Cybersecurity and Your Images: Taking Safety Beyond Passwords and Home-Grown Protections
By Whitney J. Palmer
As the price tag of cyberattacks on healthcare continues to rise, radiology looks to bolster its defenses.
Imagine being several hours into your shift, focusing on a particularly heavy, time-sensitive case load. Perhaps you’re searching for a pneumothorax, or maybe you’re examining an intracranial bleed, trying to meet a requested turn-around time. Suddenly, your system freezes. You can’t access images, and you can’t write reports. Your reading room has gone dark in a frightening way. You and your facility are victims of a cyberattack.
Whether your facility has fallen victim, fended off an attempt, or been left unscathed, chances are you’re familiar with the ever-growing threat of widespread digital warfare throughout the healthcare industry. And, as medicine’s most data-rich, technology-driven specialty, radiology must be particularly careful to safeguard its tools and patient information. “Not a week goes by that you don’t hear about a hospital system that’s been impacted by a malicious software attack,” said James Whitfill, M.D., chief transformation officer and vice president of Honor Health and clinical associate professor of internal medicine and bioinformatics at the University of Arizona College of Medicine. “Our radiology departments and practices, in general, need to have a heightened sense of awareness.”
How Big is the Problem?
According to security firm RedTeam Security, healthcare is the second-most targeted industry for cyberattacks. Overwhelmingly, these attempts seek patient information for sale. According to Black Book Research, in 2019 alone, healthcare data breaches cost more than $4 billion. For radiologists, these cyberattacks mean a significant loss of workflow and work product, said Suresh Narayan, director for service life cycle and install base with Canon Medical Systems.
“When attacks hit an imaging device, the device shuts down,” he said. “So, the radiologist loses their image, and it takes time and effort and a principled way of figuring out how to restore the services of the imaging device.”
But the dangers of cyberattacks are also expanding, said Andreas Ehrlund, product manager for cross-enterprise solutions and senior security architect at Sectra Imaging IT Solutions, and the coming wave of activity could be even more damaging. “The next horizon is integrity attacks – those that slowly introduce errors into a system instead of shutting it down,” he said. “This type of attack could change blood types for groups of patients, jumble around reports, and introduce lesions into medical images that would cause not only distrust of the data that doctors work with and a huge problem in providing healthcare, but it would also cause distrust in a government’s ability to protect its healthcare system.”
Consequently, it’s critical for radiology to do its part in safeguarding patient information. Knowing the threats and identifying your weak points is vital, and selecting a strong cybersecurity solution is fundamental.
Existing and Potential Threats
Currently, several issues pose an immediate threat to radiology’s cybersecurity, and one more has so far been demonstrated only in the lab. Understanding what could happen can play a significant role in picking an effective cybersecurity solution.

Ransomware: Currently, these attacks are the most common. After infiltrating your system, an attacker encrypts your data, eventually grinding your equipment and programs to a halt, and unless you pay a fee – a ransom – your system remains locked. Typically, Whitfill said, it takes roughly 10 days to reclaim your functionality, and only about 92 percent of data is recovered on average.

Unprotected DICOM Archives: Within radiology, there is growing awareness of the significant number of unprotected DICOM archives that are openly reachable from the Internet. These files are sitting ducks, Whitfill said, and the specialty has an obligation to protect the data.
“This is a uniquely radiology-related issue. That’s patient-health information, and people might try to sell it on the black market,” he warned. “They might not care specifically about the images, but the potential identity theft from that medical information creates a market that we need to be worried about.”
Radiation Dosing: Though most attention has been given to the security of wearable and implanted medical devices, such as insulin pumps, dangers also exist for radiation-dosing devices, such as CT scanners, Whitfill said. In many cases these products have between five and 10 software components running, and they frequently aren’t patched or updated on a regular basis, potentially putting every patient imaged on a compromised machine at risk.
“If a CT scanner or any other radiation-emitting device is compromised, at least, in theory, someone could change the dose. And, that’s frightening,” he said. “From a radiologist and industry perspective, we must make sure our radiation-dosing devices are protected or they could deliver a dose that could be lethal.”

