NCCoE Releases Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem

The draft NIST guidelines for securing the picture archiving and communications system (PACS) ecosystem was issued by the National Cybersecurity Center of Excellence (NCCoE).

The guidelines called NIST Cybersecurity Practice Guide, SP 1800-24 were penned for health healthcare delivery organizations (HDOs) to help protect their PACS and minimize the likelihood of a data breach or data loss, secure patient privacy, and protect the reliability of medical photos at the same time reducing interruption to hospital systems.

All HDOs practically use PACS for saving, viewing, and sharing electronic medical photos. The systems make it simple for healthcare experts to access and share medical photos to accelerate diagnosis.

The system could usually be accessed through laptops, desktops, and mobile gadgets and a PACS could also connect to electronic health records, other hospital systems, academic, government, and commercial archives and regulatory registries.

Because of numerous users and devices and interactions with several systems, HDOs could face problems acquiring their PACS ecosystem, particularly without getting an adverse effect on user productivity and system functionality.

Major difficulties include managing, supervising, and auditing user accounts, determining outliers in user conduct, implementing the rule of least privilege, making separation-of-duties policies for external and internal users, tracking and protecting external and internal connections to the system, and making sure of data integrity as images are transmitted across the enterprise.

The Healthcare PACS Project determines the people who have interaction with the system, describes their interactions, carries out a risk assessment, and pinpoints commercially offered mitigating security systems.

The guidance document clarifies the most effective approach and design to choose, together with the qualities of a secure PACS. It included how-to-guides and a sample implementation which utilizes commercially available systems to execute better security controls to make a lot more secure PACS ecosystem.

The guidance document was created with the help from a number of PACS system developers as well as cybersecurity firms, such as Cisco, Forescout, Digicert, Philips, Hylans, tripwire, Symantec, Zingbox, Virta Labs, and Clearwater compliance.

NCCoE would like to receive comments from HDOs and healthcare market stakeholders about the new guidance up to November 18, 2019. Download the draft guidance from the NCCoE website here.