Feature | Cybersecurity | May 05, 2017 | By Greg Freiherr

The Rising Danger of Cyber Crime in Healthcare

How radiology can fight back



The radiology landscape is pocked with cyber mines. And it’s getting worse. Legacy imaging systems are connected to picture archiving and communication systems (PACS), which are being linked to electronic medical record (EMR) systems and best of breed IT systems, as hospitals increasingly move to enterprise imaging. These make tempting targets for hackers. And the worsening situation is being caused by the best intentions.

Extending the life of a legacy system to save money is one. Another is patient engagement. Spurred by patient demands for increased access to their data, as well as “Meaningful Use” mandates from the federal government, providers have created a plethora of patient portals. 

“This is where the real vulnerability is,” said Krishna Kurapati at the Healthcare Information and Management Systems Society (HIMSS) 2017 meeting in February. Kurapati, the CEO of QliqSOFT, a provider of secure messaging for doctors and nurses, noted that patient portals typically are tightly integrated with the EMR system. This makes patient portals a prime target for hackers.


Attacks On Imaging

Legacy imaging equipment and outdated medical IT systems are easy targets. Often kept functioning years beyond their expected lifetimes, these systems serve as “pivot points” for cyber criminals. They are weak links by which hackers can get into medical information technology systems.

What makes them weak is their reliance on obsolete operating systems (OS) like Windows NT and XP, which no longer receive security updates. Even attacks with outdated malware like Conficker can succeed.

Conficker, a computer worm that exploits weaknesses in early versions of Microsoft Windows, was first detected in 2008. “It basically disappeared in early 2009, but in healthcare we see it over and over again because of legacy systems,” said Alex Wirth, a healthcare solutions architect for Symantec, who spoke at HIMSS 2017.

Operating systems like NT and XP are no longer being patched for security vulnerabilities. An outdated operating system made a C-arm X-ray system vulnerable, according to a report by TrapX Security, a cybersecurity firm. In this instance, the security company traced the malware to a backdoor in a fluoroscopy workstation running Windows XP. The intent of the attacker was to steal patient data, according to TrapX.

The attack was one of several in the oncology department of a hospital. Each attack targeted medical devices running out-of-date Windows OS. These are “quite vulnerable and have no endpoint detection cyber defense installed,” according to the TrapX report.

In one attack, a hacker gained access to a hospital network through a backdoor in an X-ray system running Windows NT. A different attack was foiled by TrapX, which created a decoy PACS system. The decoy led the attacker to believe the hack had succeeded. TrapX traced the malware to a backdoor in an MRI system running an unpatched OS.


Medjacking for Dollars

Devices vulnerable to such “Medjacking” include PET and CT scanners, as well as infusion pumps, medical lasers, ventilators and dialysis machines. The common denominator is their outdated OS.

Medjackers may be political operatives or disgruntled employees, according to Wirth. But usually they are cyber criminals motivated by money.

Patient records can be sold on the black market for many times the price of a credit card number. And cyber criminals don’t even have to steal patient data. They can hack an information system, encrypt the data, then demand payment to decrypt it. This kind of attack, called ransomware, is growing in popularity.

Ransomware attacks against all industries, not just healthcare, quadrupled from 1,000 per day in 2015 to 4,000 per day in 2016, according to the U.S. Department of Justice. The malware is usually delivered through “spear phishing,” in which an unsuspecting person in the network opens an e-mail from what appears to be — but isn’t — a known person.

Once the data is encrypted, it can’t be decrypted by anyone other than the cyber criminals.

And not all legacy systems are X-ray machines or scanners. Many are holdovers from the last PACS or IT upgrade, according to Jamie Clifton, director of product management at BridgeHead Software. Installers of the more efficient IT systems are either unable or unwilling to bring all the data into the new equipment, Clifton told Imaging Technology News (ITN) in an interview at HIMSS 2017. “Every time you do an EMR migration, you generate a vast number of legacy applications,” Clifton said. “It is a spawning ground.”

The interfaces often become so complicated that, when problems occur, the IT staff has trouble finding the root causes. That can be a nightmare from a cybersecurity perspective. “If you can’t tell what’s going on with your system, you won’t be able to tell if they are being attacked,” he said. 

Healthcare providers should sack these legacy applications as soon as possible, according to Clifton. Yet there is a general sense of apathy working against doing so. “We have too many healthcare organizations not paying attention to this,” he said. 


Enterprise Vulnerabilities

As noted by the FDA in its postmarket cybersecurity guidance, Postmarket Management of Cybersecurity in Medical Devices, “networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats.”

This vulnerability, according to a statement issued early this year by the FDA, “increases as medical devices are increasingly connected to the internet, hospital networks and to other medical devices.”

Attacks against a patient portal might come if a patient accesses medical records while on a public network. In his HIMSS 2017 presentation, Kurapati used the example of a Starbucks patron accessing clinical data. Anyone hacking the public network, regardless of its physical location, could plant malware capable of invading all connected IT systems, he said.

Patient portals are also vulnerable to denial of service attacks during which thousands, even millions of “bots” attack a site. This kind of attack can bring down not just the patient portal, but the EMR and all other connected IT systems. 

In his HIMSS presentation, Joe Carson, senior director of sales engineering at TrapX Security, described the risk as shared among providers and manufacturers: “Healthcare organizations (have to) do their part to prevent attacks from being successful, to mitigate attacks and put controls in place; and device manufacturers have to ensure that they are patching and applying everything they can to mitigate attacks against devices.”

Barrett recommends that providers look for and implement ways to reduce the risk of a successful cyber attack. He also suggests they seek ways to mitigate damage after a breach occurs. At HIMSS 2017, Barrett told ITN that “it is not a matter of if you will ever get hacked, it is a matter of when. And when you do get hacked, it’s how quickly you can recover from the attack.” 

Mitigating the damage means more than just minimizing the monetary cost, he said: “You want to minimize the damage to the practice’s or hospital’s reputation.”

Barrett advocates an audit to identify gaps and vulnerabilities; putting in place policies, procedures and controls to mitigate the damage; and training staff in the use of them, “whether that is through internal or a third-party assisting your organization.” The Electronic Healthcare Network Accreditation Commission (EHNAC) offers such services to vendors who then assist customers, he said.


Overall Risk Rises

The risk of cyber attack is growing with the rising popularity of ransomware. This particularly insidious type of cyber attack encrypts rather than steals patient data. After successfully infecting a system, typically by enticing an employee to click on an e-mail carrying malware, cyber criminals encrypt patient data then demand payment for its decryption.

Standing up to such an attack takes planning, according to Symantec. At HIMSS 2017, the cybersecurity company — through sponsored speakers — advised backing up computers and servers regularly so that replacement data is available; securing mapped network drives with a password and access controls; downloading the latest patches and plug-ins for operating systems to boost security against known malware; and using an e-mail security product to ward off spam e-mails that may contain malicious attachments.

If a computer is infected and its data encrypted, isolate the infected computer and replace the encrypted files with backed up files that are known to be good, Symantec advised. What you should not do — but many do anyway — is pay the ransom.

There is no guarantee the attacker will unlock your computer or decrypt your files, Symantec warned. And you can be sure the money will be used to fund more attacks.

“It is estimated that the bad guys invest 40 percent of the money they make into developing new attack technologies,” said Symantec executive Wirth.


Cloud Dangers 

Driven by the need to collaborate, as well as increase efficiency and lower costs, processing operations and data are moving into the cloud — or, more exactly, to data centers that are accessed over the internet. “People are taking advantage of the fabulous opportunity to collaborate and get their jobs done using cloud applications,” said Deena Thomchick at HIMSS 2017. The problem, according to Thomchick, senior director of cloud security at Symantec, is that “your data is going all over the place.”

Not surprisingly, a big concern is data compromise. But patient data may actually be safer in some clouds than in on-premise archives, said Clifton of BridgeHead Software. Few hospitals perform penetration tests as often as large public cloud providers do, he said.

The hurdle for putting all patient data on the cloud has more to do with efficiency than security. Cloud-based systems are not fast enough, according to Clifton. “The data simply can’t travel across the wire in time,” he said.

This is why the ideal solution may be a hybrid, according to Clifton — an on-premise archive of patient data with a backup copy in the cloud, ready to be used in the event of a denial of service attack or serving as a backup in case of a ransomware attack.


Understanding Risk

Although there is no sure way to protect patient data or medical systems from cyber attack, much can be done to keep attackers at bay or, at least, mitigate the damage they do. In his HIMSS presentation, Wirth recommended five steps to improved security. First, identify assets and risks; second, protect against attack by training staff about cyber risks and installing protective technology; third, monitor assets continuously to detect attacks; fourth, plan a response to mitigate the effects of an attack; and fifth, plan how to recover from an attack. 

When it comes to ransomware, the U.S. Department of Justice recommends training employees to recognize danger so as not to click on e-mails that may be carrying malware. Strong spam filters can stop such phishing attempts, just as outgoing and incoming e-mails can be scanned for executable malware. Firewalls can block access to known malicious IP addresses. Security holes in operating systems, software and firmware can be patched. Drives and servers can be regularly scanned for viruses and malware.
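The article names scanning of incoming e-mail for executable malware as one of the Department of Justice controls but does not show what such a check looks like. As an added example that is not from the article or from any vendor quoted in it, the Python below inspects a constructed inbound message the way a mail gateway might, flagging attachments with executable or double extensions (such as scan.pdf.exe) and attachments whose bytes carry a Windows PE header behind a harmless-looking name. The sender address, file names, extension list and attachment bytes are all constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions a mail gateway would typically quarantine.
# Constructed list for this example; tune it to local policy.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".vbs", ".ps1", ".hta", ".jar",
}
PE_MAGIC = b"MZ"  # first two bytes of every DOS/Windows executable


def suspicious_attachments(raw_message: bytes) -> list[str]:
    """Return reasons an inbound message should be quarantined: an executable
    or double extension ('scan.pdf.exe'), or a PE header behind a benign name."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # every suffix after the first dot, so 'scan.pdf.exe' yields .pdf and .exe
        suffixes = ["." + s for s in name.split(".")[1:]]
        if any(s in EXECUTABLE_EXTENSIONS for s in suffixes):
            reasons.append(f"executable extension: {name}")
        elif payload.startswith(PE_MAGIC):
            reasons.append(f"PE header behind benign name: {name}")
    return reasons


def build_sample(filename: str, content: bytes) -> bytes:
    """Construct a synthetic message resembling a spear-phishing lure (test data only)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"   # constructed look-alike sender
    msg["To"] = "radiologist@example.org"
    msg["Subject"] = "Patient scan attached"
    msg.set_content("Please review the attached report.")
    msg.add_attachment(content, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, blob in [("scan.pdf.exe", b"MZ\x90\x00"),
                        ("report.pdf", b"MZ\x90\x00"),
                        ("report.pdf", b"%PDF-1.4")]:
        print(fname, suspicious_attachments(build_sample(fname, blob)))
```

The magic-byte check catches the common trick of renaming an executable to look like a document; a production gateway would add archive inspection and reputation checks on top of this.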

But planning and preparation to increase cyber safety take time and money, Wirth said. This is why the organization’s leadership has to establish its tolerance for risk. Once established, defenses should be fortified to that level. The trick is to minimize risk and maximize response to an attack, he said.

Now is the time to do so.

“I think healthcare just got into the crosshairs of the bad guys as an opportunity to make money,” Wirth said. “So I believe it is going to get worse before it gets better.”



Greg Freiherr has reported on developments in radiology since 1983. He runs the consulting service, The Freiherr Group.
