National Cybersecurity Center of Excellence (NCCoE) Securing Picture Archiving and Communication System (PACS) Cybersecurity for the Healthcare Sector, 21272-21274 [2018-09897]
Federal Register / Vol. 83, No. 90 / Wednesday, May 9, 2018 / Notices
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 180319295–8295–01]
National Cybersecurity Center of Excellence (NCCoE) Securing Picture Archiving and Communication System (PACS) Cybersecurity for the Healthcare Sector
AGENCY: National Institute of Standards and Technology, Department of Commerce.
ACTION: Notice.
SUMMARY: The National Institute of Standards and Technology (NIST) invites organizations to provide products and technical expertise to support and demonstrate security platforms for the Securing Picture Archiving and Communication System (PACS) Cybersecurity for the healthcare sector. This notice is the initial step for the National Cybersecurity Center of Excellence (NCCoE) in collaborating with technology companies to address cybersecurity challenges identified under the healthcare sector program. Participation in the use case is open to all interested organizations.
DATES: Collaborative activities will commence as soon as enough completed and signed letters of interest have been returned to address all the necessary components and capabilities, but no earlier than June 8, 2018.
ADDRESSES: The NCCoE is located at 9700 Great Seneca Highway, Rockville, MD 20850. Letters of interest must be submitted to HIT_NCCOE@nist.gov or via hardcopy to National Institute of Standards and Technology, NCCoE, 9700 Great Seneca Highway, Rockville, MD 20850. Organizations whose letters of interest are accepted in accordance with the process set forth in the SUPPLEMENTARY INFORMATION section of this notice will be asked to sign a consortium Cooperative Research and Development Agreement (CRADA) with NIST. An NCCoE consortium CRADA template can be found at: https://nccoe.nist.gov/node/138.
FOR FURTHER INFORMATION CONTACT: Andrea Arbelaez via email to HIT_NCCOE@nist.gov; by telephone 301–975–0214; or by mail to National Institute of Standards and Technology, NCCoE, 9700 Great Seneca Highway, Rockville, MD 20850. Additional details about the healthcare sector program are available at https://nccoe.nist.gov/projects/use-cases/health-it/pacs.
SUPPLEMENTARY INFORMATION: Interested parties must contact NIST to request a letter of interest template to be completed and submitted to NIST. Letters of interest will be accepted on a first come, first served basis. When the use case has been completed, NIST will post a notice on the NCCoE healthcare sector program website at https://nccoe.nist.gov/projects/use-cases/health-it/pacs announcing the completion of the use case and informing the public that it will no longer accept letters of interest for this use case.
Background: The NCCoE, part of NIST, is a public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies. The NCCoE brings together experts from industry, government, and academia under one roof to develop practical, interoperable cybersecurity approaches that address the real-world needs of complex Information Technology (IT) systems. By accelerating dissemination and use of these integrated tools and technologies for protecting IT assets, the NCCoE will enhance trust in U.S. IT communications, data, and storage systems; reduce risk for companies and individuals using IT systems; and encourage development of innovative, job-creating cybersecurity products and services.
Process: NIST is soliciting responses from all sources of relevant security capabilities (see below) to enter into a Cooperative Research and Development Agreement (CRADA) to provide products and technical expertise to support and demonstrate security platforms for the Securing Picture Archiving and Communication System (PACS) Cybersecurity for the healthcare sector. The full use case can be viewed at: https://nccoe.nist.gov/projects/use-cases/health-it/pacs.
