In-depth approach needed for PACS security

PACS networks must provide several levels of security to offer the best protection against external and internal attacks, according to researchers from the University of Texas M. D. Anderson Cancer Center (MDACC) in Houston.

Network security has become a mission-critical task in radiology departments, said Charles Suitor of MDACC, who spoke during a presentation at the 2004 RSNA meeting in Chicago. Even film-based departments often employ networked film printers, utilize a RIS, and transfer exams over the network; of course, filmless departments can't operate at all without the network and computers.

Often, modalities, workstations, and administrative PCs are placed on the same network. Security isn't always monitored on these devices, and even if it is, it's not always performed in the same fashion, Suitor said.

For the modalities, system configuration and software are usually handled by the vendor. Workstations are also controlled by vendors, who don't like institutions applying security patches, antivirus software, or other security methods directly to the workstation software, Suitor said. Administrative PCs, on the other hand, are typically maintained by the hospital.

Edge protection

In an edge-protection approach, a firewall at the edge of the network (its border with the Internet) blocks unsolicited inbound connections. This stops many external attacks, Suitor said. It's also important to add e-mail virus scanning to block e-mail-borne viruses, the most frequent cause of attacks. But edge protection by itself can't protect against attacks that originate inside the network.

"Modality security is something that the IT industry just sort of doesn't even acknowledge," he said, adding that the industry is "pretty much completely unaware of the issues."

Imaging modality vendors are required by the U.S. Food and Drug Administration (FDA) to test their security patches before applying them to their modalities, and they have to internally define procedures for doing that, Suitor said. Modalities and workstations may not be getting the latest security patches.

"Many (vendors) just have decided that they're not going to attempt to keep up," he said. "They just want to rely on the fact that security will be provided by somebody else, or they rely on the fact that many modalities are built on Unix servers that aren't the target of frequent attack."

Network access to modalities can't simply be cut off, since they must still be able to transfer images and accept vendor remote-service connections, Suitor said.

Administrative PCs are often the target of worms and viruses, and have the potential to be the most vulnerable systems on the network, he said. This problem is amplified by the large number of these systems.

"Applying security patches helps protect these computers," he noted.

Internal attacks can come from infected laptops or home machines connected via virtual private network (VPN). These infections can arise from downloaded programs, CDs and other removable media, and any compromised machine beyond the firewall, Suitor said.

Defense in depth

To guard against these attacks, institutions must adopt defense in depth, with security controls in place at multiple levels so that network integrity survives the failure of any one of them, Suitor said.

A network segmentation approach separates devices into different subnets or virtual networks (VLANs) according to their role. Network conversations into and out of each subnet, and into and out of the network as a whole, are then limited to those that are actually needed, he said.

Other internal protection approaches include using private (RFC 1918) IP addresses, which are not routed on the public Internet, for modalities and other internal subnets. In addition, firewalls should be placed between internal subnets, Suitor said.

"Your average secretary's PC isn't connecting to the modalities. There's really no reason for that," he said. "And your administrative PCs generally are just client PCs, and shouldn't be acting as servers."
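The segmentation policy described above (a border firewall plus filtering between internal subnets, with administrative PCs treated as clients only) can be written down and checked before it is pushed to real firewalls. The following is an added example, not code from the presentation or from AuntMinnie: a small first-match packet-filter model in Python. The address plan, the zone names, the SSH port for vendor remote service and the HTTPS port for a remote web viewer are all assumptions made for illustration; only the DICOM ports (104, with 11112 as the IANA alternative) are real.

```python
"""Toy first-match packet filter for a segmented PACS network.

Added example; the address plan and zone names below are assumed for
illustration.  Rules describe who may *open* a TCP connection to whom;
a real stateful firewall would let the reply traffic through itself.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address plan: every internal role gets its own RFC 1918 subnet.
# Listed most specific first so the vendor pool wins over the general VPN pool.
ZONES = [
    ("vendor_vpn",   ipaddress.ip_network("10.10.9.0/28")),   # vendor service engineers
    ("vpn",          ipaddress.ip_network("10.10.9.0/24")),   # general remote-access pool
    ("modalities",   ipaddress.ip_network("10.10.1.0/24")),   # CT, MR, CR ...
    ("pacs",         ipaddress.ip_network("10.10.2.0/24")),   # archive / server
    ("workstations", ipaddress.ip_network("10.10.3.0/24")),   # diagnostic workstations
    ("admin",        ipaddress.ip_network("10.10.4.0/24")),   # secretaries' and office PCs
]


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the plan is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES:
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                       # zone name or "*"
    dst: str                       # zone name or "*"
    dports: Optional[frozenset]    # TCP destination ports; None means any
    action: str                    # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, dport: int) -> bool:
        return (self.src in ("*", src_zone)
                and self.dst in ("*", dst_zone)
                and (self.dports is None or dport in self.dports))


DICOM = frozenset({104, 11112})

# Evaluated top to bottom; first match wins, and anything unmatched is denied.
RULES = [
    Rule("edge: no unsolicited connections from outside", "internet", "*", None, "deny"),
    Rule("admin PCs are clients, never servers", "*", "admin", None, "deny"),
    Rule("modality stores studies to the archive", "modalities", "pacs", DICOM, "allow"),
    Rule("workstation query/retrieve from the archive", "workstations", "pacs", DICOM, "allow"),
    # A C-MOVE makes the archive open a new connection back to the workstation,
    # so segmentation must allow that direction too or retrievals silently fail.
    Rule("archive delivers C-MOVE results to workstation", "pacs", "workstations", DICOM, "allow"),
    Rule("vendor remote service (assumed SSH)", "vendor_vpn", "modalities", frozenset({22}), "allow"),
    Rule("remote reader via web viewer (assumed HTTPS)", "vpn", "pacs", frozenset({443}), "allow"),
]
DEFAULT = Rule("default deny", "*", "*", None, "deny")


def evaluate(src: str, dst: str, dport: int) -> tuple:
    """Return (action, rule name) for a TCP connection attempt src -> dst:dport."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in RULES:
        if rule.matches(src_zone, dst_zone, dport):
            return rule.action, rule.name
    return DEFAULT.action, DEFAULT.name


if __name__ == "__main__":
    # Constructed sample flows, including the cases the text calls out.
    flows = [
        ("10.10.1.5",    "10.10.2.10", 104),   # CT sends a study to the archive
        ("10.10.4.20",   "10.10.1.5",  104),   # secretary's PC talks to a CT: no reason for that
        ("198.51.100.7", "10.10.1.5",  104),   # Internet host probes a modality
        ("10.10.9.3",    "10.10.1.5",  22),    # vendor engineer services the CT
        ("10.10.9.100",  "10.10.1.5",  22),    # ordinary VPN user tries the same
        ("10.10.3.4",    "10.10.4.20", 445),   # worm on a workstation scans an admin PC
        ("10.10.2.10",   "10.10.3.4",  104),   # archive returns C-MOVE results
    ]
    for src, dst, port in flows:
        action, why = evaluate(src, dst, port)
        print(f"{zone_of(src):>12} -> {zone_of(dst):<12} :{port:<5} {action:5}  ({why})")
```

The useful property of writing the policy this way is that a change to one subnet's rules can be re-checked against the full list of expected and forbidden flows before it reaches production hardware; the C-MOVE rule is the kind of thing that is easy to forget and only shows up as broken retrievals after a segmentation project.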

Individual virus protection should also be included, along with security patch management, Suitor said.

Other internal protection mechanisms include using proxy servers to limit Web downloads, and limiting access to public e-mail servers. Intrusion detection should also be employed to keep the network safe. Limit remote access and VPN connections as well, Suitor said.

The multilayered security system must include tough edge security, a segmented internal network, and a strong internal security program, he said.

By Erik L. Ridley
AuntMinnie.com staff writer
January 20, 2005


Copyright © 2005 AuntMinnie.com
