Feature | Cybersecurity | November 06, 2017 | By Jeff Zagoudis

Building A Cybersecurity Team in Radiology

As attacks on patients’ personal information become more sophisticated, radiology and other departments must work together with IT, government and industry to better protect their patients


The driving force of healthcare technology advancement in recent years has focused on making it easier to share information among all members of the care team — including patients — to facilitate higher-quality care. Allowing greater connectivity comes with a price, however, as it makes personal health information (PHI) and other personal data more vulnerable to those with ill intentions. Cyberattacks on healthcare institutions as well as data breaches regularly make headlines as various individuals and entities seek to use this information for their own personal gain. To date, providers of all specialties — including radiology — have had trouble defending themselves against these invasions, and they must improve if they hope to maintain the trust of their patients.


Data Vulnerabilities in Radiology

Due to the nature of the specialty — medical imaging data is only ever directed outward — radiology has its own unique vulnerabilities when it comes to cybersecurity. Ambra Health conducted a survey of 1,100 healthcare consumers across age groups and genders to determine how they engage with their healthcare providers and use technology to access medical information and imaging. When asked specifically how their medical images were moved, 57 percent said CDs were used, the largest percentage by far. Online access/image share was the fifth most used method, used by just 17 percent of respondents; 31 percent said they have no online access at all to their medical records.1

Despite these statistics, many institutions have by now adopted electronic health records (EHRs) to more easily share patient information between providers. While this can significantly improve workflow between providers and between healthcare facilities, it also means “there is a proliferation of data that is being transferred continuously,” said Drex Deford, an independent healthcare IT consultant, at the 2017 annual meeting of the Association for Medical Imaging Management (AHRA) in July.

In addition, many of these records can now be viewed on mobile devices, so providers do not even have to be in the hospital or their office to check up on patients. Some hospitals provide mobile devices to providers that feature encryption and other advanced security measures — but some hospitals, said Deford, have a “bring your own device” (BYOD) policy, so physicians are accessing sensitive medical information on their personal, consumer-grade, unsecured smartphones and tablets.

According to Deford, ransomware — software designed to lock up a computer and/or the information on it unless the user pays a ransom — is the No. 1 tactic employed by medical hackers. Threats can come in countless forms, however. Radiologist Richard Kessler, M.D., was arrested Dec. 3, 2014, for stealing the PHI of nearly 97,000 current and former patients of NRAD Medical Associates on Long Island, N.Y. Kessler claimed he stole the records because he was going to start a competing radiology practice. All he had to do to steal the data was connect an external hard drive on which to download the information.2 A breach could also occur from something as innocent as an employee getting creative and finding a workaround for a process or protocol they perceive is hampering their efficiency.

With so many risks, many healthcare organizations simply are not equipped to handle cybersecurity on an adequate level. In a recent survey by Bloomberg Law of 290 healthcare attorneys, nearly 4 in 10 said they did not feel their organization’s incident response plans were detailed enough or had been adequately tested to ensure patient data safety.3


Industry and Government Response

While healthcare organizations are still learning to defend themselves from cyberattacks that are growing ever more complicated and clever, they are not solely responsible for their own protection. Government and vendors have been key partners in the fight against the industry-wide, worldwide cyberattack issue.



In August, the Department of Health and Human Services (HHS) Office for Civil Rights launched an updated version of the HIPAA Breach Reporting Tool (HBRT), a searchable repository of information on recent health information breaches (within the last 24 months) and what actions are being taken to resolve them. The HBRT was originally released in 2009; new features in the updated version include:

• Enhanced functionality that highlights breaches currently under investigation and reported within the last 24 months;
• New archive that includes all older breaches and information about how breaches were resolved;
• Improved navigation to additional breach information; and
• Tips for consumers.


“The HBRT provides healthcare organizations and consumers with the ability to more easily review breaches reported to OCR,” said Roger Severino, director of the Office of Civil Rights (OCR), in a statement. “Furthermore, greater access to timely information strengthens consumer trust and transparency.”

Under the official HIPAA Breach Notification Rule, providers (aka “covered entities”) and “business associates” are only required to provide notification of data breach if the breach involved “unsecured” PHI — information that has not been rendered unusable, unreadable or indecipherable to unauthorized people through the use of a technology or methodology specified by the HHS Secretary in guidance (i.e., encryption and/or destruction). Notifications must be sent to individual patients, via first-class mail or e-mail, no later than 60 days after the discovery of the breach. If the breach affects more than 500 residents within the impacted state/jurisdiction, media notice is required. The HHS Secretary must be notified in the event of any information breach.



Manufacturers are also doing their part to help their radiology customers protect themselves from cyberattacks. “Medical imaging manufacturers and hospital IT departments share the responsibility for technical infrastructure and mechanisms to provide compliance with best-in-class cybersecurity provisions and risk assessment tools,” said Henri “Rik” Primo, director of strategic relations and digital health services for Siemens Healthineers, at AHRA 2017.

One way that manufacturers are participating in cybersecurity efforts is through the Medical Device Innovation, Safety and Security Consortium (MDISS), a nonprofit organization. The mission of MDISS — made up of medical device vendors, healthcare delivery organizations, universities and other industry stakeholders — is to “develop practical technologies, practices and policy solutions for making devices safer and more secure.” In August, the group announced the launch of a new network of medical device security testing labs called WHISTL (World Health Information Security Testing Lab). These facilities, independently owned and operated by MDISS members, will each conduct research and development under their own set of standard operating procedures. It is the first time this type of “proving ground” has been designed around the needs of medical device researchers, healthcare IT professionals and hospital clinical engineering leaders. Researchers will be able to run devices through more rigorous and realistic testing, allowing hidden vulnerabilities to surface more quickly.

Developing best practices should be high priority for device manufacturers, according to Primo, to ensure consistent, high-quality protections on all equipment. Examples include making user interfaces simple so employees are not tempted to create workarounds, and multi-factor authentication for all device users (i.e., requiring presentation of multiple pieces of evidence to validate a user’s identity).

When working with a vendor, Primo told his AHRA audience, the vendor should always pre-test the security of the device prior to installation and may also want to employ whitelisting, which creates a list of entities approved to access the device. Vendors and users will also want to ensure communication protocols are protected, “which is essential when transmitting protected health information,” Primo said.
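One concrete form of the device-access whitelisting Primo describes, shown here as an added example rather than code from the article, Siemens or any vendor: an allowlist check for inbound DICOM associations. It assumes the imaging device is a DICOM node and that approved entities are identified by their calling AE title and the network they connect from; the AE titles, subnets and log format are constructed for illustration.

```python
# Added example (not from the article or any vendor): allowlist check for
# inbound DICOM associations. Assumption: the device is a DICOM node and
# approved peers are identified by calling AE title plus source network.
import ipaddress
from dataclasses import dataclass

MAX_AE_LEN = 16  # DICOM AE titles are at most 16 characters

@dataclass(frozen=True)
class AssociationRequest:
    calling_ae: str  # AE title the remote system presents
    called_ae: str   # AE title it asks for on this device
    peer_ip: str     # source address of the TCP connection

# Constructed allowlist: calling AE title -> networks it may connect from.
ALLOWLIST = {
    "CT_SCANNER_1": ("10.20.1.0/24",),
    "PACS_MAIN": ("10.20.0.10/32", "10.20.0.11/32"),
}
LOCAL_AE = "RAD_WORKSTATION"  # constructed AE title of this device

def is_allowed(req, allowlist=ALLOWLIST, local_ae=LOCAL_AE):
    """Return (accept, reason). Anything not explicitly listed is rejected."""
    for title in (req.calling_ae, req.called_ae):
        if not title or len(title) > MAX_AE_LEN:
            return False, "malformed AE title"
    if req.called_ae != local_ae:
        return False, "called AE title is not this device"
    networks = allowlist.get(req.calling_ae)
    if networks is None:
        return False, "unknown calling AE title"
    try:
        ip = ipaddress.ip_address(req.peer_ip)
    except ValueError:
        return False, "malformed peer address"
    if not any(ip in ipaddress.ip_network(n) for n in networks):
        return False, "known AE title from an unexpected network"
    return True, "ok"

def audit_line(req, accept, reason):
    """One log line per decision so rejected attempts are visible for review."""
    verdict = "ACCEPT" if accept else "REJECT"
    return f"dicom-assoc {verdict} calling={req.calling_ae} called={req.called_ae} peer={req.peer_ip} reason={reason}"

if __name__ == "__main__":
    # Constructed requests: a legitimate scanner, a spoofed AE title, an unknown device.
    for r in (AssociationRequest("CT_SCANNER_1", LOCAL_AE, "10.20.1.55"),
              AssociationRequest("CT_SCANNER_1", LOCAL_AE, "10.99.7.3"),
              AssociationRequest("LAPTOP_X", LOCAL_AE, "10.20.1.60")):
        print(audit_line(r, *is_allowed(r)))
```

A real deployment would enforce this in the PACS or modality's own association configuration and forward the reject lines to the SOC, since a known AE title arriving from the wrong subnet is exactly the spoofing case an allowlist on AE title alone would miss.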

The National Electrical Manufacturers Association (NEMA) offers several guidance documents related to cybersecurity, including PS3.15 of the DICOM standard, which provides specific guidance on security and system management profiles, and the Manufacturer Disclosure Statement for Medical Device Security (MDS2), a form that manufacturers can use as a tool when performing risk assessment for a customer.


Marrying Radiology and IT

While the technical components are an important piece of any cybersecurity strategy, the most important part of any plan is without a doubt the humans, according to Deford. Without sufficient knowledge and training followed by successful execution, best practices, technologies and protocols will provide little protection against malicious entities and individuals.

The single biggest mistake that Deford sees most healthcare organizations make is forgoing transparency between IT and the departments they are helping. In essence, this puts the entire responsibility for cybersecurity in the hands of the IT department. While it is important to call upon their technological expertise, they will not have an inherent understanding of the clinical workflow requirements for radiology (or any other hospital department). From the other side, working with IT will help radiology better select and implement technology and practices that help keep the entire organization safe, according to Deford.

It is also important to involve department or hospital executives, board members and other high-ranking individuals to build the most effective security program. “A good security program is driven into place and monitored from the top of the organization — they are the leaders who can change the organization’s culture and attitude about the importance of cybersecurity,” said Deford.

“Whether we like it or not these days, everything is connected to everything else, so a risk accepted by one person (department) is a risk imposed on everyone else connected to that network,” he added. “By understanding radiology’s clinical requirements, corporate IT departments and CISOs [chief information security officers] can build better security programs to protect the entire organization.” 





1. Era of Change: Today’s Healthcare Consumer. Ambra Health. https://ambrahealth.com/ebook/era-change-todays-healthcare-consumer/. Accessed Oct. 12, 2017.

2. “Radiologist Arrested in Breach Case.” Data Breach Today, Dec. 8, 2014. www.databreachtoday.com. Accessed Oct. 12, 2017.

3. Health Care Cybersecurity Survey. American Health Lawyers Association. www.healthplanalliance.org/Document.asp?DocID=3188. Accessed Oct. 12, 2017.
