The University of North Texas (UNT) recently performed a survey to
assess PACS security architectures and usage in more than 40
institutions. The facilities ranged in size from 100- to 1,000-bed
facilities, and represented anywhere from 50,000 to one million
examinations per year.
The data in the UNT survey showed several potential vulnerabilities
with respect to security provisions. Taken in light of the U.S. Federal
HIPAA security regulation goes into effect April 20th, these issues are
not only impacting the availability and integrity of Patient Health
Information, but also could represent potential federal HIPAA
violations.
Please note, these 10 recommendations should not be considered a
comprehensive assessment of the HIPAA regulations and/or how they apply
to PACS. (For such an assessment, see PACS Fundamentals, chapter 8,
available from www.otechimg.com.)
Rather, they focus on the most obvious threats and issues, and are
based on the UNT survey and through personal observations we have made
while visiting institutions and talking with PACS administrators.
1. Deploy external & internal firewalls Almost every institution has an external
firewall connecting the hospital core network to the edge network
provided by an ISP and/or WAN communications service provider. However,
most threats actually appear from the inside - usually because someone
inserts a virus-infected floppy or CD, or connects his or her laptop to
a device to be calibrated or serviced. Our survey showed that 90
percent of the institutions do not have the RIS and PACS separated by a
firewall. That means that a compromising situation at either the PACS
or the RIS can impact both systems. Even the HIS is not always
consistently screened. Several security incidents and downtime
situations could have been avoided and/or their scope limited if an
institution would have had these deployed more widely.
2. Implement VLANS to limit access When combined with a gateway, a VLAN is the
perfect complement because it limits the access from the gateway to a
well-defined subnet. For example, one could configure the VLAN to make
sure the CT or MR service engineers access only the equipment they
should have access to. The same applies for any other vendor. In
addition, with proper internal configuration, one can restrict certain
devices to only have access to sub-domains using VLAN technology. Most
of our respondents confirmed they were using this technology; however,
it is not universally implemented at each institution.
3. Make sure your virus scanner is installed and up to date Virus protection is somewhat difficult
because most commercial virus protections do not always do a good job
with dedicated and specialized medical imaging equipment. From personal
experience, my laptop slows considerably after I've installed a virus
scanner for all in-coming and out-going files. Also, it does not make
sense to scan every image that leaves or enters a medical device. There
have been stories about images being quarantined because they fit
certain patterns of a particular virus, and the performance loss for
scanning these files is often unacceptable. Therefore, deploy virus
scanners, but work closely with the vendor to make sure they are
configured correctly and they have been validated by the vendor to not
have any negative impact on the device.
4. Force a service provider to use your gateway The National Electrical Manufacturers
Association (NEMA), in cooperation with several other international
standards organizations, generated a proposal1 which
specifies using a single gateway for remote service access as an entry
point for hospital networks. Based on our survey, 70 percent of
participants implement a gateway. However, it appears that they allow
vendors to install their own gateways rather than controlling the
access themselves: only 30 percent of vendors in the survey are able to
integrate their gateway with the hospital's gateway. Many vendors have
indicated that installing their own gateways is a matter of preference.
Imagine having four different vendors in a department. The institution
is responsible to check the audit trails on these devices, especially
if images and/or other clinical data are accessed or retrieved. From
both cost and management perspectives (somewhere the institution pays
for these devices), a single device makes much more sense.
5. Use the proper VPN configuration Our survey showed that every hospital
supports VPN for remote access, although 20 percent of the participants
reported that they also provide dial-up access. SSL is predominantly
used for remote access for PACS, which works at the communication
level. In other words, a secure connection is established on an
as-needed basis and the information is encrypted so that it can be
exchanged using public networks. In some cases, it might actually make
sense to use IPsec technology and establish a secure "tunnel" at the
applications level. The table below details the differences between
IPSec and SSL, and to alleviate any confusion about when to use which
technology.
