The NIST-backed National Cybersecurity Center of Excellence (NCCoE) unveiled this week an initial set of vendor partners for a medical device security project called Securing Picture Archiving and Communication Systems (PACS).
The vendor partners include Cisco, Clearwater Compliance, DigiCert, ForeScout, Hyland, Symantec, TDi Technologies, Tempered Networks, Tripwire, Virta Labs, and Zingbox.
In response to a May 9 notice in the Federal Register, these companies submitted proposals that aligned with desired solution characteristics, NCCoE explained.
In the notice, NIST invited vendors to provide products and technical expertise to support and demonstrate security platforms for the Securing PACS project.
The objective of the project is “to provide guidance and a referenceable architecture for securing the Picture Archiving and Communication System (PACS) ecosystem in healthcare delivery organizations (HDOs) and to include an example solution using existing, commercially and open-source available cybersecurity products,” explained NIST in its notice.
The notice was the initial step for NCCoE in collaborating with vendors to address cybersecurity challenges with PACS.
NCCoE was founded in 2012 by NIST, the state of Maryland, and Montgomery County, Maryland. The NCCoE brings together experts from industry, government, and academia to develop practical, interoperable cybersecurity approaches that address the real-world needs of IT systems.
The selected vendors were extended a cooperative research and development agreement, enabling them to participate in a consortium where they will contribute expertise and hardware or software to refine a reference design and build an example standards-based implementation.
These vendors will work with the NCCoE project team to provide a solution for securing the PACS ecosystem. The result will be published in a NIST Cybersecurity Practice Guide (NIST’s Special Publication 1800 series) that includes a reference design and a description of the practical steps needed to implement the solution based on the NIST Cybersecurity Framework and industry standards and best practices.
During an Oct. 18 panel discussion at the Safeguarding Health Information conference held in Washington, DC, and hosted by OCR and NIST, Sue Wang, principal cybersecurity engineer at MITRE, noted that connected medical devices are posing increasing risks to healthcare organizations.
Wang explained that MITRE is working with NCCoE on medical device security issues. She noted that the center recently published a guide on securing wireless infusion pumps.
Wirelessly connecting infusion pumps to point-of-care medication systems and EHRs improves healthcare delivery but also increases cybersecurity vulnerability, warned NIST and NCCoE in the guide.
If not properly secured, wireless infusion pumps open healthcare organizations to access by hackers, breach of PHI, loss or disruption of equipment and services, and damage to reputation, productivity, and revenue, the guide noted.
“Our current project is the secure PACS. This underlying technology is different from the wireless infusion pump,” Wang told the panel.
She noted that NCCoE just announced the selection of vendors for the secure PACS project, adding that more vendors will be selected soon.
Peter Romness, cybersecurity programs lead for US public sector at Cisco Systems, told the panelists that Cisco is working with NCCoE on cybersecurity projects. “What NCCoE does is put out a call to industry about a project it is working on. We put our best foot forward. We provide the center with experts and demo equipment to set up their lab. We provide help and make it all work,” he said.
Romness noted that the NCCoE tries to stay vendor neutral and build solutions that are modular so that products from different vendors can be used.
He noted that medical device manufacturers and healthcare organizations are starting to focus more on security in the aftermath of well-publicized cybersecurity events. This has made working together easier, he added.
“It is really important that we don’t disrupt patient care. Cybersecurity really has become part of patient care because if you are not taking care of patient information, you can cause very big harm,” Romness stressed.
He recommended that organizations develop a risk-based plan and make their cybersecurity decisions based on that plan.