Date Published: September 2019
Author(s)
Jennifer Cawthra (NIST), Bronwyn Hodges (MITRE), Jason Kuruvilla (MITRE), Kevin Littlefield (MITRE), Robert Niemeyer (MITRE), Chris Peloquin (MITRE), Sue Wang (MITRE), Ryan Williams (MITRE), Kangmin Zheng (MITRE)
Announcement
Medical imaging plays an important role in diagnosing and treating patients. The system that manages medical images is known as the picture archiving and communication system (PACS) and is nearly ubiquitous in healthcare environments. PACS fits within a highly complex healthcare delivery organization (HDO) environment that involves interfacing with a range of interconnected systems. This complexity may introduce or expose opportunities that allow malicious actors to compromise the confidentiality, integrity, and availability of the PACS ecosystem.
The NCCoE at NIST analyzed risk factors regarding the PACS ecosystem by using a risk assessment based on the NIST Cybersecurity Framework and other relevant standards. The NCCoE developed an example implementation that demonstrates how HDOs can use standards-based, commercially available cybersecurity technologies to better protect the PACS ecosystem.
The NCCoE's practice guide NIST SP 1800-24, Securing Picture Archiving Communications System, will help HDOs implement current cybersecurity standards and best practices to reduce their cybersecurity risk, while maintaining the performance and usability of PACS.
Medical imaging plays an important role in diagnosing and treating patients. The system that manages medical images is known as the picture archiving communication system (PACS) and is nearly ubiquitous in healthcare environments. PACS is defined by the Food and Drug Administration (FDA) as a Class II device that “provides one or more capabilities relating to the acceptance, transfer, display, storage, and digital processing of medical images.” PACS centralizes functions surrounding medical imaging workflows and serves as an authoritative repository of medical image information.
PACS fits within a highly complex healthcare delivery organization (HDO) environment that involves interfacing with a range of interconnected systems. PACS may connect with clinical information systems and medical devices and may involve engaging with health professionals who may be both internal and external to the HDO. This complexity may introduce or expose opportunities that allow malicious actors to compromise the confidentiality, integrity, and availability of the PACS ecosystem.
The NCCoE at NIST analyzed risk factors regarding the PACS ecosystem by using a risk assessment based on the NIST Risk Management Framework, and the NCCoE leveraged the NIST Cybersecurity Framework and other relevant standards to identify measures to safeguard the ecosystem. The NCCoE developed an example implementation that demonstrates how HDOs can use standards-based, commercially available cybersecurity technologies to better protect the PACS ecosystem. This practice guide will help HDOs implement current cybersecurity standards and best practices, to reduce their cybersecurity risk while maintaining the performance and usability of PACS.
Keywords
access control; auditing; authentication; authorization; behavioral analytics; DICOM; encryption; microsegmentation; multifactor authentication; PACS; picture archiving and communication system; PAM; privileged account management; vendor neutral archive; VNA
Control Families
Access Control; Configuration Management; Contingency Planning; Identification and Authentication; Risk Assessment; System and Communications Protection; System and Information Integrity