The driving force of healthcare technology advancement in recent years has focused on making it easier to share information among all members of the care team — including patients — to facilitate higher-quality care. Allowing greater connectivity comes with a price, however, as it makes personal health information (PHI) and other personal data more vulnerable to those with ill intentions. Cyberattacks on healthcare institutions as well as data breaches regularly make headlines as various individuals and entities seek to use this information for their own personal gain. To date, providers of all specialties — including radiology — have had trouble defending themselves against these invasions, and they must improve if they hope to maintain the trust of their patients.
Data Vulnerabilities in Radiology
Due to the nature of the specialty — medical imaging data is only ever directed outward — radiology has its own unique vulnerabilities when it comes to cybersecurity. Ambra Health conducted a survey of 1,100 healthcare consumers across age groups and genders to determine how they engage with their healthcare providers and use technology to access medical information and imaging. When asked specifically how their medical images were moved, 57 percent said CDs were used, the largest percentage by far. Online access/image share was the fifth most used method, used by just 17 percent of respondents; 31 percent said they have no online access at all to their medical records.[1]
Despite these statistics, many institutions have by now adopted electronic health records (EHRs) to more easily share patient information between providers. While this can significantly improve workflow between providers and between healthcare facilities, it also means “there is a proliferation of data that is being transferred continuously,” said Drex Deford, an independent healthcare IT consultant, at the 2017 annual meeting of the Association for Medical Imaging Management (AHRA) in July.
In addition, many of these records can now be viewed on mobile devices, so providers do not even have to be in the hospital or their office to check up on patients. Some hospitals provide mobile devices to providers that feature encryption and other advanced security measures — but some hospitals, said Deford, have a “bring your own device” (BYOD) policy, so physicians are accessing sensitive medical information on their personal, consumer-grade, unsecured smartphones and tablets.
According to Deford, ransomware — software designed to lock up a computer and/or the information on it unless the user pays a ransom — is the No. 1 tactic employed by medical hackers. Threats can come in countless forms, however. Radiologist Richard Kessler, M.D., was arrested Dec. 3, 2014, for stealing the PHI of nearly 97,000 current and former patients of NRAD Medical Associates on Long Island, N.Y. Kessler claimed he stole the records because he was going to start a competing radiology practice. All he had to do to steal the data was connect an external hard drive on which to download the information.[2] A breach could also occur from something as innocent as an employee getting creative and finding a workaround for a process or protocol they perceive is hampering their efficiency.
With so many risks, many healthcare organizations simply are not equipped to handle cybersecurity on an adequate level. In a recent survey by Bloomberg Law of 290 healthcare attorneys, nearly 4 in 10 said they did not feel their organization’s incident response plans were detailed enough or had been adequately tested to ensure patient data safety.[3]
Industry and Government Response
While healthcare organizations are still learning to defend themselves from cyberattacks that are growing ever more complicated and clever, they are not solely responsible for their own protection. Government and vendors have been key partners in the fight against the industry-wide, worldwide cyberattack issue.
In August, the Department of Health and Human Services (HHS) Office for Civil Rights launched an updated version of the HIPAA Breach Reporting Tool (HBRT), a searchable repository of information on recent health information breaches (within the last 24 months) and what actions are being taken to resolve them. The HBRT was originally released in 2009; new features in the updated version include:
• Enhanced functionality that highlights breaches currently under investigation and reported within the last 24 months;
• New archive that includes all older breaches and information about how breaches were resolved;
• Improved navigation to additional breach information; and
• Tips for consumers.
“The HBRT provides healthcare organizations and consumers with the ability to more easily review breaches reported to OCR,” said Roger Severino, director of the Office for Civil Rights (OCR), in a statement. “Furthermore, greater access to timely information strengthens consumer trust and transparency.”
