NIST Shares Best Practice Security Guidance for Vulnerable PACS

Best practice NIST guidance is designed to support healthcare providers in securing PACS. Multiple reports have shown the highly vulnerable tech has exposed millions of medical images.

By Jessica Davis

The Office for Civil Rights is urging healthcare organizations to review recently released NIST cybersecurity guidance for Picture Archiving and Communication Systems (PACS). The best practice insights are designed to secure the highly vulnerable technology.

PACS servers are widely used in healthcare to archive medical images and to share those records with other providers. However, the technology is riddled with vulnerabilities, including ones stemming from its use of the DICOM protocol. Flaws in DICOM could allow an attacker to embed malicious code in imaging files and infect patient data.
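The concern above is that a DICOM file can carry content other than the image. A DICOM Part 10 file opens with a 128-byte preamble whose contents the standard leaves unspecified, followed by the "DICM" magic and the File Meta Information group. The following Python script is an added example for this article, not code from NIST or from the guidance it describes; it parses that header and reports a non-zero preamble for review, along with structural problems a defender would want flagged before an imaging file is accepted into an archive. The sample files are constructed in the script, the `build_sample` helper is hypothetical, and the check only covers the header, not the pixel data.

```python
import struct
from dataclasses import dataclass, field

PREAMBLE_LEN = 128
MAGIC = b"DICM"
# VRs that use the 4-byte length form in Explicit VR Little Endian.
LONG_VRS = (b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN")


@dataclass
class DicomHeaderReport:
    valid_part10: bool
    preamble_all_zero: bool
    meta_elements: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_file_meta(data: bytes) -> DicomHeaderReport:
    """Parse preamble, magic and group 0002 of a DICOM Part 10 file and
    record anything worth a second look before the file is archived."""
    report = DicomHeaderReport(valid_part10=False, preamble_all_zero=False)
    if len(data) < PREAMBLE_LEN + 4:
        report.findings.append("file too short for a Part 10 header")
        return report
    preamble = data[:PREAMBLE_LEN]
    report.preamble_all_zero = preamble == b"\x00" * PREAMBLE_LEN
    if data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        report.findings.append("missing DICM magic at offset 128")
        return report
    report.valid_part10 = True
    if not report.preamble_all_zero:
        # The standard does not constrain these bytes, so this is a review
        # trigger rather than proof of tampering (some legitimate dual-format
        # files use the preamble). Archives that never need it can zero it.
        report.findings.append(
            "non-zero preamble: 128 bytes of unvalidated, non-DICOM content precede the image")
    # File Meta Information is always Explicit VR Little Endian, group 0002.
    pos = PREAMBLE_LEN + 4
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            # 2 reserved bytes, then a 4-byte length.
            length = struct.unpack_from("<I", data, pos + 8)[0]
            value_start = pos + 12
        else:
            length = struct.unpack_from("<H", data, pos + 6)[0]
            value_start = pos + 8
        value = data[value_start:value_start + length]
        if len(value) != length:
            report.findings.append(f"truncated meta element ({group:04x},{elem:04x})")
            break
        report.meta_elements[(group, elem)] = value
        pos = value_start + length
    if (0x0002, 0x0010) not in report.meta_elements:
        report.findings.append("no Transfer Syntax UID (0002,0010) in file meta")
    return report


def _meta(elem: int, vr: bytes, value: bytes) -> bytes:
    """Encode one group-0002 element using the short (2-byte) length form."""
    if len(value) % 2:
        value += b"\x00"  # UI values are null-padded to even length
    return struct.pack("<HH", 0x0002, elem) + vr + struct.pack("<H", len(value)) + value


def _meta_ob(elem: int, value: bytes) -> bytes:
    """Encode one group-0002 OB element using the long (4-byte) length form."""
    return struct.pack("<HH", 0x0002, elem) + b"OB\x00\x00" + struct.pack("<I", len(value)) + value


def build_sample(preamble: bytes) -> bytes:
    """Constructed (hypothetical) minimal Part 10 header for the demo."""
    body = _meta_ob(0x0001, b"\x00\x01")                           # File Meta Information Version
    body += _meta(0x0002, b"UI", b"1.2.840.10008.5.1.4.1.1.2")   # Media Storage SOP Class UID (CT Image)
    body += _meta(0x0010, b"UI", b"1.2.840.10008.1.2.1")         # Transfer Syntax UID (Explicit VR LE)
    group_len = _meta(0x0000, b"UL", struct.pack("<I", len(body)))
    return preamble + MAGIC + group_len + body


# Constructed inputs: a clean file and one whose preamble holds arbitrary bytes.
CLEAN_FILE = build_sample(b"\x00" * PREAMBLE_LEN)
SUSPECT_FILE = build_sample(bytes(range(1, PREAMBLE_LEN + 1)))
NOT_DICOM = b"\x00" * PREAMBLE_LEN + b"JUNK"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_FILE), ("suspect", SUSPECT_FILE), ("junk", NOT_DICOM)):
        r = parse_file_meta(blob)
        print(name, "part10" if r.valid_part10 else "not part10", r.findings)
```

A header check like this belongs at the ingest boundary (a DICOM gateway or storage SCP), where a flagged file can be quarantined for review rather than written into the archive; it complements, and does not replace, the network controls the guidance recommends.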

Meanwhile, reports from Greenbone Networks in 2019 found PACS were leaking billions of medical images. One year later, a HealthITSecurity.com exclusive report confirmed US providers have not yet secured millions of medical images.

“PACS fits within a highly complex healthcare delivery organization environment that involves interfacing with a range of interconnected systems,” NIST researchers wrote. “PACS may connect with clinical information systems and medical devices and engage with HDO-internal and affiliated health professionals.”

“Complexity may introduce or expose opportunities that allow malicious actors to compromise the confidentiality, integrity, and availability of a PACS ecosystem,” they added.

The nearly 400-page NIST guidance is designed to address these security risks and support providers in ensuring their PACS and DICOM technologies are not exposing patient data.

To build the guidance, NIST analyzed the risk factors tied to PACS through a risk assessment based on NIST standards. Researchers used these results to identify the measures needed to safeguard the ecosystem.

The NIST NCCoE also developed an example implementation that details how healthcare entities can use standards-based cybersecurity technologies to improve PACS security.

Healthcare entities can leverage the NIST insights to implement those best practice cybersecurity policies and procedures to reduce their overall risk, while maintaining patient privacy and PACS performance and usability.

“Securing PACS presents several challenges,” NIST authors wrote. “The PACS ecosystem… may include multiple systems for managing medical imaging data, along with a diverse clinical user community, accessing PACS from different locations.” 

“This complexity leads to cybersecurity challenges,” they added. “PACS may have vulnerabilities that, given its central nature, may impact an HDO’s ability to render patient care or to preserve patient privacy. These vulnerabilities could impede patients’ timely diagnosis and treatment if medical images are altered or misdirected.” 

NIST also stressed that PACS flaws can expose entities to significant risks of data loss, malware, ransomware, and other unauthorized access to other areas of the healthcare network. As such, providers should act swiftly and leverage the new guidance to address these critical risks.

The practice guide can help provider organizations improve network infrastructure resilience, including limiting a threat actor’s ability to use PACS as a pivot point into the enterprise network. 

The insights also shed light on ways to limit unauthorized movement within the healthcare environment, both by authorized users (insider threats) and by unauthorized actors who gain initial access through PACS.

Providers can also use the guidance to learn effective ways of analyzing behavior and detecting malware throughout the healthcare ecosystem, including methods of determining evidence of compromise and limiting the impact of a potential advanced persistent threat (APT), such as ransomware.

Given the recent spike in nation-state APT activity, particularly in healthcare, the guidance can further support healthcare providers in securing the overall enterprise network.

Lastly, the insights contain details on best practice strategies for securing data at rest, in transit, and in the cloud, while bolstering patient privacy by limiting the means for hackers to exfiltrate or expose data, as well as considerations for leveraging cloud storage solutions to better manage the medical imaging infrastructure.

While the guidance has been finalized, NIST asked healthcare providers who use it to share their experience and advice to ensure its effectiveness.