Interested parties should contact NIST using the information provided in the FOR FURTHER INFORMATION CONTACT section of this notice. NIST will then provide each interested party with a letter of interest template, which the party must complete, certify that it is accurate, and submit to NIST. NIST will contact interested parties if there are questions regarding the responsiveness of the letters of interest to the use case objective or requirements identified below. NIST will select participants who have submitted complete letters of interest on a first come, first served basis within each category of product components or capabilities listed below up to the number of participants in each category necessary to carry out this use case. However, there may be continuing opportunity to participate even after initial activity commences. Selected participants will be required to enter into a consortium CRADA with NIST (for reference, see ADDRESSES section above). NIST published a notice in the Federal Register on October 19, 2012 (77 FR 64314) inviting U.S. companies to enter into National Cybersecurity Excellence Partnerships (NCEPs) in furtherance of the NCCoE. For this demonstration project, NCEP partners will not be given priority for participation.
Use Case Objective
To provide guidance and a referenceable architecture for securing the Picture Archiving and Communication System (PACS) ecosystem in Healthcare Delivery Organizations (HDOs), and to include an example solution using existing, commercially and open-source available cybersecurity products.
A detailed description of the Securing Picture Archiving and Communication System (PACS) Cybersecurity for the healthcare sector is available at: https://nccoe.nist.gov/projects/use-cases/health-it/pacs.
Requirements: Each responding organization’s letter of interest should identify which security platform component(s) or capability(ies) it is offering. Letters of interest should not include company proprietary information, and all components and capabilities must be commercially available. Components are listed in section 2 of the Securing Picture Archiving and Communication System (PACS) Cybersecurity for the healthcare sector use case (for reference, please see the link in the PROCESS section above) and include, but are not limited to:
• PACS Servers, special applications (including web services), and workstations
• Vendor Neutral Archive (VNA)
• data storage
• modality or modality simulator
• radiology information system (RIS) or RIS simulator
• notification system
• Electronic Health Record (EHR)/Electronic Medical Record (EMR)
• load balancer
• managed service model and remote service connectivity
• certificate management
• authentication mechanism
• session management
• data encryption
• endpoint protection
  ○ encryption
  ○ malware/virus protection
  ○ Host Intrusion Prevention System (HIPS)/Host Intrusion Detection System (HIDS)
• logging, monitoring, security information and event management (SIEM)
• network infrastructure controls
• asset management
• web services
Each responding organization’s letter of interest should identify how their products address one or more of the following desired security characteristics in section 2 of the Securing Picture Archiving and Communication System (PACS) Cybersecurity for the healthcare sector use case (for reference, please see the link in the PROCESS section above):
The primary security functions and processes to be implemented for this project are listed below and are based on the NIST Cybersecurity Framework (CSF).
Identify (ID)
• Asset Management—includes identification of assets on network and management of the assets to be deployed to workstations
• Risk Assessment—includes risk management strategy
Protect (PR)
• Access Control—includes user account management, remote access
  ○ controlling (and auditing) user accounts
  ○ controlling (and auditing) access by external users
  ○ enforcing least privilege for all (internal and external) users
  ○ enforcing separation of duties policies
    ■ Privileged Access Management (PAM) with an emphasis on the segregation of duties
  ○ enforcing least functionality
• User Identification and Authentication
  ○ multifactor authentication for the system that aligns with the sensitive information and function that PACS performs; NIST-recommended algorithms; usability; impact on system performance; and raising the assurance profile, and higher NIST Special Publication (SP) 800–63–3 levels, bring a higher level of assurance
  ○ viable federated identity management
  ○ credential management
• Data Security—includes data confidentiality, integrity, and availability
  ○ securing and monitoring storage of data—includes data encryption (for data at rest)
    ■ access control on data
    ■ data-at-rest controls should implement some form of a data security manager that would allow for policy application to encrypted data, inclusive of access control policy
  ○ securing the distribution of data—includes data encryption (for data in transit) and data loss prevention mechanism
  ○ controls that promote data integrity
  ○ cryptographic modules validated as meeting NIST Federal Information Processing Standard (FIPS) 140–2 are preferred
  ○ physical security provided by an access controlled data center to host the PACS servers and storage
