Securing Picture Archiving and Communication System (PACS)

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) built a laboratory to emulate a medical imaging environment, performed a risk assessment, and identified controls from the NIST Cybersecurity Framework to secure the medical imaging ecosystem. This project used Picture Archiving Communications Systems (PACS) and a Vendor Neutral Archive (VNA), and implemented controls to safeguard medical images from cybersecurity threats. PACS and VNA, hereafter referred to as “PACS,” comprise the systems to centrally manage medical imaging data. This effort resulted in a NIST Special Publication 1800 series Cybersecurity Practice Guide, based on the following considerations relative to PACS:

• PACS allows for the acceptance, transfer, display, storage, and digital processing of medical images. PACS centralizes functions surrounding medical imaging workflows and serves as an authoritative repository of medical image information. Medical imaging is a critical component in rendering patient care. The PACS ecosystem serves as the repository to manage these images and accompanying clinical information within the healthcare delivery organization (HDO).
• PACS fits within a highly complex HDO environment that includes back-office systems, electronic health record systems, and pharmacy and laboratory systems, as well as an array of electronic medical devices. In managing these systems, HDOs work with a diverse group of individuals who interact with the enterprise information technology (IT) infrastructure and may include IT operations staff, internal support teams, and biomedical engineers, as well as vendors and manufacturers.
• Securing PACS presents several challenges. Various departments operating in the HDO have unique medical imaging needs and may operate their own PACS or other medical imaging archiving systems. Further, HDOs may use external medical imaging specialists when reviewing patient medical data. The PACS ecosystem, therefore, may include multiple systems for managing medical imaging data, along with a diverse clinical user community, accessing PACS from different locations. This complexity leads to cybersecurity challenges.
• PACS may have vulnerabilities that, given its central nature, may impact an HDO’s ability to render patient care or to preserve patient privacy. These vulnerabilities could impede the timely diagnosis and treatment of patients, if medical images are altered or misdirected. These vulnerabilities could also expose an HDO to risks of significant data loss, malware and ransomware attacks, and unauthorized access to other parts of an HDO enterprise network.
• This NIST Cybersecurity Practice Guide features a reference architecture using commercially available, standards-based tools and technologies demonstrating how HDOs can securely configure and deploy PACS.