NIST Publishes Final Guidance on Protecting the Picture Archiving and Communication System (PACS) Ecosystem

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has issued final guidance for healthcare delivery companies on securing the Picture Archiving and Communication System (PACS) ecosystem.

PACS is a medical imaging system that is employed to safely keep and digitally transfer medical photos like CT scans, MRIs, and X-rays, and related clinical reports and is everywhere in medical care. These systems remove the necessity to keep, transmit, and acquire medical images manually, and help healthcare delivery businesses by permitting the safe and cheap keeping of images offsite in the cloud. PACS permits quick access of medical images utilizing PACS application at any place.

By design, PACS cannot work by itself. In healthcare delivery companies, PACS is typically built-in into highly sophisticated settings and interfaces with a lot of interlinked systems. The intricacy of those settings means that protecting the PACS ecosystem could be a big task and it is easy for cybersecurity threats to be brought in that can quickly hurt the confidentiality, availability, and integrity of protected health information (PHI), the PACS ecosystem, and any programs linked to PACS.

In September 2019, a ProPublica article discovered 187 unsecured servers that were utilized to save and access medical photos. Those servers kept the medical images with PHI of over 5 million individuals in the U.S. In certain cases, the images may be accessed by utilizing a regular web browser and seen utilizing a free software program.

This 2020, the analyst staff at CyberAngel checked about 4.3 billion IP addresses around the world and identified 2,140 unprotected servers in 67 nations. Those servers have about 45 million medical photos. The images got around 200 lines of metadata that contained personally identifiable information and PHI. As per the CyberAngel “Full Body Exposure” report, those images may be seen online using a typical web browser. In certain instances, there were login pages, but approved blank username and password fields.

NIST published draft guidance on safeguarding the PACS ecosystem immediately after the publishing of the ProPublica report to assist healthcare delivery businesses to recognize cybersecurity problems connected with PACS and employ tougher security controls and lessening the effect and availability to PACS and other parts.

The latest version of the guidance contains a thorough set of cybersecurity criteria and best practices to use to enhance the PACS ecosystem security, with the guidance addressing access control, asset management, user ID and validation, data security, security constant tracking, and response planning, and recovery.

The final practice guide incorporated suggestions from the community and other stakeholders and added remote storage abilities into the PACS system. This effort gives a more extensive security option that reflects real-world HDO networking conditions.

HIPAA covered entities and their business associates may apply this practice guide to use present cybersecurity specifications and best practices to minimize their cybersecurity risk, and sustaining the overall productivity and usability of PACS.

NIST Cybersecurity Special Publication 1800-24, Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector can be viewed on this website.

NIST/NCCoE developed the guidance with Cisco, DigiCert, Forescout, Clearwater Compliance, Microsoft, Hyland, Philips, Symantec, Tempered Networks, Tripwire, TDI Technologies, Virtua Labs, and Zingbox.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at