CLEVELAND - When is the right time to start thinking about a PACS security strategy? According to Samuel Dwyer, Ph.D., the planning should begin before the PACS is installed. But even when there's already an operational system in place, it’s not too late to produce a security schema, provided a few important factors have been considered.
Dwyer, a radiology professor from the University of Virginia Health System in Charlottesville, offered a PACS security blueprint to attendees of the Symposium for Computer Applications in Radiology on Friday. Dwyer advocated a methodology that calls for policies, procedures, assessments, and training to be utilized in creating and maintaining security, and stressed that the tools should be monitored and updated continuously.
One of the driving forces behind PACS security planning, of course, is the Health Insurance Portability and Accountability Act (HIPAA). The U.S. department of Health and Human Services has issued five sets of regulations that are of particular concern to PACS administrators. These are the Proposed Security and Electronics Signature Standards, Final Standards for Electronic Transactions, Final Standards for Privacy of Individually Identifiable Information, Proposed National Standard Health Care Provider Identification, and Proposed National Standard Employer Identifier regulations.
Each of these regulations calls for a healthcare institution to implement and maintain electronic security measures. But just how attractive is a PACS to an electronic intruder?
"I conducted an informal survey of 20 institutions, and asked the system administrators at each if they’d ever been hacked. Every single one of them had had some form of outside intrusion on their network. In one case, the entire CT unit was shut down for more than four hours due to an attack," Dwyer said.
The PACS administrator's first step in creating a security policy is to determine what needs to be protected. The list may include such items as equipment, patient information, radiological and treatment information, employee data, consulting reports, and the reputation of the institution, said Dwyer.
Other areas that should be examined are the value of the assets, vulnerability to intrusion, potential methods of intrusion, potential perpetrators of attacks, and prevention plans to protect the PACS from hack attacks. The answers to these questions will enable the administrator to create a specific security plan to address these concerns.
Once the administrator has assembled a list of assets, he or she should define the overall security objectives. The next step is to examine what measures the institution already has in place to support these objectives. Then the administrator should conduct a risk assessment of the PACS vulnerabilities and quantify these risks as to potential of occurrence. Finally, the administrator will want to craft a response plan if an intrusion or attack is detected.
Dwyer emphasized that PACS security planning and implementation require considerable and continuing effort on the part of administrators to keep the networks safe. He recommended a combination of hardware and software tools, such as firewalls, packet sniffers, and intrusion detection systems as part of an ongoing security policy.
"It won’t do you much good to know how people are likely to try to break into your network if you don’t have a way of knowing when an attack is taking place," he said.
By Jonathan S. BatchelorAuntMinnie.com staff writer
May 3, 2002
Related Reading
HIPAA to make challenging, costly demands on radiology, March 18, 2002
Disaster recovery in radiology, Part I: Protecting your images and information, January 17, 2002
A roadmap for implementing HIPAA in radiology, July 26, 2001
Copyright © 2002 AuntMinnie.com