• Information Protection Processes and Procedures—includes data backup, endpoint protection for workstations
• Maintenance—local and remote maintenance
• Protective Technology—host-based intrusion prevention, solutions for malware (malicious code detection), audit logging, (automated) audit log review, and physical protection
• Communications and Network Security—communications and control networks are protected (e.g., firewall, network access control, network infrastructure controls)
  ○ Securing and monitoring connections with the Health Delivery Organization (HDO) ecosystem
    ■ Network segmentation
  ○ Securing and monitoring connections to and from external systems
Detect (DE)
• Anomalies and Events—analysis of detected events (from logs, monitoring results, SIEM)
  ○ Centralized mechanism to capture and analyze system and network events
• Security Continuous Monitoring—monitoring for unauthorized personnel, devices, software, connections
  ○ vulnerability management—includes vulnerability scanning and remediation
  ○ patch management
  ○ system configuration security settings
  ○ user account usage (local and remote) and user behavioral analytics
Respond (RS)
• Response Planning—response plan executed after an event, mitigation of security issues
Recover (RC)
• Recovery and Restoration—recovery and restoration activities executed after an event
  ○ business continuity and business resumption processes
    ■ In addition to restoration capability from archival media, the project should consider high availability and continuity for data storage. Implicitly, disk arrays used for image storage should have the capability to implement various Redundant Array of Independent Disks (RAID) configurations. RAID 0, 1, 5, 6, and 1+0 should be supported. Disk arrays should also be made available for cold or warm restore/failover capability. Other data storage solutions that provide the same (or better) reliability and durability are considered.
Responding organizations need to understand and, in their letters of interest, commit to provide:
1. Access for all participants’ project teams to component interfaces and the organization’s experts necessary to make functional connections among security platform components
2. Support for development and demonstration of the Securing Picture Archiving and Communication System (PACS) Cybersecurity for the healthcare sector use case in NCCoE facilities which will be conducted in a manner consistent with the following standards and guidance: FIPS 200, FIPS 201, SP 800–53 and FIPS 140–2, SP 800–30, SP 800–37, SP 800–39, SP 800–41, SP 800–52, SP 800–57, SP 800–63–3, SP 800–66, SP 800–77, SP 800–95, SP 800–144, SP 800–146, SP 800–171, SP 800–181, ISO 12052:2011 Health Informatics—Digital Imaging and Communication in Medicine (DICOM) including Workflow and Data Management, AAMI TIR57, ANSI/AAMI/IEC 80001–1:2010, IEC Technical Report 80001–2–1, IEC Technical Report 80001–2–2, Internet Engineering Task Force Request for Comments 4301, Food & Drug Administration (FDA) Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, FDA Postmarket Management of Cybersecurity in Medical Devices, FDA Guidance for Industry—Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software, FDA Guidance for Submission of Premarket Notifications for Medical Image Management Devices, FDA Medical Device Data Systems, Medical Image Storage Devices, Medical Image Communications Device, Department of Health & Human Services Office for Civil Rights Health Insurance Portability and Accountability Act Security Rule Crosswalk to NIST Cybersecurity Framework, Department of Homeland Security Attack Surface: Healthcare and Public Sector, Integrating the Healthcare Enterprise Radiology Technical Framework.
Additional details about the Securing Picture Archiving and Communication System (PACS) Cybersecurity for the healthcare sector use case are available at: https://nccoe.nist.gov/projects/use-cases/health-it/pacs.
NIST cannot guarantee that all of the products proposed by respondents will be used in the demonstration. Each prospective participant will be expected to work collaboratively with NIST staff and other project participants under the terms of the consortium CRADA in the development of the Securing Picture Archiving and Communication System (PACS) Cybersecurity for the healthcare sector capability. Prospective participants’ contribution to the collaborative effort will include assistance in establishing the necessary interface functionality, connection and set-up capabilities and procedures, demonstration harnesses, environmental and safety conditions for use, integrated platform user instructions, and demonstration plans and scripts necessary to demonstrate the desired capabilities. Each participant will train NIST personnel, as necessary, to operate its product in capability demonstrations to the healthcare community. Following successful demonstrations, NIST will publish a description of the security platform and its performance characteristics sufficient to permit other organizations to develop and deploy security platforms that meet the security objectives of the Securing Picture Archiving and Communication System (PACS) Cybersecurity for the healthcare sector use case. These descriptions will be public information.
