Other Free Encyclopedias » Online Encyclopedia » Encyclopedia - Featured Articles » Contributed Topics from F-J

Information Security Management in Picture Archiving and Communication Systems for the Healthcare Industry - INTRODUCTION, BACKGROUND, MAIN FOCUS OF THE ARTICLE

pacs bs7799 hospital business

Carrison KS Tong
Pamela Youde Nethersole Eastern Hospital and Tseung Kwan O Hospital, Hong Kong

Eric TT Wong
The Hong Kong Polytechnic University, Hong Kong


Like other information systems in banking and commercial companies, information security is also an important issue in the healthcare industry. It is a common problem to have security incidences in an information system. Such security incidences include physical attacks, viruses, intrusions, and hacking. For instance, in the U.S.A., more than 10 million security incidences occurred in the year of 2003. The total loss was over $2 billion. In the healthcare industry, damages caused by security incidences could not be measured only by monetary cost. The trouble with inaccurate information in healthcare systems is that it is possible that someone might believe it and do something that might damage the patient. In a security event in which an unauthorized modification to the drug regime system at Arrowe Park Hospital proved to be a deliberate modification, the perpetrator received a jail sentence under the Computer Misuse Act of 1990. In another security event (The Institute of Physics and Engineering in Medicine, 2003), six patients received severe overdoses of radiation while being treated for cancer on a computerized medical linear accelerator between June 1985 and January 1987. Owing to the misuse of untested software in the control, the patients received radiation doses of about 25,000 rads while the normal therapeutic dose is 200 rads. Some of the patients reported immediate symptoms of burning and electric shock. Two died shortly afterward and others suffered scarring and permanent disability.

BS7799 is an information-security-management standard developed by the British Standards Institution (BSI) for an information-security-management system (ISMS). The first part of BS7799, which is the code of practice for information security, was later adopted by the International Organization for Standardization (ISO) as ISO17799. The second part of BS7799 states the specification for ISMS. The picture-archiving and -communication system (PACS; Huang, 2004) is a clinical information system tailored for the management of radiological and other medical images for patient care in hospitals and clinics. It was the first time in the world to implement both standards to a clinical information system for the improvement of data security.


Information security is the prevention of, and recovery from, unauthorized or undesirable destruction, modification, disclosure, or use of information and information resources, whether accidental or intentional. A more proactive definition is the preservation of the confidentiality, integrity, and availability (CIA) of information and information resources. Confidentiality means that the information should only be disclosed to a selected group, either because of its sensitivity or its technical nature . Information integrity is defined as the assurance that the information used in making business decisions is created and maintained with appropriate controls to ensure that the information is correct, auditable, and reproducible. As far as information availability is concerned, information is said to be available when employees who are authorized access, and whose jobs require access, to the information can do so in a cost-effective manner that does not jeopardize the value of the information. Also, information must be consistently available to conduct business smoothly. Business-continuity planning (BCP) includes provisions for assuring the availability of the key resources (information, people, physical assets, tools, etc.) necessary to support the business function.

The origin of ISO17799/BS7799 goes back to the days of the UK Department of Trade and Industry’s (DTI) Commercial Computer Security Centre (CCSC). Founded in May 1987, the CCSC had two major tasks. The first was to help vendors of IT security products by establishing a set of internationally recognised security-evaluation criteria and an associated evaluation and certification scheme. This ultimately gave rise to the information technology security-evaluation criteria (ITSEC) and the establishment of the UK ITSEC scheme. The second task was to help users by producing a code of good security practices and resulted in the Users Code of Practice that was published in 1989. This was further developed by the National Computing Centre (NCC) and later a consortium of users, primarily drawn from British industry, to ensure that the code was both meaningful and practical from a user’s point of view. The final result was first published as the British Standards guidance document PD 0003, A Code of Practice for Information Security Management , and following a period of further public consultation, it was recast as British Standard BS7799: 1995. A second part, BS7799-2: 1998, was added in February 1998. Following an extensive revision and public consultation period in 1997, the first revision of the standard, BS7799: 1999, was published in April 1999. Part 1 of the standard was proposed as an ISO standard via the “fast track” mechanism in October 1999, and then published with minor amendments as ISO/IEC 17799: 2000 on December 1, 2000. BS7799-2: 2002 was officially launched on September 5, 2002.

