and communications systems (PACS).
PACS are used by healthcare delivery organizations (HDOs) for accessing, storing, processing, and transmitting medical images such as digital X-Ray images, CT and MRI scans and they are ubiquitous in healthcare.
They allow medical images to be accessed from any device or location and support the rapid sharing of medical images with physicians and other members of the care team. Fast access to medical images hastens diagnosis and improves patient outcomes; however, there is a caveat. A system designed to allow easy access to data by multiple individuals, including external third parties, can be a challenge to secure, especially without having a major impact on system performance and usability.
Recent analyses of PACS systems have revealed they often contain many vulnerabilities, which leaves medical images and associated protected health information exposed and accessible by unauthorized individuals. Since many PACS link to electronic medical records and other hospital systems, an unaddressed vulnerability can have serious consequences.
The new NCCoE guidance – NIST Cybersecurity Practice Guide, SP 1800-24 – has been written to help HDOs secure their PACS while minimizing disruption to hospital systems and workflows. The guidance document provides detailed information on the entire process of securing the systems, including identifying the individuals that are allowed to access the PACS, user interactions with the system, conducting a risk assessment, and the characteristics of a secure PACS.
The guidance covers the best approach to adopt and the typical architecture of a secure system, and walks HDOs through implementing commercially available technologies to improve security and reduce the risk of a data breach, data loss, and image tampering. The guidance also includes several how-to-guides and an example implementation.
Healthcare industry stakeholders have been invited to download the draft guidance and comments are being accepted until November 18, 2019.