It can be challenging for healthcare institutions to protect their picture archiving and communication systems (PACS) against cybersecurity threats. In an effort to help, the U.S. National Institute of Standards and Technology (NIST) has published a draft practice guide aimed at helping healthcare organizations achieve PACS security.
Produced by the NIST's National Cybersecurity Center of Excellence (NCCoE), the practice guide details a reference architecture for how to securely configure and deploy PACS. Built using commercially available and standards-based tools, the reference architecture describes how to implement defense-in-depth, access control mechanisms, and a holistic risk management approach, according to the NCCoE.
The defense-in-depth model features network zoning, which enables more granular control of network traffic and limits communications capabilities to the minimum necessary to support business functions, the NCCoE said. Meanwhile, the center recommends implementing access control mechanisms, including multifactor authentication for care providers and certificate-based authentication for imaging devices and clinical systems, and limiting vendor remote support for medical imaging components.
The NCCoE also advises a holistic risk-management approach that "includes medical device asset management, augmenting enterprise security controls, and leveraging behavior analytic tools for near real-time threat and vulnerability management in conjunction with managed security solution providers."
In building its reference architecture, the NCCoE utilized existing technologies to provide the following capabilities:
- Role-based access control
- Authentication
- Network access control
- End-point protection
- Network and communication protection
- Microsegmentation
- Behavioral analytics
- Tools that use cyberthreat intelligence
- Antimalware
- Data security
- Segregation of duties
- Restoration and recoverability
- Cloud storage
"While the NCCoE used a suite of commercial products to address security challenges, this guide does not endorse these particular products, nor does it guarantee compliance with any regulatory initiatives," the authors wrote. "Information security experts should identify the products that will best integrate with existing tools and IT system infrastructure. Organizations can adopt this solution or one that adheres to these guidelines in whole, or this guide can be used as a starting point for tailoring and implementing parts of a solution."
The NCCoE said its practice guide can help an organization improve resilience in the network infrastructure, limit unauthorized "movement" within the healthcare delivery organization environment, even by authorized system users, and analyze behavior and detect malware throughout the ecosystem. What's more, it can help organizations secure sensitive data, and consider and address the risks they may identify when examining cloud solutions as part of their medical imaging infrastructure, according to the NCCoE.
The full draft guide can be downloaded on the NCCoE website. Public comments will be accepted until November 18.