PACS is a filmless (Dreyer, Mehta, & Thrall, 2001) and computerized method of communicating and storing medical image data such as computed radiographic (CR), digital radiographic (DR), computed tomographic (CT), ultrasound (US), fluoroscopic (RF), magnetic resonance (MRI), and other special X-ray (XA) images. A PACS consists of image and data acquisition and storage, and display stations integrated by various digital networks. Full PACS handles images from various modalities. Small-scale systems that handle images from a single modality (usually connected to a single acquisition device) are sometimes called mini-PACS .

The medical images are stored in an independent format. The most common format for image storage is DICOM (Digital Imaging and Communications in Medicine), developed by the American College of Radiology and the National Electrical Manufacturers’ Association.

Tseung Kwan O Hospital (TKOH) is a newly built general acute hospital (built in 1999) with 458 in-patient beds and 140 day beds. The hospital is composed of several clinical departments including medicine; surgery; paediatrics and adolescent medicine; eye, ear, nose, and throat; accident and emergency, and radiology. A PACS was built in its radiology department in 1999. The PACS was connected with the CR, CT, US, RF, DSA (Digital Subtraction Angiogram), and MRI system in the hospital. The hospital has become filmless since a major upgrade of the PACS in 2003.

An ISO17799/BS7799 ISMS was implemented in the TKOH PACS in 2003. During the implementation, a PACS security forum was established with the active participation of radiologists, radiographers, medical physicists, technicians, clinicians, and employees from the information technology department (ITD). After a BS7799 audit conducted in the beginning of 2004, the TKOH PACS was the world’s first system with the ISMS certification.

In this article, the practical experience of the ISO17799/BS7799 implementation and the quality-improvement process of such a clinical information system will be explained.


In TKOH, the PACS serves the whole hospital including all clinical departments. The implementation of ISO17799 and BS7799 was started with the establishment of an ISMS for the PACS at the beginning of 2003. For effective implementation of ISO17799 and BS7799 in general, four steps will be required.

  1. Define the scope of the ISMS in the PACS.
  2. Make a risk analysis of the PACS.
  3. Created plans as needed to ensure that the necessary improvements are implemented to move the PACS as a whole forward toward the BS7799 objective.
  4. Consider other methods of simplifying the above and achieving compliance with minimum effect.

Implementation of BS7799 Controls in the TKOH PACS Security Forum

A PACS security forum was established for the effective management of all PACS-related security issues in the hospital. The members of the forum were the hospital chief executive, radiologist, clinician, radiographers, medical physicists, technicians, and representatives from the information technology department. One of the major functions of the PACS security forum was to make the security policies for the management of the PACS (Peltier, 2001a). Regular review of the effectiveness of the management was also required.

Business-Continuity Plan

BCP (Calder & Watkins, 2003) is a plan that consists of a set of activities aimed at reducing the likelihood and limiting the impact of disaster events on critical business processes. By the practice of BCP, the impact and downtime of the hospital’s PACS system operation due to some change or failure in the company operation procedure is reduced. BCP is used to make sure that the critical part of the PACS system operation is not affected by a critical failure or disaster. The design of this BCP is based on the assumption that the largest disaster is a complete breakdown of the PACS room in the radiology department of TKOH. The wards, the specialist out-patient department (SOPD), and the imaging modalities should still all be functional.

During the design of a BCP, a business-impact analysis (BIA) of the PACS was studied. The BIA was a study of the vulnerabilities of the business flow of the PACS, and it is shown in the following business flowchart.

In the above flowchart, image data were acquired by the CR, DR, CT, US, RF, MRI, XA, and other (OT) imaging modalities such as a film digitizer. The acquired image data were centrally archived to the PACS server, which connected to a PACS broker for the verification of patient demographic data with the information from the Radiology Information System (RIS). In the PACS server, a storage-area network (SAN), a magneto-optical disk (MOD) jukebox, and a tape library were installed for short-term, long-term, and backup storage. The updated or verified image was redirected to the Web server cluster (Menasce & Almeida, 2001) for image distribution to the entire hospital including the emergency room (ER) and consultation room. The load-balancing switch was used for nonstop service of image distribution to the clinicians. A cluster of Cisco switches was installed and configured for automatic fail-over and firewall purposes. The switches connecting between the PACS network and hospital network were maintained by the information technology department ( A Practical Guide to IT Security for Everyone Working in Hospital Authority , 2004; Security Operations Handbook , 2004). A remote-access server was connected to the PACS for the remote service of the vendor.