Under the terms of the consortium CRADA, NIST will support development of interfaces among participants’ products by providing IT infrastructure, laboratory facilities, office facilities, collaboration facilities, and staff support to component composition, security platform documentation, and demonstration activities.
The dates of the demonstration of the Securing Picture Archiving and Communication System (PACS) Cybersecurity for the healthcare sector capability will be announced on the NCCoE website at least two weeks in advance at https://nccoe.nist.gov/. The expected outcome of the demonstration is to improve securing picture archiving and communications system (PACS) cybersecurity across an entire healthcare sector enterprise. Participating organizations will gain from the knowledge that their products are interoperable with other participants’ offerings.
For additional information on the NCCoE governance, business processes, and NCCoE operational structure, visit the NCCoE website https://nccoe.nist.gov/.
Kevin A. Kimball,
Chief of Staff.
[FR Doc. 2018–09897 Filed 5–8–18; 8:45 am]
BILLING CODE 3510–13–P
DEPARTMENT OF COMMERCE
National Oceanic and Atmospheric
Administration
Proposed Information Collection;
Comment Request; Observer
Programs’ Information That Can Be
Gathered Only Through Questions
National Oceanic and
Atmospheric Administration (NOAA),
Commerce.
ACTION: Notice.
AGENCY:
The Department of
Commerce, as part of its continuing
effort to reduce paperwork and
respondent burden, invites the general
public and other Federal agencies to
take this opportunity to comment on
proposed and/or continuing information
collections, as required by the
Paperwork Reduction Act of 1995.
DATES: Written comments must be
submitted on or before July 9, 2018.
ADDRESSES: Direct all written comments
to Jennifer Jessup, Departmental
Paperwork Clearance Officer,
Department of Commerce, Room 6616,
14th and Constitution Avenue NW,
Washington, DC 20230 (or via the
internet at pracomments@doc.gov).
SUMMARY:
E:\FR\FM\09MYN1.SGM
09MYN1
Agencies
[Federal Register Volume 83, Number 90 (Wednesday, May 9, 2018)]
[Notices]
[Pages 21272-21274]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-09897]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 180319295-8295-01]
National Cybersecurity Center of Excellence (NCCoE) Securing
Picture Archiving and Communication System (PACS) Cybersecurity for the
Healthcare Sector
AGENCY: National Institute of Standards and Technology, Department of
Commerce.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: The National Institute of Standards and Technology (NIST)
invites organizations to provide products and technical expertise to
support and demonstrate security platforms for the Securing Picture
Archiving and Communication System (PACS) Cybersecurity for the
healthcare sector. This notice is the initial step for the National
Cybersecurity Center of Excellence (NCCoE) in collaborating with
technology companies to address cybersecurity challenges identified
under the healthcare sector program. Participation in the use case is
open to all interested organizations.
DATES: Collaborative activities will commence as soon as enough
completed and signed letters of interest have been returned to address
all the necessary components and capabilities, but no earlier than June
8, 2018.
ADDRESSES: The NCCoE is located at 9700 Great Seneca Highway,
Rockville, MD 20850. Letters of interest must be submitted to
[email protected] or via hardcopy to National Institute of Standards
and Technology, NCCoE, 9700 Great Seneca Highway, Rockville, MD 20850.
Organizations whose letters of interest are accepted in accordance with
the process set forth in the SUPPLEMENTARY INFORMATION section of this
notice will be asked to sign a consortium Cooperative Research and
Development Agreement (CRADA) with NIST. An NCCoE consortium CRADA
template can be found at: https://nccoe.nist.gov/node/138.
