RSNA 2010 

Abstract Archives of the RSNA, 2010


Building an Information Security Management System in RIS/PACS-based Framework ISO/IEC 27001: RISK MATRIX

Scientific Informal (Poster) Presentations

Presented on December 2, 2010
Presented as part of LL-INS-TH: Informatics


Suranarong Kamtasila MEng, Presenter: Nothing to Disclose
Krongrat Kangwanklai BS, MS, Abstract Co-Author: Nothing to Disclose
Boriruk Sukhatungka BEng, Abstract Co-Author: Nothing to Disclose
Nirun Tungketmukda, Abstract Co-Author: Nothing to Disclose


With the predefined risk analysis framework and categories, remediation plan can be designed to mitigate, accept, or avoid risks. The goal is to meet security objectives and audit requirements. RIS/PACS is considered one of core business functions of hospitals that generate huge revenue so it is a direct responsibility of executives. RIS/PACS acquisition to fit hospitals’ need can be achieved with the right risk analysis result.


Key functions of RIS/PACS involve many components e.g., modalities, networking, etc. To ensure security measures are applied properly, right strategy for risk analysis and management must be in place. Risk management is considered a key element of ISO/IEC 27001, a standard for building up an Information Security Management System. Failing to address and manage risks may lead to failing to fulfill ISMS audit requirements. This paper outlines risk analysis matrix to conduct analysis and manage risks effectively. Confidentiality, Integrity, and Availability (CIA) are three security objectives we analyze againt. The scope is limited to Imaging Department’s work procedures.


For a business to achieve its goal in a secure manner, security objectives must be met. "C" is to ensure data is accessible only by authorized person. Privacy must be protected. "I" is to ensure data remains accurate and complete at all times. "A" is to ensure reliability and timely access. Business Continuity Plan helps business functions to run smoothly in the event of failure. Incident Response Plan defines detailed procedures to respond to incident and communication plan. The core business functions should be identified so priority helps to enforce security measures in the business context.


Risks to RIS/PACS can be classified into 5 areas: network penetration, malicious code, Teleradiology, uncontrolled media, and uncontrolled system acquisition and maintenance. For example, Modalities and PACS server are exposed to external network for online maintenance. This could be a weak link for malicious users to access other components. Proper network segregation, use of firewall, good backup can reduce the risk of having an intruder hack in and sabotage the system.

Cite This Abstract

Kamtasila, S, Kangwanklai, K, Sukhatungka, B, Tungketmukda, N, Building an Information Security Management System in RIS/PACS-based Framework ISO/IEC 27001: RISK MATRIX.  Radiological Society of North America 2010 Scientific Assembly and Annual Meeting, November 28 - December 3, 2010 ,Chicago IL.