Recognizing the dual challenges of fending off cyberattacks and meeting the increasing demand for faster access to medical imaging, these authors offer proactive insights to address potential cybersecurity issues in radiology departments and practices.
Today’s highly integrated health-care IT infrastructure is a remarkable result of ingenuity and innovation. In the span of only a couple of decades, the industry has moved from paper medical files to electronic health records. Scans and images that once took days to be developed and mailed to physicians are now transmitted in seconds, enabling consultations with experts across the globe and giving patients and physicians almost immediate access to diagnostic tests on their mobile phones.
For practitioners and technologists in the radiology field, it can be easy to forget just how miraculous these developments are or how profound the technologies are that make them possible. Whether it is 3D mammography scans, CT scans or MRIs, fast access to medical images is not only possible, but expected by patients and clinicians.
Indeed, we are living in a golden age in which radiologists are providing referring doctors with the ability to better diagnose patients’ afflictions, operate with greater precision, and develop more realistic treatment plans than ever before.
However, new opportunities bring new challenges. The highly integrated health-care IT systems we increasingly take for granted and the personal health-care data within them are the target not only of run-of-the-mill hackers, but also criminal syndicates with deep pockets and significant IT know-how.
Reconciling Patient and Provider Demand for Easy Access to Images with the Increasing Threat of Cyberattacks
The volume of cyberattacks is increasing. A 2022 study, “Trends in Ransomware Attacks on US Hospitals, Clinics and Other Health Care Delivery Organizations, 2016-2021,” found that the annual number of ransomware attacks on health care delivery organizations more than doubled between 2016 and 2021, and estimated that the protected health information of nearly 42 million patients, more than a tenth of the U.S. population, was exposed over that period.
Just as importantly, today’s cyberattacks are driven by financial motives. Because a health record bundles identifiers that cannot be reissued (date of birth, diagnoses, insurance and billing details), it is the most lucrative data to steal, selling for many times more than a payment card number or other personal data on the Dark Web.
No organization is immune to this reality and there is no “flying under the radar.” Any organization that possesses patient data is a viable target.
All of this is particularly pertinent to radiology departments and practices for a simple reason: patients increasingly demand fast access to medical images. This makes the images and the personal information they contain not only increasingly visible in physicians’ practices and hospitals’ EHR systems, but commonplace at the far edge of the network in patient portals, and ultimately on the smartphones of patients and physicians.
(Editor’s note: For related content, see “Cyberattacks: What Radiology IT Departments Must Do Now.”)
Still, there are ways to provide the fast access to images patients and referring physicians need while taking action to keep mission-critical IT systems and patient data safe. Here is a look at five top cybersecurity challenges and ways to overcome them.
Raising Awareness by Fostering a Defense-Oriented Mindset
Challenge 1: Awareness. Verizon’s “2022 Data Breach Investigations Report” found that in health care, external attackers now account for more breaches than insiders, whose exposures are most often accidental. Organizations that hold patient data are being deliberately targeted by cybercriminals, who will take other personal data if they cannot reach the medical records themselves.
In response, imaging departments are well-served to mimic the military. This includes creating a culture that is vigilant and trained to expect and mitigate threats. In other words, foster a defense-oriented mindset in which employees are not only made aware of the danger of cyber threats, but are also regularly and repeatedly trained to recognize and avoid them.
This is particularly true of phishing, one of the most common initial-access vectors for ransomware campaigns. Training employees to foil it requires more than an occasional phishing simulation run by the IT department. It requires leadership from the top down to stress upon all employees just how important it is for them to be on the lookout for cyber threats.
Like the military, the core mission — in this case defending patient data — must be repeatedly stressed by those in command. In a defense-minded culture, the importance of remaining vigilant and the call to action to be vigilant never wavers. Radiology leaders should also advocate for the organization as a whole to embrace and accept these principles. This includes proactively engaging senior leaders outside of the imaging function and informing them of security alerts from the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation (FBI), information which can subsequently be shared with employees organization-wide.
Utilizing Compliance Assessments to Ensure Your Practice is Up to Date with Evolving Standards
Challenge 2: Evolving standards. More data is shared today than ever, and application programming interfaces (APIs) are used to enable the myriad systems, devices and applications involved to work together. Usually, APIs work with most stakeholders blissfully ignorant of the sophisticated integration and messaging technologies that make it all possible.
However, these same APIs can expose an organization if they run on unpatched software, accept requests without proper authentication and authorization, or return more data than the caller needs. It is therefore imperative for radiology leaders to ensure that APIs are not only up to date, but compliant with current safeguards. For example, under the ONC 21st Century Cures Act Final Rule, developers of certified health IT are now required to make standardized FHIR-based APIs available to their customers, with access authorized through the SMART App Launch (OAuth 2.0) profile.
The same premise applies to hardware and software. Outdated devices and applications often carry known vulnerabilities. Radiology leaders should make sure compliance assessments and audits are conducted routinely, and that the inventory they audit against actually lists every device and service on the network.
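As an added illustration of what “compliant with current safeguards” means for a FHIR API (example code written for this edit, not the authors’ or any vendor’s): a SMART-on-FHIR server advertises its OAuth 2.0 authorize and token endpoints in the CapabilityStatement it serves at /metadata, so a reviewer can check that document before wiring the server to a portal. The two CapabilityStatements below are constructed for the example, and the example.org hostnames are placeholders.

```python
"""Audit a FHIR CapabilityStatement for the authorization safeguards the
SMART App Launch profile expects.  Added example; the statements are
constructed and the example.org endpoints are placeholders."""
from __future__ import annotations
import json

# Terminology used by SMART App Launch to declare OAuth-based security.
SMART_SERVICE_SYSTEM = "http://terminology.hl7.org/CodeSystem/restful-security-service"
OAUTH_URIS_EXTENSION = "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"
REQUIRED_OAUTH_URIS = ("authorize", "token")


def audit_capability_statement(cap: dict) -> list[str]:
    """Return a list of findings; an empty list means the statement passes."""
    findings = []
    if cap.get("resourceType") != "CapabilityStatement":
        return ["document is not a CapabilityStatement"]

    # ONC certification (45 CFR 170.215) names FHIR Release 4.0.1.
    if not str(cap.get("fhirVersion", "")).startswith("4."):
        findings.append(f"fhirVersion {cap.get('fhirVersion')!r} is not FHIR R4")

    servers = [r for r in cap.get("rest", []) if r.get("mode") == "server"]
    if not servers:
        return findings + ["no rest.mode=server entry: cannot assess security"]

    for rest in servers:
        sec = rest.get("security")
        if not sec:
            findings.append("rest.security is absent: server advertises no authorization")
            continue
        # The server should declare SMART-on-FHIR as its security service ...
        codes = {c.get("code") for svc in sec.get("service", [])
                 for c in svc.get("coding", []) if c.get("system") == SMART_SERVICE_SYSTEM}
        if "SMART-on-FHIR" not in codes:
            findings.append("security.service does not declare SMART-on-FHIR")
        # ... and publish where clients obtain tokens, over HTTPS only.
        oauth = next((e for e in sec.get("extension", []) if e.get("url") == OAUTH_URIS_EXTENSION), None)
        if oauth is None:
            findings.append("oauth-uris extension missing: no authorize/token endpoints published")
            continue
        uris = {e.get("url"): e.get("valueUri", "") for e in oauth.get("extension", [])}
        for name in REQUIRED_OAUTH_URIS:
            uri = uris.get(name)
            if not uri:
                findings.append(f"oauth-uris lacks '{name}' endpoint")
            elif not uri.startswith("https://"):
                findings.append(f"'{name}' endpoint {uri} is not served over HTTPS")
    return findings


# Constructed sample: a statement that passes the checks above.
GOOD_STATEMENT = json.loads("""{
  "resourceType": "CapabilityStatement", "fhirVersion": "4.0.1",
  "rest": [{"mode": "server", "security": {
    "cors": true,
    "service": [{"coding": [{"system": "%s", "code": "SMART-on-FHIR"}]}],
    "extension": [{"url": "%s", "extension": [
      {"url": "authorize", "valueUri": "https://auth.example.org/authorize"},
      {"url": "token", "valueUri": "https://auth.example.org/token"}]}]}}]}
""" % (SMART_SERVICE_SYSTEM, OAUTH_URIS_EXTENSION))

# Constructed sample: an older server with no SMART declaration and a plain-HTTP token endpoint.
WEAK_STATEMENT = json.loads("""{
  "resourceType": "CapabilityStatement", "fhirVersion": "3.0.2",
  "rest": [{"mode": "server", "security": {
    "extension": [{"url": "%s", "extension": [
      {"url": "authorize", "valueUri": "https://auth.example.org/authorize"},
      {"url": "token", "valueUri": "http://auth.example.org/token"}]}]}}]}
""" % OAUTH_URIS_EXTENSION)


if __name__ == "__main__":
    for label, cap in (("good", GOOD_STATEMENT), ("weak", WEAK_STATEMENT)):
        print(label, audit_capability_statement(cap) or "OK")
```

In practice the input is the JSON returned by `GET {base}/metadata` (or the `.well-known/smart-configuration` document on newer servers); a non-empty findings list is a reason to withhold the integration until the vendor fixes the server, not a note for later.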
Reassess Consent Protocols
Challenge 3: Meeting the demand for fast access to images. As mentioned previously, imaging and radiology departments are under immense pressure to provide patients, referring physicians and other departments with fast access to scans. Clearly, those in charge of medical imaging do not manage the entire, extended network required to do this.
That is why it is imperative that patient consent be effectively managed and documented upfront. Patient consent should be integrated into clinical workflows as a matter of course and should be addressed explicitly whenever new technology assets are evaluated.
Strengthen Data Safeguards
Challenge 4: Recognizing that imaging data could be in jeopardy.
The fact that data is at risk is the reality around which all cybersecurity concerns revolve. There are two questions that one needs to ask in regard to possible data breaches. Who has access to patient data internally? How safe is data in its most basic form?
Addressing the first question matters because internal breaches remain common. Most are the result of simple mistakes, but some involve malicious intent, including staff browsing the records of patients they are not treating. In response, imaging teams should adopt a zero-trust approach that removes implicit trust based on network location: every user and device is authenticated, each access is authorized against the user’s role and care relationship with the patient, privileges are limited to what the task requires, and access is logged and reviewed.
The second question, how safe data is at the most basic level, should be addressed with strong, standards-based encryption (TLS 1.2 or later for images and patient data “in transit,” AES-256 for data “at rest”) rather than unspecified “military-grade” products. Encryption is only as strong as its key management: keys should be stored separately from the data they protect, in a hardware security module or key management service where possible, with access restricted to a small number of named administrators and every use audited.
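The question “who has access to patient data internally?” is answered by reading the access trail, not the permission list. The script below is an added illustration (written for this edit, not the authors’ or any product’s code) of a review that a radiology IT team could run over a PACS or EHR audit export: it flags non-clinical roles viewing studies, clinical users viewing patients outside their care team, break-the-glass accesses that need a documented justification, and bulk out-of-team lookups in a short window. The log lines, roster and care-team table are constructed, and the `key=value` line format is an assumption, not any vendor’s export format.

```python
"""Review an imaging access log for internal misuse.  Added example: the
log, roster and care-team assignments are constructed, and the key=value
line format is an assumption about what an audit export looks like."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed roster and care-team assignments (user -> patients they are treating).
ROLES = {"rsmith": "radiologist", "jdoe": "technologist",
         "bjones": "billing", "mlee": "radiologist"}
CARE_TEAM = {"rsmith": {"MRN0041", "MRN0042"}, "jdoe": {"MRN0041"}, "mlee": {"MRN0077"}}
CLINICAL_ROLES = {"radiologist", "technologist", "referring_physician"}

# Constructed audit export; a real one would be pulled from the PACS/EHR.
ACCESS_LOG = """\
2024-03-04T08:14:03Z user=rsmith patient=MRN0041 action=VIEW_STUDY study=CT-CHEST
2024-03-04T08:16:21Z user=jdoe patient=MRN0041 action=VIEW_STUDY study=CT-CHEST
2024-03-04T08:20:05Z user=rsmith patient=MRN0077 action=VIEW_STUDY study=MR-BRAIN reason=BREAK_GLASS
2024-03-04T09:01:10Z user=bjones patient=MRN0042 action=VIEW_STUDY study=MG-3D
2024-03-04T09:02:00Z user=mlee patient=MRN0077 action=VIEW_STUDY study=MR-BRAIN
2024-03-04T09:05:00Z user=mlee patient=MRN0101 action=VIEW_STUDY study=CT-ABD
2024-03-04T09:05:30Z user=mlee patient=MRN0102 action=VIEW_STUDY study=CT-ABD
2024-03-04T09:06:00Z user=mlee patient=MRN0103 action=VIEW_STUDY study=CT-ABD
2024-03-04T09:06:30Z user=mlee patient=MRN0104 action=VIEW_STUDY study=CT-ABD
"""


def parse_line(line: str) -> dict:
    """Turn '<timestamp> k=v k=v ...' into a dict with a parsed 'ts'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def audit_access(log_text: str, roles: dict, care_team: dict,
                 bulk_threshold: int = 3, window: timedelta = timedelta(minutes=10)):
    """Return (user, patient, reason) findings for a reviewer to follow up."""
    findings = []
    recent = defaultdict(list)  # user -> timestamps of recent out-of-team lookups
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, patient = rec["user"], rec["patient"]
        role = roles.get(user, "unknown")
        # Least privilege: non-clinical roles have no business opening studies.
        if role not in CLINICAL_ROLES:
            findings.append((user, patient, f"non-clinical role '{role}' viewed imaging"))
            continue
        # A documented care relationship is the normal authorization.
        if patient in care_team.get(user, set()):
            continue
        # Emergency override is legitimate but must be justified after the fact.
        if rec.get("reason") == "BREAK_GLASS":
            findings.append((user, patient, "break-glass access: verify documented justification"))
            continue
        findings.append((user, patient, "no care relationship on record"))
        # Several out-of-team lookups in a short window suggest snooping or bulk export.
        hits = [t for t in recent[user] if rec["ts"] - t <= window] + [rec["ts"]]
        recent[user] = hits
        if len(hits) == bulk_threshold:
            findings.append((user, "*", f"{bulk_threshold} out-of-team lookups within {window}"))
    return findings


if __name__ == "__main__":
    for user, patient, reason in audit_access(ACCESS_LOG, ROLES, CARE_TEAM):
        print(f"{user:8} {patient:8} {reason}")
```

On the constructed log this surfaces the billing user, the break-glass view, and the radiologist paging through four unassigned patients in ninety seconds, while the routine views by assigned staff produce nothing. The care-team table is the hard part in real deployments; it has to come from scheduling or order data, and a review that lacks it degrades to volume-based alerts only.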
Can a Hyperscaler’s Cloud-Based Resources Enhance System Security?
Challenge 5: Internal IT and security resources are not sufficient.
The headlines often tell the story. Last fall, an imaging firm in Hawaii had to turn away patients after a cyberattack and the required response brought its operation to a halt and led to the shutdown of its website and phones.
Although each cyberattack is different and even the most secure enterprise can be compromised, imaging departments and practices should assess whether their resources are up to the task or if they should engage partners to manage their core infrastructure.
All of the major hyperscalers, including Amazon Web Services, Google Cloud and Microsoft Azure, offer HIPAA-eligible services and reference architectures designed for health care. Few on-premises networks can match the security controls, computing performance or storage capacity they offer at a comparable cost. Likewise, today’s software-defined data centers let imaging teams run many of the same IT solutions on premises and later shift them to the cloud with little change.
By partnering with such providers, medical imaging organizations with insufficient resources can substantially strengthen their overall security stance, particularly if they engage vendors that hold HITRUST certification and will sign a HIPAA business associate agreement. One caveat: cloud providers operate under a shared responsibility model. The provider secures the underlying infrastructure, but identity and access configuration, encryption settings, patching of customer-managed systems and monitoring remain the customer’s job, and many reported cloud data exposures stem from misconfiguration on that side.
This same line of thinking should also be applied to testing. Hiring a third-party expert to vet your overall security stance with penetration testing and other strategies is often the best approach because it can be the most effective way to identify weaknesses in your network.
Taking a Proactive Approach to Preventing Potential Cyber Attacks
There is no way to absolutely ensure that all systems and data will remain safe. Today’s cybercriminals work in exceptionally well-financed and sophisticated criminal syndicates. In today’s extensive health care networks, they have numerous attack surfaces to choose from.
Organizations that do an exceptional job of embracing the aforementioned solutions cannot assume their efforts will be effective every time. However, they will know they made it as difficult as possible for nefarious actors to gain access to their data. Often, this is enough to prompt them to focus their attention elsewhere.
Regardless, radiology leaders should adopt the practices above as a minimum while also being realistic: have an incident response plan in place that spells out each action the organization will take, and who will take it, should an attack succeed.
Dhaval Shah is an executive vice president at CitiusTech. He has more than two decades of experience in health-care IT, including senior-level roles in engineering, research, software development, IT architecture and management roles serving pharmaceutical companies, physician practices and health insurance companies.
Shujah Das Gupta is a vice president of medical technology at CitiusTech. He has 18 years of experience in health-care technology with a focus on medical imaging, interoperability, and the digital transformation of health-care IT for pharmaceutical companies, providers, payers, technology hardware and software vendors, and service providers.