NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS)

Securing the Picture Archiving and Communication System (PACS)

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has published final guidance for healthcare organizations on securing the Picture Archiving and Communication System (PACS).

PACS is used in healthcare for receiving, storing, and transmitting medical images. The nature of the system means it must be easily accessible and must interact with many other healthcare IT systems. While PACS has been designed to be secure, it is easy for cybersecurity risks to be introduced when implementing the system.

If cybersecurity risks are present a system that interfaces with many other systems and contains potentially large amounts of protected health information, a breach can have severe consequences. If vulnerabilities are exploited, the confidentiality, integrity, and availability of the PACS ecosystem could be compromised.

Recent studies have shown that vulnerabilities exist in the PACS ecosystem in many hospitals which have exposed sensitive patient data and left the PACS system open to attack. A ProPublica investigation in 2019 identified 187 unprotected PACS servers in the United States that contained the ePHI of approximately 5 million patients. The images and associated ePHI could be accessed using a standard web browser and freely available software. A much broader investigation conducted by CyberAngel in 2020 identified 2,140 unprotected servers worldwide that contained 45 million medical images and associated ePHI.

The guidance – Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector (NIST Cybersecurity Special Publication 1800-24) – consists of a practice guide that includes a comprehensive set of cybersecurity standards and best practices covering asset management, access control, user identification and authentication, data security, continuous monitoring, and response planning, recovery, and restoration, along with how to guides providing information on the steps that should be taken to secure the PACS ecosystem.

The guidance can be used by covered entities and their business associates to implement the current cybersecurity standards and best practices to reduce risk, without negatively impacting the usability and performance of PACS.

“The final practice guide, which in addition to incorporating feedback from the public and other stakeholders, builds on the draft guide by adding remote storage capabilities into the PACS architecture. This effort offers a more comprehensive security solution that more closely mirrors real-world HDO networking environments,” said NIST.