Image Alteration: This threat has only been produced in the lab so far, but the fact that it’s possible reveals a significant vulnerability that can harm patient care. Last summer, researchers in Israel successfully changed images captured on a CT scanner before they were uploaded into a PACS system. Their demonstration relied on intercepting the unencrypted, unauthenticated DICOM traffic between the scanner and the PACS, so encrypting and authenticating that link (DICOM supports TLS for this) removes the path the researchers used. Manipulating an image before it is reviewed could fundamentally change any radiologist-rendered diagnosis and proposed treatment.
“With this type of attack, someone can intercept a CT scan from a normal person and introduce things like lung cancer tumors, prompting the radiologist to determine the patient has widespread disease,” Whitfill said. “Or, you could do the opposite, removing evidence of the tumors, in essence preventing the patient from receiving critical medical care.”
As these cybersecurity threats continue to evolve, it’s imperative that you examine your facility or department for areas of weakness that could serve as entry points for an attack, Ehrlund said. Unfortunately, the root of these problems largely stems from a source you can’t control with a technological solution – people.
Over-taxed IT: Historically, healthcare environments, including radiology departments, have trusted their digital security to an in-house IT department staffed with employees who they know and who are well acquainted with how the systems and modalities work together. But, with mergers and acquisitions making multi-site health systems more commonplace, relying on the same group of people no longer offers you the same level of protection.
IT departments are largely understaffed, Ehrlund said, making it harder for them to keep all equipment and software up-to-date. Ensuring the connectivity and security of multiple modalities spread across several facilities can be an overwhelming task.
“Hospital IT systems are integrating to a much larger degree than before, and interoperability is huge,” Ehrlund said. “It’s hard to take care of the system. It’s too much pressure for Bob in the basement. He can’t handle it – it’s not humanly possible. That provides a very nice target for a cybercriminal who wants an easy and quick payout.”
Phishing and Spoofing: Fake emails and websites that steal usernames and passwords are known entities, but organizations still struggle to help staff avoid the pitfalls, Ehrlund said. A healthcare system that has done a good job of training employees will still see roughly a 10-percent click rate on a phishing email, and an organization with excellent training will likely see 2 to 5 percent.
“An attacker only needs one sucker,” he said. “There has to be an in-depth conversation about security and how you can side-step problems. You can’t just put a ring wall around a system and expect it to be strong in the future.”
Whitfill agreed, suggesting facilities and departments regularly test their employees to see how many are clicking on links that open the door to a cyberattack. After these tests, he cautioned, employees should be educated on better digital hygiene rather than punished for their mistakes.
To help radiology departments and practices maximize their cybersecurity efforts, Canon and Sectra are among the industry vendors offering product solutions. Canon’s Gateway Platinum, launched during RSNA in November, is an optional service available to customers on top of their existing modality contract. It provides cybersecurity through a three-pronged approach and requires no training for the end user responsible for collecting and processing diagnostic images.
First, a Barracuda NextGen Firewall sits in front of the imaging device, isolating it from the rest of the hospital network. Beyond blocking infiltration attempts such as ransomware or a denial-of-service attack, Narayan said, the firewall can identify the type of threat before reporting it. Security data is continuously sent to the healthcare system’s security personnel, and attack alerts notify both the health system and Canon Risk Management of the threat.
Second, Gateway Platinum includes InnerVision® Plus, a remote diagnostic solution that runs on Windows 10. This feature keeps the health system in constant contact with Canon’s service engineers, he explained, allowing them to work on problems remotely. For example, they can view the screen of a CT console and access files and images to determine the problem and identify how to fix it. Remote vendor access of this kind is also a pathway into the modality network, so it should be limited to the sessions that need it, logged, and held to the same access controls as any other privileged account.
Lastly, Narayan said, a permanent VPN connection with multi-factor authentication between the healthcare system and Canon encrypts all data transferred between them.
For Sectra, cybersecurity solutions focus on providing easy access to images while ensuring they’re not exposed on the Internet, Ehrlund said.
“In the earlier days of the Sectra workstation and zero footprint viewers, a lot of people wanted to expose things on the Internet. We said no,” he said. “It’s slowly turning out, years later, that we were right.”