Under the official HIPAA Breach Notification Rule, providers (aka “covered entities”) and “business associates” are only required to provide notification of data breach if the breach involved “unsecured” PHI — information that has not been rendered unusable, unreadable or indecipherable to unauthorized people through the use of a technology or methodology specified by the HHS Secretary in guidance (i.e., encryption and/or destruction). Notifications must be sent to individual patients, via first-class mail or e-mail, no later than 60 days after the discovery of the breach. If the breach affects more than 500 residents within the impacted state/jurisdiction, media notice is required. The HHS Secretary must be notified in the event of any information breach.
Manufacturers are also doing their part to help their radiology customers protect themselves from cyberattacks. “Medical imaging manufacturers and hospital IT departments share the responsibility for technical infrastructure and mechanisms to provide compliance with best-in-class cybersecurity provisions and risk assessment tools,” said Henri “Rik” Primo, director of strategic relations and digital health services for Siemens Healthineers, at AHRA 2017.
One way that manufacturers are participating in cybersecurity efforts is through the Medical Device Innovation, Safety and Security Consortium (MDISS), a nonprofit organization. The mission of MDISS — made up of medical device vendors, healthcare delivery organizations, universities and other industry stakeholders — is to “develop practical technologies, practices and policy solutions for making devices safer and more secure.” In August, the group announced the launch of a new network of medical device security testing labs called WHISTL (World Health Information Security Testing Lab). These facilities, independently owned and operated by MDISS members, will each conduct research and development under their own set of standard operating procedures. It is the first time this type of “proving ground” has been designed around the needs of medical device researchers, healthcare IT professionals and hospital clinical engineering leaders. Researchers will be able to run devices through more rigorous and realistic testing, allowing hidden vulnerabilities to surface more quickly.
Developing best practices should be a high priority for device manufacturers, according to Primo, to ensure consistent, high-quality protections on all equipment. Examples include making user interfaces simple so employees are not tempted to create workarounds, and multi-factor authentication for all device users (i.e., requiring presentation of multiple pieces of evidence to validate a user’s identity).
When working with a vendor, Primo told his AHRA audience, the vendor should always pre-test the security of the device prior to installation, and may also want to engage whitelisting protocols; these will create a list of entities approved to access the device. Vendors and users will also want to ensure communication protocols are protected, “which is essential when transmitting protected health information,” Primo said.
The National Electrical Manufacturers Association (NEMA) offers several guidance documents related to cybersecurity, including PS3.15 of the DICOM standard, which provides specific guidance on security and system management profiles, and the Manufacturer Disclosure Statement for Medical Device Security (MDS2), a form that manufacturers can use as a tool when performing risk assessment for a customer.
Marrying Radiology and IT
While the technical components are an important piece of any cybersecurity strategy, the most important part of any plan is without a doubt the humans, according to Deford. Without sufficient knowledge and training followed by successful execution, best practices, technologies and protocols will provide little protection against malicious entities and individuals.
The single biggest mistake that Deford sees most healthcare organizations make is forgoing transparency between IT and the departments they are helping. In essence, this puts the entire responsibility for cybersecurity in the hands of the IT department. While it is important to call upon their technological expertise, they will not have an inherent understanding of the clinical workflow requirements for radiology (or any other hospital department). From the other side, working with IT will help radiology better select and implement technology and practices that help keep the entire organization safe, according to Deford.
It is also important to involve department or hospital executives, board members and other high-ranking individuals to build the most effective security program. “A good security program is driven into place and monitored from the top of the organization — they are the leaders who can change the organization’s culture and attitude about the importance of cybersecurity,” said Deford.
“Whether we like it or not these days, everything is connected to everything else, so a risk accepted by one person (department) is a risk imposed on everyone else connected to that network,” he added. “By understanding radiology’s clinical requirements, corporate IT departments and CISOs [chief information security officers] can build better security programs to protect the entire organization.”
1. Era of Change: Today’s Healthcare Consumer. Ambra Health. https://ambrahealth.com/ebook/era-change-todays-healthcare-consumer/. Accessed Oct. 12, 2017.
3. Health Care Cybersecurity Survey. American Health Lawyers Association. www.healthplanalliance.org/Document.asp?DocID=3188. Accessed Oct. 12, 2017.