NIST guidance aims to help PACS users enhance data security
The National Institute of Standards and Technology has issued draft cybersecurity guidance for securing Picture Archiving and Communication Systems (PACS).
The guidance has been released for public comment, with the comment period ending November 18; after that, NIST will develop final guidance.
“PACS fits within a highly complex healthcare delivery organization (HDO) environment that involves interfacing with a range of interconnected systems,” NIST notes. “This complexity may introduce or expose opportunities that allow for malicious actors to compromise the confidentiality, integrity and availability of the PACS ecosystem.”
Security challenges that providers, vendors, insurers and other stakeholders face include controlling, monitoring and auditing HDO user accounts, including identifying outliers in user behavior; controlling, monitoring and auditing access to and modification of radiology images; and enforcing least privilege and separation-of-duties policies for internal and external users, according to NIST.
Other challenges include ensuring data integrity as imaging moves across the enterprise and providing security, data protection and access management without impacting system performance or user productivity.
The benefits of stronger controls on a PACS include a reduced likelihood of a breach, less risk of significant data loss, timely access to images for clinicians and protection of patient privacy.
However, gaps in security can affect clinical information stored in the PACS environment.
Consequently, NIST advises implementing multiple technical and process controls:
- A defense-in-depth solution, including network zoning that allows for more granular control of network traffic flows and limits communications capabilities to the minimum necessary to support the business function.
- Access control mechanisms that include multifactor authentication for care providers and certificate-based authentication for imaging devices and clinical systems.
- A holistic risk management approach that includes medical device asset management, augmenting enterprise security controls and leveraging behavioral analytic tools for near real-time threat and vulnerability management in conjunction with managed security solution providers.
- Improved resilience in the network infrastructure to limit a threat actor’s ability to leverage components as pivot points to attack other parts of the HDO environment.
- Limits on unauthorized movement within the HDO environment, to address both the “insider” security risk from system users and the risk from unauthorized actors who gain network access.
- Behavior analysis and malware detection throughout the enterprise, so that HDOs can identify when components show signs of compromise and limit the effects of a ransomware attack.