The University of North Texas (UNT) recently performed a survey to assess PACS security architectures and usage in more than 40 institutions. The facilities ranged in size from 100- to 1,000-bed facilities, and represented anywhere from 50,000 to one million examinations per year.
The data in the UNT survey showed several potential vulnerabilities with respect to security provisions. Given that the U.S. federal HIPAA security regulation goes into effect April 20th, these issues not only affect the availability and integrity of Patient Health Information, but could also represent potential federal HIPAA violations.
Please note that these 10 recommendations should not be considered a comprehensive assessment of the HIPAA regulations and/or how they apply to PACS. (For such an assessment, see PACS Fundamentals, chapter 8, available from www.otechimg.com.) Rather, they focus on the most obvious threats and issues, and are based on the UNT survey and on personal observations we have made while visiting institutions and talking with PACS administrators.
1. Deploy external & internal firewalls
Almost every institution has an external firewall connecting the hospital core network to the edge network provided by an ISP and/or WAN communications service provider. However, most threats actually originate from the inside, usually because someone inserts a virus-infected floppy or CD, or connects his or her laptop to a device to be calibrated or serviced. Our survey showed that 90 percent of the institutions do not have the RIS and PACS separated by a firewall. That means that a compromise of either the PACS or the RIS can impact both systems. Even the HIS is not always consistently screened. Several security incidents and downtime situations could have been avoided, or their scope limited, if institutions had deployed firewalls more widely.
2. Implement VLANs to limit access
When combined with a gateway, a VLAN is the perfect complement because it limits the access from the gateway to a well-defined subnet. For example, one could configure the VLAN to make sure the CT or MR service engineers access only the equipment they should have access to. The same applies for any other vendor. In addition, with proper internal configuration, one can restrict certain devices to only have access to sub-domains using VLAN technology. Most of our respondents confirmed they were using this technology; however, it is not universally implemented at each institution.
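An added example, not part of the original article: a short Python audit that checks observed network flows against the kind of segmentation described in recommendations 1 and 2 (service engineers reach only their own equipment; RIS and PACS talk only through explicitly allowed ports). The zone names, subnets, ports and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption): one subnet per VLAN or gateway pool.
ZONES = {
    "ct_service": ipaddress.ip_network("10.10.50.0/28"),   # gateway pool, CT vendor
    "mr_service": ipaddress.ip_network("10.10.50.16/28"),  # gateway pool, MR vendor
    "ct":   ipaddress.ip_network("10.10.20.0/24"),
    "mr":   ipaddress.ip_network("10.10.21.0/24"),
    "pacs": ipaddress.ip_network("10.10.30.0/24"),
    "ris":  ipaddress.ip_network("10.10.40.0/24"),
}

# Allowed (source zone, destination zone, destination port). Ports are
# assumptions: 22 for service access, 104 for DICOM, 2575 for HL7.
ALLOWED = {
    ("ct_service", "ct", 22),
    ("mr_service", "mr", 22),
    ("ct", "pacs", 104),
    ("mr", "pacs", 104),
    ("ris", "pacs", 2575),
}

def zone_of(addr):
    """Map an IP address to its zone name, or 'unknown' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def audit(flows):
    """Return (src_zone, dst_zone, port) for every cross-zone flow with no allow rule."""
    violations = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "unknown":
            continue  # traffic inside one VLAN does not cross the internal firewall
        if (sz, dz, port) not in ALLOWED:
            violations.append((sz, dz, port))
    return violations

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.50.3", "10.10.20.15", 22),    # CT engineer to CT scanner: allowed
    ("10.10.50.3", "10.10.21.7", 22),     # CT engineer to MR scanner: violation
    ("10.10.20.15", "10.10.30.5", 104),   # CT to PACS over DICOM: allowed
    ("10.10.40.9", "10.10.30.5", 445),    # RIS to PACS file sharing: violation
    ("10.10.30.5", "10.10.30.6", 445),    # inside the PACS VLAN: skipped
    ("192.168.1.77", "10.10.30.5", 104),  # unplanned laptop to PACS: violation
]
```

Run `audit()` over flow records exported from the internal firewall or switch to list traffic that the segmentation plan does not account for.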
3. Make sure your virus scanner is installed and up to date
Virus protection is somewhat difficult because most commercial virus protection products do not always do a good job with dedicated and specialized medical imaging equipment. From personal experience, my laptop slows considerably after I've installed a virus scanner for all incoming and outgoing files. Also, it does not make sense to scan every image that leaves or enters a medical device. There have been stories about images being quarantined because they fit certain patterns of a particular virus, and the performance loss for scanning these files is often unacceptable. Therefore, deploy virus scanners, but work closely with the vendor to make sure they are configured correctly and have been validated by the vendor as having no negative impact on the device.
4. Force a service provider to use your gateway
The National Electrical Manufacturers Association (NEMA), in cooperation with several other international standards organizations, generated a proposal [1] which specifies using a single gateway for remote service access as an entry point for hospital networks. Based on our survey, 70 percent of participants implement a gateway. However, it appears that they allow vendors to install their own gateways rather than controlling the access themselves: only 30 percent of vendors in the survey are able to integrate their gateway with the hospital's gateway. Many vendors have indicated that installing their own gateways is a matter of preference. Imagine having four different vendors in a department. The institution is responsible for checking the audit trails on these devices, especially if images and/or other clinical data are accessed or retrieved. From both cost and management perspectives (one way or another, the institution pays for these devices), a single device makes much more sense.
5. Use the proper VPN configuration
Our survey showed that every hospital supports VPN for remote access, although