FOR FURTHER INFORMATION CONTACT: Andrea Arbelaez via email to
[email protected]; by telephone 301-975-0214; or by mail to National
Institute of Standards and Technology, NCCoE, 9700 Great Seneca
Highway, Rockville, MD 20850. Additional details about the healthcare
sector program are available at https://nccoe.nist.gov/projects/use-cases/health-it/pacs.
SUPPLEMENTARY INFORMATION: Interested parties must contact NIST to
request a letter of interest template to be completed and submitted to
NIST. Letters of interest will be accepted on a first come, first
served basis. When the use case has been completed, NIST will post a
notice on the NCCoE healthcare sector program website at https://nccoe.nist.gov/projects/use-cases/health-it/pacs announcing the
completion of the use case and informing the public that it will no
longer accept letters of interest for this use case.
Background: The NCCoE, part of NIST, is a public-private
collaboration for accelerating the widespread adoption of integrated
cybersecurity tools and technologies. The NCCoE brings together experts
from industry, government, and academia under one roof to develop
practical, interoperable cybersecurity approaches that address the
real-world needs of complex Information Technology (IT) systems. By
accelerating dissemination and use of these integrated tools and
technologies for protecting IT assets, the NCCoE will enhance trust in
U.S. IT communications, data, and storage systems; reduce risk for
companies and individuals using IT systems; and encourage development
of innovative, job-creating cybersecurity products and services.
Process: NIST is soliciting responses from all sources of relevant
security capabilities (see below) to enter into a Cooperative Research
and Development Agreement (CRADA) to provide products and technical
expertise to support and demonstrate security platforms for the
Securing Picture Archiving and Communication System (PACS)
Cybersecurity for the healthcare sector. The full use case can be
viewed at: https://nccoe.nist.gov/projects/use-cases/health-it/pacs.
[[Page 21273]]
Interested parties should contact NIST using the information
provided in the FOR FURTHER INFORMATION CONTACT section of this notice.
NIST will then provide each interested party with a letter of interest
template, which the party must complete, certify that it is accurate,
and submit to NIST. NIST will contact interested parties if there are
questions regarding the responsiveness of the letters of interest to
the use case objective or requirements identified below. NIST will
select participants who have submitted complete letters of interest on
a first come, first served basis within each category of product
components or capabilities listed below up to the number of
participants in each category necessary to carry out this use case.
However, there may be continuing opportunity to participate even after
initial activity commences. Selected participants will be required to
enter into a consortium CRADA with NIST (for reference, see ADDRESSES
section above). NIST published a notice in the Federal Register on
October 19, 2012 (77 FR 64314) inviting U.S. companies to enter into
National Cybersecurity Excellence Partnerships (NCEPs) in furtherance
of the NCCoE. For this demonstration project, NCEP partners will not be
given priority for participation.
Use Case Objective
To provide guidance and a referenceable architecture for securing
the Picture Archiving and Communication System (PACS) ecosystem in
Healthcare Delivery Organizations (HDOs), and to include an example
solution using existing, commercially and open-source available
cybersecurity products.
A detailed description of the Securing Picture Archiving and
Communication System (PACS) Cybersecurity for the healthcare sector is
available at: https://nccoe.nist.gov/projects/use-cases/health-it/pacs.
Requirements: Each responding organization's letter of interest
should identify which security platform component(s) or capability(ies)
it is offering. Letters of interest should not include company
proprietary information, and all components and capabilities must be
commercially available. Components are listed in section 2 of the
Securing Picture Archiving and Communication System (PACS)
Cybersecurity for the healthcare sector use case (for reference, please
see the link in the PROCESS section above) and include, but are not
limited to:
PACS Servers, special applications (including web services),
and workstations
Vendor Neutral Archive (VNA)
data storage
modality or modality simulator
radiology information system (RIS) or RIS simulator
notification system
Electronic Health Record (EHR)/Electronic Medical Record (EMR)
load balancer
managed service model and remote service connectivity
certificate management
authentication mechanism
session management
data encryption
endpoint protection
[cir] encryption
[cir] malware/virus protection
[cir] Host Intrusion Prevention System (HIPS)/Host Intrusion
Detection System (HIDS)
logging, monitoring, security information and event management
(SIEM)
network infrastructure controls
asset management
web services
Each responding organization's letter of interest should identify
how their products address one or more of the following desired
security characteristics in section 2 of the Securing Picture Archiving
and Communication System (PACS) Cybersecurity for the healthcare sector
use case (for reference, please see the link in the PROCESS section
above):
The primary security functions and processes to be implemented for
this project are listed below and are based on the NIST Cybersecurity
Framework (CSF).
