Picture Archiving and Communication System (PACS) is defined by the Food and Drug Administration (FDA) as a Class II device that “provides one or more capabilities relating to the acceptance, transfer, display, storage, and digital processing of medical images. Its hardware components may include workstations, digitizers, communications devices, computers, video monitors, magnetic, optical disk, or other digital data storage devices, and hardcopy devices. The software components may provide functions for performing operations related to image manipulation, enhancement, compression or quantification.” [1]
PACS is nearly ubiquitous in hospitals, prompting the Healthcare Sector Community of Interest to identify securing PACS as a critical need. PACS ties into doctor-patient workflow management, where results based on image interpretation determine the patient’s next steps (e.g., determination of health condition, follow-on visits, patient care, other actions). PACS is typically found in image-intensive areas of healthcare (e.g., Radiology, Cardiology, Orthopedics, Pathology, Ophthalmology). Although the PACS fundamentals across clinical disciplines are similar, there are several significant differences due to varying clinical requirements. Therefore, PACS requires controls that provide significant integrity, availability, and confidentiality assurances.
PACS allows for remote image review by users both within and external to the healthcare delivery organization (HDO) infrastructure. PACS typically interacts with electronic health records (EHRs); Hospital Information System (HIS); Radiology or Cardiology Information System (RIS/CIS); diagnostic reporting; vendor neutral archive; regulatory registries; and multicenter government, academic, and commercial archives. Users access PACS using both HDO-supplied and configured devices and personal devices. The amorphous aspect of PACS exposes a threat vector that could act as a point where an attack may be performed or may serve as a pivot point into an integrated healthcare information system.
The goal of this project is to provide a practical solution for securing the PACS ecosystem. The project team will perform a risk assessment on a representative PACS ecosystem in the laboratory environment, apply the NIST Cybersecurity Framework and guidance based on medical device standards, and collaborate with industry and public partners. The result will be a freely available NIST Cybersecurity Practice Guide that includes a reference design and a detailed description of the practical steps needed to implement the solution based on standards and best practices.