Learn some tips about installing or upgrading to PKI in PACS

The Federal Government is pressing to modernize PACS with secure Public Key Infrastructure (PKI), the technology used to secure electronic transactions on the Internet. While PKI sounds complicated and expensive, it can be seamless, secure and cost effective.
Many legacy PACS suppliers offer various third party “upgrades” to meet HSPD-12 requirements. There is a caveat: many of the “upgrades” to date have only involved PIV Card Readers that are capable of supporting PKI in PACS. The latest guidance from OMB makes it clear that upgrades that do not properly implement HSPD-12 do not qualify for FISMA and will not meet the latest proposed GSA PKI in PACS purchasing requirements. However, when PKI is designed and integrated into a PACS from the ground up, PKI technology has been proven to be cost effective, secure and reliable.
Today, the Federal Government and much of critical infrastructure, including finance, defense, telecommunication and energy, are moving to strong authentication. It’s clear that a new PACS should employ trusted mechanisms. Unfortunately, while agencies are faced with compressed implementation deadlines, most legacy PACS vendors are moving slowly to meet the latest standards and guidance.
Here are three common questions and the answers:
Q: Is validating certificates cumbersome and will it affect my system performance?
A: By caching certificate status in the server and controllers per NIST 800-116, PACS performance is not impacted by the process of certificate validation. The validation process runs in the background as a service, the results are cached, and only small amounts of data are involved.
Q: I hear that doing a PKI challenge-response at the door will take a Reader 10 seconds or more?
A: Actually, with well-performing readers, it only takes about 1 to 1.5 seconds longer than a typical read of a CHUID from a PIV or CAC credential.
Q: How much will PKI increase the cost of my PACS?
A: As a core function within a PACS, the added cost is marginal because it is primarily a function of software (sending and storing more bits). Conversely, “bolting” on PKI functionality to a legacy system is expensive because third party providers must interface hardware and software solutions. This configuration usually introduces unnecessary complexity, often resulting in complications. 
HSPD-12 has proven to be a visionary mandate. It is clear that the marginal added cost to install a trusted system that performs strong authentication offers a tremendous value when compared against the risk of implementing a PACS that performs legacy type transactions using PIV credentials.
When considering a new PACS implementation, four considerations should be kept in focus:
  • BE SURE YOU ARE USING A MODERN PACS: Utilize only PACS software that is assured to be compatible with a software application capable of checking certificate status, whether against a Certificate Revocation List (CRL) or via OCSP (Online Certificate Status Protocol) or SCVP (Server-based Certificate Validation Protocol).
  • PREPARE TO VALIDATE CERTIFICATES:  As soon as you possibly can, begin capturing the PKI certificates from the credential at enrollment into the PACS. This will prevent a need to re-enroll card holders in the future when going live with the PKI solution.
  • BE FULLY INTEROPERABLE:  Confirm that all components in the PACS, including software, hardware, readers and especially the controllers are capable of processing at a minimum a 56-bit FASC-N (Federal Agency Smart Credential Number). If your agency plans on granting access to contractors who may be issued PIV-I credentials, your PACS should be capable of processing the 128-bit GUID (Global Unique IDentifier).  Make sure the system provider gives assurance that a full match of the credential number is made in the controller.
  • VERIFY PRIVATE KEYS:  Even if you do not implement PKI at the outset, be sure to purchase access readers (or controllers) that have the capability to perform a PKI challenge response to the certificate private key (“CAK”) on the PIV credential. For HIGH security areas, it is advisable to install readers capable of both contactless and contact operation with PIN or even Biometric capability.
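The following is an added example, not BridgePoint's or any vendor's code, showing how the three door-side checks described above fit together in a controller: an exact match on the full credential number, a decision taken only from the status the background validation service has already cached (as in the Q&A on NIST 800-116 caching), and a challenge-response proving the card holds the CAK private key. The credential number, the cache layout (`Revoked`, `CheckedAt`, `MaxAge`) and the P-256 key standing in for a card's CAK are all constructed assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Controller models a PACS controller holding what NIST 800-116-style caching leaves at the door.
type Controller struct {
	Enrolled  map[string]*ecdsa.PublicKey // FULL credential number (FASC-N/GUID) -> CAK public key
	Revoked   map[string]bool             // cached revocation result, written by the validation service
	CheckedAt map[string]time.Time        // when the background service last refreshed that result
	MaxAge    time.Duration               // cached status older than this is distrusted (fail closed)
}

// Authorize: full identifier match, fresh non-revoked cached status, then CAK challenge-response.
func (c *Controller) Authorize(credID string, nonce, sig []byte, now time.Time) error {
	pub, ok := c.Enrolled[credID] // exact map lookup: a truncated number will not match
	if !ok {
		return errors.New("credential number not enrolled (full match required)")
	}
	checked, ok := c.CheckedAt[credID] // cache only; the door never waits on a validation query
	if !ok || now.Sub(checked) > c.MaxAge || c.Revoked[credID] {
		return errors.New("certificate status missing, stale, or revoked")
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("challenge-response failed: card does not hold the CAK private key")
	}
	return nil
}
// CardSign stands in for the credential answering the reader's challenge with its CAK private key.
func CardSign(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}
// NewCAK generates a P-256 key pair standing in for a card's CAK (constructed for this example).
func NewCAK() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func main() { // stand-alone demo with a constructed credential number
	priv, _ := NewCAK()
	id := "FASC-N-demo-0001"
	c := &Controller{Enrolled: map[string]*ecdsa.PublicKey{id: &priv.PublicKey}, Revoked: map[string]bool{}, CheckedAt: map[string]time.Time{id: time.Now()}, MaxAge: time.Hour}
	sig, _ := CardSign(priv, []byte("reader-nonce"))
	fmt.Println("access decision:", c.Authorize(id, []byte("reader-nonce"), sig, time.Now()))
}
```

A stale cache entry is rejected rather than triggering a live lookup, which is what keeps the door decision off the network path.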
BridgePoint provides the premier solutions for PKI in PACS. Contact us today.