6. Deployment of network monitoring tools It is essential to monitor the incoming and
outgoing traffic on a continuous basis. For example, it is required to
initiate periodic auditing of open ports using NMAP and monitor all the
changed files. There are several open source network security
monitoring tools. Some examples of these tools are Tripwire, Superscan,
Nessus, and Ethereal. In addition, there are also several commercial
tools like Lanscope which can give a three-dimensional display of the
network traffic. These displays distinguish between normal and abnormal
traffic.
7. Keep your IDS technology up to date An Intrusion Detection System (IDS) is
predominantly used to find abnormal behavior or activity within the
network. The analysis of the survey results indicates that most (70
percent) of the hospital networks have this mechanism in their network.
However, most of the IDS devices are limited in functionality and are
generally unaware of the specifics of the protocols used, such as
DICOM, HL7 or other proprietary protocols. IDSs are a rapidly evolving
area and it is critical to make sure that one constantly monitors the
new technology and is always alert to any intrusions.
8. Implement your security patches The same caution applies when updating your
operating system to include new patches that close security holes. You
should not implement these as they become available, but rather, work
with the vendor and your IT department to assess the risk. This might
have to be done daily after the patch becomes available, because
hackers are known to close the gap between security holes and create a
new virus or Trojan horse that utilizes the hole. The trade-off between
whether or not to implement the patch and the risk of someone
exploiting it is called patch management and can be formalized using
your specific architecture and implementation.
9. Limit your exposure through the use of a test system It is amazing how many institutions install
new software releases, upgrades, patches, and additional applications
without properly testing and validating them on a non-clinical test
system. It is common practice in the IT world to run tests - there are
actually even special identifiers in the HL7 protocol messages that
indicate test messages, so an application knows not to update the
patient database or perform a lab test (as might have been indicated in
the patient admission or order message). However, most institutions do
not budget for a separate PACS test system, which can be as simple as a
small version of the archive and a few simulators for modalities and
workstations. We contend that with the HIPAA regulation stressing the
preservation of data integrity, one could almost be required to have
such a system. In addition, one also could use the test system as a
back-up, thereby also satisfying another of the other critical HIPAA
security requirements. Based on feedback from those using such a test
system, and hearing what issues and problems were identified - things
that prevented potential major problems with the clinical system - it
seems a no-brainer. We did not ask about the availability of a test
system in our survey, but based on other feedback and observations, it
appears that the majority of the current PACS users do not have such a
system in place.
10. Perform a regular risk analysis The risk analysis is, perhaps, the single
most important item in the HIPAA regulations; in part because every
institution is unique and presents its own set of challenges, resources
and cost limitations. One of the key messages in the HIPAA set of
regulations is that security implementation should be reasonable and
consistent with resources of the institution. In other words, a
doctor's office will have a different security implementation than a
major hospital. However, in all cases, it is impossible to justify any
specific implementation without first performing a well-documented risk
analysis. We mention this because when we visit institutions, we
continue to see potential problems such as workstations displaying
patient information and/or images which can be seen and accessed by
anyone walking by, or workstations left un-attended, inviting anyone to
disabled the auto-log-off. We've seen service personnel accessing
devices without being monitored (until it is too late), and remote
access from people not logged in and/or not monitored. Regular
walkthroughs and risk analyses should be made every few months, if not
monthly.
April 21st is coming soon In conclusion, are we ready for HIPAA? Based
on our survey, and through individual observations, it appears as
though there are still many improvements which should be made. It also
seems there are ad-hoc changes and awareness, not to mention several
vulnerabilities and threats which could impact the HIPAA compliance of
an institution and its data integrity.
Ram Dantu is an assistant professor in the
Computer Science department at the University of North Texas. Herman
Oosterwijk is president of OTech Inc. and a member of the adjunct
faculty of the University of North Texas.
The University of North Texas (UNT) recently performed a survey to
assess PACS security architectures and usage in more than 40
institutions. The facilities ranged in size from 100- to 1,000-bed
facilities, and represented anywhere from 50,000 to one million
examinations per year. 