Feature | Cybersecurity | November 06, 2017 | By Jeff Zagoudis

Building A Cybersecurity Team in Radiology

As attacks on patients’ personal information become more sophisticated, radiology and other departments must work together with IT, government and industry to better protect their patients


Healthcare technology advancement in recent years has focused on making it easier to share information among all members of the care team — including patients — to facilitate higher-quality care. Greater connectivity comes with a price, however, as it makes personal health information (PHI) and other personal data more exposed to those with ill intentions. Cyberattacks on healthcare institutions, as well as data breaches, regularly make headlines as various individuals and entities seek to use this information for their own gain. To date, providers of all specialties — including radiology — have had trouble defending themselves against these intrusions, and they must improve if they hope to maintain the trust of their patients.


Data Vulnerabilities in Radiology

Due to the nature of the specialty — medical imaging data is produced to be sent outward to others — radiology has its own unique vulnerabilities when it comes to cybersecurity. Ambra Health conducted a survey of 1,100 healthcare consumers across age groups and genders to determine how they engage with their healthcare providers and use technology to access medical information and imaging. When asked specifically how their medical images were moved, 57 percent said CDs were used, by far the largest percentage. Online access/image share was the fifth most used method, used by just 17 percent of respondents; 31 percent said they have no online access at all to their medical records.1

Despite these statistics, many institutions have by now adopted electronic health records (EHRs) to more easily share patient information between providers. While this can significantly improve workflow between providers and between healthcare facilities, it also means “there is a proliferation of data that is being transferred continuously,” said Drex Deford, an independent healthcare IT consultant, at the 2017 annual meeting of the Association for Medical Imaging Management (AHRA) in July.

In addition, many of these records can now be viewed on mobile devices, so providers do not even have to be in the hospital or their office to check up on patients. Some hospitals provide mobile devices to providers that feature encryption and other advanced security measures — but some hospitals, said Deford, have a “bring your own device” (BYOD) policy, so physicians are accessing sensitive medical information on their personal, consumer-grade, unsecured smartphones and tablets.

According to Deford, ransomware — software designed to lock up a computer and/or the information on it unless the user pays a ransom — is the No. 1 tactic employed by medical hackers. Threats can come in countless forms, however. Radiologist Richard Kessler, M.D., was arrested Dec. 3, 2014, for stealing the PHI of nearly 97,000 current and former patients of NRAD Medical Associates on Long Island, N.Y. Kessler claimed he stole the records because he was going to start a competing radiology practice. All he had to do to steal the data was connect an external hard drive on which to download the information.2 A breach could also occur from something as innocent as an employee getting creative and finding a workaround for a process or protocol they perceive is hampering their efficiency.

With so many risks, many healthcare organizations simply are not equipped to handle cybersecurity on an adequate level. In a recent survey by Bloomberg Law of 290 healthcare attorneys, nearly 4 in 10 said they did not feel their organization’s incident response plans were detailed enough or had been adequately tested to ensure patient data safety.3


Industry and Government Response

While healthcare organizations are still learning to defend themselves from cyberattacks that are growing ever more complicated and clever, they are not solely responsible for their own protection. Government and vendors have been key partners in addressing cyberattacks, which are an industry-wide and worldwide problem.



In August, the Department of Health and Human Services (HHS) Office for Civil Rights launched an updated version of the HIPAA Breach Reporting Tool (HBRT), a searchable repository of information on recent health information breaches (within the last 24 months) and what actions are being taken to resolve them. The HBRT was originally released in 2009; new features in the updated version include:

•    Enhanced functionality that highlights breaches currently under investigation and reported within the last 24 months;

•    New archive that includes all older breaches and information about how breaches were resolved;

•    Improved navigation to additional breach information; and

•    Tips for consumers.


“The HBRT provides healthcare organizations and consumers with the ability to more easily review breaches reported to OCR,” said Roger Severino, director of the Office for Civil Rights (OCR), in a statement. “Furthermore, greater access to timely information strengthens consumer trust and transparency.”

Under the official HIPAA Breach Notification Rule, providers (aka “covered entities”) and “business associates” are only required to provide notification of data breach if the breach involved “unsecured” PHI — information that has not been rendered unusable, unreadable or indecipherable to unauthorized people through the use of a technology or methodology specified by the HHS Secretary in guidance (i.e., encryption and/or destruction). Notifications must be sent to individual patients, via first-class mail or e-mail, no later than 60 days after the discovery of the breach. If the breach affects more than 500 residents within the impacted state/jurisdiction, media notice is required. The HHS Secretary must be notified in the event of any information breach.
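As an added illustration, not part of the original article, the notification obligations described above can be written as a small incident-response triage helper. It encodes only the rules as the article states them (the "unsecured PHI" test, the 60-day individual notice limit, the 500-resident media threshold and notice to the HHS Secretary); the Breach fields, helper names and sample counts are assumptions.

```python
"""Breach-notification triage helper (added example; assumptions noted inline)."""
from dataclasses import dataclass
from datetime import date, timedelta

NOTIFICATION_WINDOW = timedelta(days=60)   # outer limit for notifying individuals
MEDIA_NOTICE_THRESHOLD = 500               # residents of one state/jurisdiction


@dataclass
class Breach:
    """Facts an IR team records about one incident (field names are assumptions)."""
    discovered: date
    affected_by_jurisdiction: dict   # {"NY": 700} -> residents affected per state
    encrypted: bool = False          # PHI rendered unreadable per HHS guidance
    destroyed: bool = False          # PHI destroyed per HHS guidance


def breach_from_report(discovered_iso, counts, encrypted=False, destroyed=False):
    """Build a Breach from an ISO date string and a per-jurisdiction count dict."""
    return Breach(date.fromisoformat(discovered_iso), dict(counts), encrypted, destroyed)


def is_unsecured(b):
    """PHI is 'unsecured' unless it was encrypted or destroyed per HHS guidance."""
    return not (b.encrypted or b.destroyed)


def required_notifications(b):
    """Return the obligations the Breach Notification Rule (as summarised) triggers."""
    if not is_unsecured(b):
        # Secured PHI: the Rule's notification duties are not triggered.
        return {"individuals": False, "individual_deadline": None, "media": [], "hhs": False}
    # Media notice is required per jurisdiction with more than 500 affected residents.
    media = sorted(j for j, n in b.affected_by_jurisdiction.items() if n > MEDIA_NOTICE_THRESHOLD)
    return {
        "individuals": True,                                   # first-class mail or e-mail
        "individual_deadline": b.discovered + NOTIFICATION_WINDOW,
        "media": media,
        "hhs": True,                                           # Secretary notified for any breach
    }


def days_remaining(b, today):
    """Days left (negative if overdue) to notify individuals; None if not required."""
    deadline = required_notifications(b)["individual_deadline"]
    return None if deadline is None else (deadline - today).days


if __name__ == "__main__":
    # Constructed sample: 700 New York residents and 40 New Jersey residents, unencrypted.
    sample = breach_from_report("2017-10-02", {"NY": 700, "NJ": 40})
    print(required_notifications(sample))
    print("days remaining:", days_remaining(sample, date(2017, 11, 1)))
```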



Manufacturers are also doing their part to help their radiology customers protect themselves from cyberattacks. “Medical imaging manufacturers and hospital IT departments share the responsibility for technical infrastructure and mechanisms to provide compliance with best-in-class cybersecurity provisions and risk assessment tools,” said Henri “Rik” Primo, director of strategic relations and digital health services for Siemens Healthineers, at AHRA 2017.

One way that manufacturers are participating in cybersecurity efforts is through the Medical Device Innovation, Safety and Security Consortium (MDISS), a nonprofit organization. The mission of MDISS — made up of medical device vendors, healthcare delivery organizations, universities and other industry stakeholders — is to “develop practical technologies, practices and policy solutions for making devices safer and more secure.” In August, the group announced the launch of a new network of medical device security testing labs called WHISTL (World Health Information Security Testing Lab). These facilities, independently owned and operated by MDISS members, will each conduct research and development under their own set of standard operating procedures. It is the first time this type of “proving ground” has been designed around the needs of medical device researchers, healthcare IT professionals and hospital clinical engineering leaders. Researchers will be able to run devices through more rigorous and realistic testing, allowing hidden vulnerabilities to surface more quickly.

Developing best practices should be a high priority for device manufacturers, according to Primo, to ensure consistent, high-quality protections on all equipment. Examples include making user interfaces simple so employees are not tempted to create workarounds, and multi-factor authentication for all device users (i.e., requiring presentation of multiple pieces of evidence to validate a user’s identity).

When working with a vendor, Primo told his AHRA audience, the vendor should always pre-test the security of the device prior to installation, and may also want to apply whitelisting, which restricts access to the device to a list of approved entities. Vendors and users will also want to ensure communication protocols are protected, “which is essential when transmitting protected health information,” Primo said.

The National Electrical Manufacturers Association (NEMA) offers several guidance documents related to cybersecurity, including PS3.15 of the DICOM standard, which provides specific guidance on security and system management profiles, and the Manufacturer Disclosure Statement for Medical Device Security (MDS2), a form that manufacturers can use as a tool when performing risk assessment for a customer.


Marrying Radiology and IT

While the technical components are an important piece of any cybersecurity strategy, the most important part of any plan is without a doubt the humans, according to Deford. Without sufficient knowledge and training followed by successful execution, best practices, technologies and protocols will provide little protection against malicious entities and individuals.

The single biggest mistake that Deford sees most healthcare organizations make is forgoing transparency between IT and the departments they are helping. In essence, this puts the entire responsibility for cybersecurity in the hands of the IT department. While it is important to call upon their technological expertise, they will not have an inherent understanding of the clinical workflow requirements for radiology (or any other hospital department). From the other side, working with IT will help radiology better select and implement technology and practices that help keep the entire organization safe, according to Deford.

It is also important to involve department or hospital executives, board members and other high-ranking individuals to build the most effective security program. “A good security program is driven into place and monitored from the top of the organization — they are the leaders who can change the organization’s culture and attitude about the importance of cybersecurity,” said Deford.

“Whether we like it or not these days, everything is connected to everything else, so a risk accepted by one person (department) is a risk imposed on everyone else connected to that network,” he added. “By understanding radiology’s clinical requirements, corporate IT departments and CISOs [chief information security officers] can build better security programs to protect the entire organization.”



1. Era of Change: Today’s Healthcare Consumer. Ambra Health. https://ambrahealth.com/ebook/era-change-todays-healthcare-consumer/. Accessed Oct. 12, 2017.

2. “Radiologist Arrested in Breach Case,” Data Breach Today, Dec. 8, 2014. www.databreachtoday.com. Accessed Oct. 12, 2017.

3. Health Care Cybersecurity Survey. American Health Lawyers Association. www.healthplanalliance.org/Document.asp?DocID=3188. Accessed Oct. 12, 2017.