Sectra’s PACS offers access and image sharing through a secure connection so you can reach out to colleagues to discuss scans, he said. In addition, the company has a third-party firm conduct regular penetration tests on its web-based viewer, Univiewer™, to validate its security. Training is included with the system so you and your staff can configure and use it in a way that preserves that security.

“We provide guidance to customers so their abilities to use the security products are on the same level of what the products are capable of doing,” he explained. “Otherwise, they’re more likely to fail. It can be the most secure product in the world, but if someone opens the wrong port on the customer side, things can go very badly.”
Picking the Right Security Vendor
Not every cybersecurity vendor will be the right fit for every organization. Identifying which one is best for you can require an intense interview and testing process, and doing so can be critical to future success and safety, said Christopher Roth, M.D., associate professor of radiology and director of imaging informatics strategy at Duke Health. “You need to know your partners – to know who you’re in bed with,” he said. “This can be something that’s easy to forget when you’re trying to find the right solution quickly. But, remember any problems can roll upstream.”
Roth presented on cybersecurity during the RSNA annual meeting in November.
To help in this endeavor, last fall the Medical Imaging and Technology Alliance published the 2019 revision of its Manufacturer Disclosure Statement for Medical Device Security, the MDS2, which gives healthcare organizations a standard way to ask manufacturers about a device’s cybersecurity features. The MDS2 can be very helpful, but it is the Request for Proposal (RFP) that lets you ask your own questions, Ehrlund added. In recent years, customer inquiries about cybersecurity – whether specific to a piece of equipment or about a holistic solution – have increased. “It’s really important to poke vendors in the ribs and really ask the difficult questions,” Ehrlund said. “You don’t need to ask a huge number of questions, but you need hard-hitting ones that will put vendors on the edge of their seats – ones where their answers will let you know whether they know what they’re talking about.”
In fact, in a white paper, he outlined seven questions that can help practices and hospitals determine which potential cybersecurity provider is best able to protect not only patient data, but employee information as well. For facilities searching for the right vendor partner, he suggested posing these questions:
- Is the application, particularly those facing public networks, penetration tested by accredited third-party firms?
- Is the vendor willing to share the results of those penetration tests? (Anticipate being asked to sign a non-disclosure agreement.)
- Is the application capable of PKI-based authentication? (This can be important during application integrations, such as URL launch integration.)
- Does the vendor regularly conduct its own internal security reviews, assessments, or penetration tests?
- Do any software components contain hard-coded passwords or other credentials?
- Is the vendor amenable to allowing customers to penetration test products, systems, or services?
- Does the vendor provide regular product security patches?
Overall, successfully defending your practice or department from a cyberattack will require a collaborative partnership between not only your clinical providers but also your business and IT leaders, Whitfill said. You must work together to find solutions that are effective and practical – ones that fulfill security needs without hampering your ability to provide clinical care. And it’s paramount for providers to embrace cybersecurity measures and tools rather than view them as just one more compliance requirement.
“We are moving away from the era where cybersecurity is a compliance issue. We have to be worried about our patients’ health,” he said. “The only way we’re going to combat this problem is with a combined, mutually-supportive partnership of all vested parties.”

At the end of the day, Roth said, cybersecurity will continue to be a consistent and growing priority for radiology practices and departments no matter how big or small. Always be preemptive and take threats seriously. “Never think it can’t happen to you. Be careful where you click, only browse and work on devices you trust, and back up all your data,” he advised. “Be skeptical of requests for sensitive information, monitor your systems for sketchy activity. Update your software early, have a firewall, and encrypt everything.”