Identify (ID)
Asset Management--includes identification of assets on network
and management of the assets to be deployed to workstations
Risk Assessment--includes risk management strategy
Protect (PR)
Access Control--includes user account management, remote
access
[cir] controlling (and auditing) user accounts
[cir] controlling (and auditing) access by external users
[cir] enforcing least privilege for all (internal and external)
users
[cir] enforcing separation of duties policies
[ssquf] Privileged Access Management (PAM) with an emphasis on the
segregation of duties
[cir] enforcing least functionality
User Identification and Authentication
[cir] multifactor authentication for the system that aligns with
the sensitive information and function that PACS performs; NIST-
recommended algorithms; usability; impact on system performance; and
raising the assurance profile, and higher NIST Special Publication (SP)
800-63-3 levels, bring a higher level of assurance
[cir] viable federated identity management
[cir] credential management
Data Security--includes data confidentiality, integrity, and
availability
[cir] securing and monitoring storage of data--includes data
encryption (for data at rest)
[ssquf] access control on data
[ssquf] data-at-rest controls should implement some form of a data
security manager that would allow for policy application to encrypted
data, inclusive of access control policy
[cir] securing the distribution of data--includes data encryption
(for data in transit) and data loss prevention mechanism
[cir] controls that promote data integrity
[cir] cryptographic modules validated as meeting NIST Federal
Information Processing Standard (FIPS) 140-2 are preferred
[cir] physical security provided by an access controlled data
center to host the PACS servers and storage
Information Protection Processes and Procedures--includes data
backup, endpoint protection for workstations
Maintenance--local and remote maintenance
Protective Technology--host-based intrusion prevention,
solutions for malware (malicious code detection), audit logging,
(automated) audit log review, and physical protection
Communications and Network Security--communications and
control networks are protected (e.g., firewall, network access control,
network infrastructure controls)
[cir] Securing and monitoring connections with the Health Delivery
Organization (HDO) ecosystem
[ssquf] Network segmentation
[cir] Securing and monitoring connections to and from external
systems
Detect (DE)
Anomalies and Events--analysis of detected events (from logs,
monitoring results, SIEM)
[cir] Centralized mechanism to capture and analyze system and
network events
[[Page 21274]]
Security Continuous Monitoring--monitoring for unauthorized
personnel, devices, software, connections
[cir] vulnerability management--includes vulnerability scanning and
remediation
[cir] patch management
[cir] system configuration security settings
[cir] user account usage (local and remote) and user behavioral
analytics
Respond (RS)
Response Planning--response plan executed after an event,
mitigation of security issues
Recover (RC)
Recovery and Restoration--recovery and restoration activities
executed after an event
[cir] business continuity and business resumption processes
[ssquf] In addition to restoration capability from archival media,
the project should consider high availability and continuity for data
storage. Implicitly, disk arrays used for image storage should have the
capability to implement various Redundant Array of Independent Disks
(RAID) configurations. RAID 0, 1, 5, 6, and 1+0 should be supported.
Disk arrays should also be made available for cold or warm restore/
failover capability. Other data storage solutions that provide the same
(or better) reliability and durability are considered.
