Feature | Cybersecurity | November 06, 2017 | By Jeff Zagoudis

Building A Cybersecurity Team in Radiology

As attacks on patients’ personal information become more sophisticated, radiology and other departments must work together with IT, government and industry to better protect their patients


The driving force of healthcare technology advancement in recent years has focused on making it easier to share information among all members of the care team — including patients — to facilitate higher-quality care. Allowing greater connectivity comes with a price, however, as it makes personal health information (PHI) and other personal data more vulnerable to those with ill intentions. Cyberattacks on healthcare institutions as well as data breaches regularly make headlines as various individuals and entities seek to use this information for their own personal gain. To date, providers of all specialties — including radiology — have had trouble defending themselves against these invasions, and they must improve if they hope to maintain the trust of their patients.

 

Data Vulnerabilities in Radiology

Due to the nature of the specialty — medical imaging data is only ever directed outward — radiology has its own unique vulnerabilities when it comes to cybersecurity. Ambra Health conducted a survey of 1,100 healthcare consumers across age groups and genders to determine how they engage with their healthcare providers and use technology to access medical information and imaging. When asked specifically how their medical images were moved, 57 percent said CDs were used, the largest percentage by far. Online access/image share was the fifth most used method, used by just 17 percent of respondents; 31 percent said they have no online access at all to their medical records. [1]

Despite these statistics, many institutions have by now adopted electronic health records (EHRs) to more easily share patient information between providers. While this can significantly improve workflow between providers and between healthcare facilities, it also means “there is a proliferation of data that is being transferred continuously,” said Drex Deford, an independent healthcare IT consultant, at the 2017 annual meeting of the Association for Medical Imaging Management (AHRA) in July.

In addition, many of these records can now be viewed on mobile devices, so providers do not even have to be in the hospital or their office to check up on patients. Some hospitals provide mobile devices to providers that feature encryption and other advanced security measures — but some hospitals, said Deford, have a “bring your own device” (BYOD) policy, so physicians are accessing sensitive medical information on their personal, consumer-grade, unsecured smartphones and tablets.

According to Deford, ransomware — software designed to lock up a computer and/or the information on it unless the user pays a ransom — is the No. 1 tactic employed by medical hackers. Threats can come in countless forms, however. Radiologist Richard Kessler, M.D., was arrested Dec. 3, 2014, for stealing the PHI of nearly 97,000 current and former patients of NRAD Medical Associates on Long Island, N.Y. Kessler claimed he stole the records because he was going to start a competing radiology practice. All he had to do to steal the data was connect an external hard drive on which to download the information. [2] A breach could also occur from something as innocent as an employee getting creative and finding a workaround for a process or protocol they perceive is hampering their efficiency.

With so many risks, many healthcare organizations simply are not equipped to handle cybersecurity on an adequate level. In a recent survey by Bloomberg Law of 290 healthcare attorneys, nearly 4 in 10 said they did not feel their organization’s incident response plans were detailed enough or had been adequately tested to ensure patient data safety. [3]

 

Industry and Government Response

While healthcare organizations are still learning to defend themselves from cyberattacks that are growing ever more complicated and clever, they are not solely responsible for their own protection. Government and vendors have been key partners in the fight against the industry-wide, worldwide cyberattack issue.

 

Government

In August, the Department of Health and Human Services (HHS) Office for Civil Rights launched an updated version of the HIPAA Breach Reporting Tool (HBRT), a searchable repository of information on recent health information breaches (within the last 24 months) and what actions are being taken to resolve them. The HBRT was originally released in 2009; new features in the updated version include:

•    Enhanced functionality that highlights breaches currently under investigation and reported within the last 24 months;

•    New archive that includes all older breaches and information about how breaches were resolved;

•    Improved navigation to additional breach information; and

•    Tips for consumers.

 

“The HBRT provides healthcare organizations and consumers with the ability to more easily review breaches reported to OCR,” said Roger Severino, director of the Office for Civil Rights (OCR), in a statement. “Furthermore, greater access to timely information strengthens consumer trust and transparency.”