Business-Impact Analysis

In the BIA (Peltier, 2001b), according to the PACS operation procedure, all potential risks and impacts were identified. The responsibilities of relevant teams or personnel were identified according to the business flow of the PACS. The critical risk(s), which may affect the business operation of the PACS, could be determined by performing a risk evaluation of the potential impact. One of the methods in the BIA was to consider the contribution of the possibility of risk occurrence for prioritization purposes. The result of the BIA is shown in the following table.

In table 1, the responsible person for each business subprocess was identified to be PACS team, radiologists, radiographers, clinicians, or the information technology department. The most critical subprocess in the TKOH PACS was associated with the Web servers. Once the critical subprocess was identified, the BCP could be designed for the system as shown in the following figure. A responsible person for the BCP was also assigned.

Disaster-Recovery Plan

Disaster-recovery planning (DRP; Toigo, 1996), as defined here, is the recovery of a system from a specific unplanned domain of disaster events such as natural disasters, or the complete destruction of the system. Following is the DRP for the TKOH PACS, which was also designed based on the result of the above BIA.

Recovery Time for the DRP

During disaster recovery, timing was also important both for the staff and the manager. The recovery times of some critical subprocesses are listed as in the following table.

Backup Plan

Backup copies of important PACS system files, patient information, essential system information, and software should be made and tested regularly.

Security and Security-Awareness Training

Training (education concerning the vulnerabilities of the health information in an entity’s possession and ways to ensure the protection of that information) includes all of the following implementation features.

  1. Awareness training for all personnel, including management personnel (in security awareness, including, but not limited to, password maintenance,
    incident reporting, and viruses and other forms of malicious software)
  2. Periodic security reminders (employees, agents, and contractors are made aware of security concerns on an ongoing basis)
  3. User education concerning virus protection (training relative to user awareness of the potential harm that can be caused by a virus, how to prevent the introduction of a virus to a computer system, and what to do if a virus is detected)
  4. User education in the importance of monitoring log-in success or failure and how to report discrepancies (training in the user’s responsibility to ensure the security of healthcare information)
  5. User education in password management (type of user training in the rules to be followed in creating and changing passwords and the need to keep them confidential)

Documentation and Documentation Control

Documentation and documentation control serve as a control on the document and data drafting, approval, distribution, amendment, obsolescence, and so forth to make sure all documents and data are secure and valid.

Standard and Legal Compliance

The purpose of standard and legal compliance (Hong Kong Personal Data Privacy Ordinance, 1995) was to avoid breaches of any criminal and civil law; statutory, regulatory, or contractual obligations; and any security requirements. Furthermore, the equipment compliance of the DICOM standard can improve the compatibility and upgradability of the system. Eventually, it can save costs and maintain data integrity.

Quality of PACS

In a filmless hospital, the PACS is a mission-critical system for lifesaving purposes. The quality of the PACS was an important issue. One method to measure the quality of a PACS was measuring the completeness of the system in terms of data confidentiality, integrity, and availability. A third-party audit such as the ISO17799/BS7799 certification audit could serve as written proof of the quality of a PACS.


Based on the experience in BS7799 implementation, the authors were of the view that more and more hospitals would consider similar healthcare applications of BS7799 to other safe-critical equipment and installations in Hong Kong.


ISO17799/BS7799 covers not only the confidentiality of the system, but also the integrity and availability of data. Practically, the latter is more important for the PACS. Furthermore, both standards can help to improve not only the security, but also the quality of a PACS because, to ensure the continuation of the certification, a security forum has to be established and needs to meet regularly to review and improve on existing processes.


User Comments

Your email address will be altered so spam harvesting bots can't read it easily.
Hide my email completely instead?

Cancel or

Vote down Vote up

over 5 years ago