Responding organizations need to understand and, in their letters
of interest, commit to provide:
1. Access for all participants' project teams to component
interfaces and the organization's experts necessary to make functional
connections among security platform components
2. Support for development and demonstration of the Securing
Picture Archiving and Communication System (PACS) Cybersecurity for the
healthcare sector use case in NCCoE facilities, conducted in a manner
consistent with the following standards and guidance: FIPS
200, FIPS 201, SP 800-53 and FIPS 140-2, SP 800-30, SP 800-37, SP 800-
39, SP 800-41, SP 800-52, SP 800-57, SP 800-63-3, SP 800-66, SP 800-77,
SP 800-95, SP 800-144, SP 800-146, SP 800-171, SP 800-181, ISO
12052:2011 Health Informatics--Digital Imaging and Communication in
Medicine (DICOM) including Workflow and Data Management, AAMI TIR57,
ANSI/AAMI/IEC 80001-1:2010, IEC Technical Report 80001-2-1, IEC
Technical Report 80001-2-2, Internet Engineering Task Force Request for
Comments 4301, Food & Drug Administration (FDA) Content of Premarket
Submissions for Management of Cybersecurity in Medical Devices, FDA
Postmarket Management of Cybersecurity in Medical Devices, FDA Guidance
for Industry--Cybersecurity for Networked Medical Devices Containing
Off-the-Shelf Software, FDA Guidance for Submission of Premarket
Notifications for Medical Image Management Devices, FDA Medical Device
Data Systems, Medical Image Storage Devices, and Medical Image
Communications Devices, Department of Health & Human Services Office for
Civil Rights Health Insurance Portability and Accountability Act
Security Rule Crosswalk to NIST Cybersecurity Framework, Department of
Homeland Security Attack Surface: Healthcare and Public Sector,
Integrating the Healthcare Enterprise Radiology Technical Framework.
Additional details about the Securing Picture Archiving and
Communication System (PACS) Cybersecurity for the healthcare sector use
case are available at: https://nccoe.nist.gov/projects/use-cases/health-it/pacs.
NIST cannot guarantee that all of the products proposed by
respondents will be used in the demonstration. Each prospective
participant will be expected to work collaboratively with NIST staff
and other project participants under the terms of the consortium CRADA
in the development of the Securing Picture Archiving and Communication
System (PACS) Cybersecurity for the healthcare sector capability.
Prospective participants' contribution to the collaborative effort will
include assistance in establishing the necessary interface
functionality, connection and set-up capabilities and procedures,
demonstration harnesses, environmental and safety conditions for use,
integrated platform user instructions, and demonstration plans and
scripts necessary to demonstrate the desired capabilities. Each
participant will train NIST personnel, as necessary, to operate its
product in capability demonstrations to the healthcare community.
Following successful demonstrations, NIST will publish a description of
the security platform and its performance characteristics sufficient to
permit other organizations to develop and deploy security platforms
that meet the security objectives of the Securing Picture Archiving and
Communication System (PACS) Cybersecurity for the healthcare sector use
case. These descriptions will be public information.
Under the terms of the consortium CRADA, NIST will support
development of interfaces among participants' products by providing IT
infrastructure, laboratory facilities, office facilities, collaboration
facilities, and staff support to component composition, security
platform documentation, and demonstration activities.
The dates of the demonstration of the Securing Picture Archiving
and Communication System (PACS) Cybersecurity for the healthcare sector
capability will be announced on the NCCoE website at least two weeks in
advance at https://nccoe.nist.gov/. The expected outcome of the
demonstration is to improve the security of picture archiving and
communication systems (PACS) across an entire healthcare sector
enterprise. Participating organizations will gain from the
knowledge that their products are interoperable with other
participants' offerings.
For additional information on the NCCoE governance, business
processes, and NCCoE operational structure, visit the NCCoE website
https://nccoe.nist.gov/.
Kevin A. Kimball,
Chief of Staff.
[FR Doc. 2018-09897 Filed 5-8-18; 8:45 am]
BILLING CODE 3510-13-P