Under the official HIPAA Breach Notification Rule, providers (aka “covered entities”) and “business associates” are only required to provide notification of data breach if the breach involved “unsecured” PHI — information that has not been rendered unusable, unreadable or indecipherable to unauthorized people through the use of a technology or methodology specified by the HHS Secretary in guidance (i.e., encryption and/or destruction). Notifications must be sent to individual patients, via first-class mail or e-mail, no later than 60 days after the discovery of the breach. If the breach affects more than 500 residents within the impacted state/jurisdiction, media notice is required. The HHS Secretary must be notified in the event of any information breach.

 

Industry

Manufacturers are also doing their part to help their radiology customers protect themselves from cyberattacks. “Medical imaging manufacturers and hospital IT departments share the responsibility for technical infrastructure and mechanisms to provide compliance with best-in-class cybersecurity provisions and risk assessment tools,” said Henri “Rik” Primo, director of strategic relations and digital health services for Siemens Healthineers, at AHRA 2017.

One way that manufacturers are participating in cybersecurity efforts is through the Medical Device Innovation, Safety and Security Consortium (MDISS), a nonprofit organization. The mission of MDISS — made up of medical device vendors, healthcare delivery organizations, universities and other industry stakeholders — is to “develop practical technologies, practices and policy solutions for making devices safer and more secure.” In August, the group announced the launch of a new network of medical device security testing labs called WHISTL (World Health Information Security Testing Lab). These facilities, independently owned and operated by MDISS members, will each conduct research and development under their own set of standard operating procedures. It is the first time this type of “proving ground” has been designed around the needs of medical device researchers, healthcare IT professionals and hospital clinical engineering leaders. Researchers will be able to run devices through more rigorous and realistic testing, allowing hidden vulnerabilities to surface more quickly.

Developing best practices should be high priority for device manufacturers, according to Primo, to ensure consistent, high-quality protections on all equipment. Examples include making user interfaces simple so employees are not tempted to create workarounds, and multi-factor authentication for all device users (i.e., requiring presentation of multiple pieces of evidence to validate a user’s identity).

When working with a vendor, Primo told his AHRA audience, the vendor should always pre-test the security of the device prior to installation, and may also want to engage whitelisting protocols; these will create a list of entities approved to access the device. Vendors and users will also want to ensure communication protocols are protected, “which is essential when transmitting protected health information,” Primo said.

The National Electrical Manufacturers Association (NEMA) offers several guidance documents related to cybersecurity, including PS3.15 of the DICOM standard, which provides specific guidance on security and system management profiles, and the Manufacturer Disclosure Statement for Medical Device Security (MDS2), a form that manufacturers can use as a tool when performing risk assessment for a customer.

 

Marrying Radiology and IT

While the technical components are an important piece of any cybersecurity strategy, the most important part of any plan is without a doubt the humans, according to Deford. Without sufficient knowledge and training followed by successful execution, best practices, technologies and protocols will provide little protection against malicious entities and individuals.

The single biggest mistake that Deford sees most healthcare organizations make is forgoing transparency between IT and the departments they are helping. In essence, this puts the entire responsibility for cybersecurity in the hands of the IT department. While it is important to call upon their technological expertise, they will not have an inherent understanding of the clinical workflow requirements for radiology (or any other hospital department). From the other side, working with IT will help radiology better select and implement technology and practices that help keep the entire organization safe, according to Deford.

It is also important to involve department or hospital executives, board members and other high-ranking individuals to build the most effective security program. “A good security program is driven into place and monitored from the top of the organization — they are the leaders who can change the organization’s culture and attitude about the importance of cybersecurity,” said Deford.

“Whether we like it or not these days, everything is connected to everything else, so a risk accepted by one person (department) is a risk imposed on everyone else connected to that network,” he added. “By understanding radiology’s clinical requirements, corporate IT departments and CISOs [chief information security officers] can build better security programs to protect the entire organization.” 

 


 

References

1.    Era of Change: Today’s Healthcare Consumer. Ambra Health. https://ambrahealth.com/ebook/era-change-todays-healthcare-consumer/.  Accessed Oct. 12, 2017.

2.    “Radiologist Arrested in Breach Case,” Data Breach Today, Dec. 8, 2014. www.databreachtoday.com. Accessed Oct. 12, 2017.

3.    Health Care Cybersecurity Survey. American Health Lawyers Association. www.healthplanalliance.org/Document.asp?DocID=3188. Accessed Oct. 12, 2017.
