Radiology provides some of the easiest targets for cyber criminals. Continued use of outdated imaging systems and a growing interest in enterprise imaging are among the reasons.
With their easily hacked operating systems, legacy X-ray systems and scanners are particularly vexing. Threats are even coming from "ancient" malware, like the computer worm Conficker, which first appeared in 2008 and waned a year later, only to reappear lately as a threat to legacy systems in healthcare.
And just as the old is new again, the new is presenting challenges. Enterprise imaging is increasing risk, according to Lee Barrett of the Electronic Healthcare Network Accreditation Commission (EHNAC), a non-profit accreditation commission for health IT. The interconnection of IT systems necessary to add "ologies" and linking them to electronic medical record (EMR) systems mean more potential entry points for hackers and access to more data records.
"You have all these various (data) exchange points that are proliferating," said Barrett, EHNAC executive director. "They add vulnerability and gaps for cyber attackers to target. That is what they look for."
So, what can be done? For starters, the potentially disastrous vulnerabilities of legacy systems have to be resolved. Among the legacy systems are X-ray systems, C-arms, CTs, MRI and other scams scanners that are running outdated operating systems (OSs). Patch them or replace them — if not the equipment, the OSs, cybersecurity gurus agree, before that "too good to throw out" system ends up costing you millions. (Last year the average total cost of a data breach was $4 million, according to the Ponemon Institute.)
Eventually this vulnerability will go away. New — and more secure devices — will replace installed and vulnerable systems, noted Joe Carson, senior director of sales engineering at TrapX Security.
"The manufacturers are stepping up and doing a great job of trying to address this," Carson said in a presentation at HIMSS 2017 in Orlando in February. In the meantime, the medical device industry needs to help patch vulnerabilities in the installed base, he said.
The FDA recognized the need to make installed medical equipment secure with the release late last year of a guidance regarding "Postmarket Management of Cybersecurity in Medical Devices." The guidance recommends ways to manage cybersecurity vulnerabilities for marketed and distributed medical devices and encourages manufacturers "to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device."
But not all legacy systems are X-ray machines or scanners. Many are holdovers from the last PACS or IT upgrade, according to Jamie Clifton, director of product management at BridgeHead Software. Installers of the more efficient IT systems are either unable or unwilling to bring all the data into the new equipment, Clifton told ITN in an interview at HIMSS 2017. "Every time you do an EMR migration, you generate a vast number of legacy applications," he said. "It is a spawning ground."
The interfaces often become so complicated that, when problems occur, the IT staff often has trouble finding the root causes. That can be a nightmare from a cybersecurity perspective. "If you can't tell what's going on with your system, you won't be able to tell if they are being attacked," Clifton said.
Healthcare providers should sack these legacy applications as soon as possible, he said. Yet there is a general sense of apathy working against doing so. "We have too many healthcare organizations not paying attention to this," Clifton said.
As noted by the FDA in its postmarket cybersecurity guidance, "networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats."
This vulnerability, according to a statement issued early this year by the FDA, "increases as medical devices are increasingly connected to the internet, hospital networks and to other medical devices."
In his HIMSS presentation, Carson described the risk as shared among providers and manufacturers: "Healthcare organizations (have to) do their part to prevent attacks from being successful, to mitigate attacks, and put controls in place; and device manufacturers have to ensure that they are patching and applying everything they can to mitigate attacks against devices."
Barrett recommends that providers not only look for and implement ways to reduce the risk of a successful cyberattack — but ways to mitigate damage after a breach occurs. At HIMSS 2017, Barrett told ITN that "it is not a matter of if you will ever get hacked, it is a matter of when. And when you do get hacked, it's how quickly you can recover from the attack."
Mitigating the damage means more than just minimizing the monetary cost, he said: "You want to minimize the damage to the practice's or hospitals reputation."
Barrett advocates an audit to identify gaps and vulnerabilities; putting policies, procedures, and controls in place to mitigate them; and training staff in their use, "whether that is through internal or a third-party assisting your organization." (EHNAC offers such services to vendors who then assist customers, he said.)
Overall Risk Rises
The risk of cyberattack is growing with the rising popularity of ransomware. This particularly insidious type of cyberattack does not involve the theft of patient data but its encryption. After successfully infecting a system, typically by enticing an employee to click on an email carrying malware, cyber criminals encrypt patient data then demand payment for its decryption.
Standing up to such an attack takes planning, according to Symantec. At HIMSS 2017, the cybersecurity company — through sponsored speakers — advised backing up computers and servers regularly so that replacement data is available; securing mapped network drives with a password and access controls; downloading the latest patches and plug-ins for operating systems to boost security against known malware; and using an email security product to ward off spam emails that may contain malicious attachments.
If a computer is infected and its data encrypted, isolate the infected computer and replace the encrypted files with backed up files that are known to be good, Symantec advised. What you shouldn't do — but many do anyway — is pay the ransom. There's no guarantee the attacker will unlock your computer or decrypt your files, Symantec warned. And you can be sure the money will be used to fund more attacks.
"It is estimated that the bad guys invest 40 percent of the money they make into developing new attack technologies," said Axel Wirth, a healthcare solutions architect for Symantec.
Driven by the need to collaborate, as well as increase efficiency and lower costs, processing operations and data are moving into the cloud — or, more exactly, to data centers that are accessed over the internet. This is raising some security issues. But patient data may actually be safer in some clouds than in on-premise archives, said Clifton of BridgeHead Software. Few hospitals conduct penetration tests as often as large public cloud providers do, he said.
The hurdle for putting all patient data on the cloud has more to do with efficiency than security, according to Clifton. Cloud-based systems aren't fast enough. "The data simply can't travel across the wire in time," he said.
This is why the ideal solution may be a hybrid, according to Clifton — an on-premise archive of patient data with a back-up copy in the cloud, ready to be used in the event of a denial of service attack or serving as a backup in case of a ransomware attack.
Although there is no sure way to protect patient data or medical systems from cyberattack, much can be done to keep attackers at bay or, at least, mitigate the damage they do. In his HIMSS presentation, Wirth recommended five steps to improved security. First, identify assets and risks; second, protect against attack by training staff about cyber risks and installing protective technology; third, monitor assets continuously to detect attacks; fourth, plan a response to mitigate the effects of an attack; and fifth, plan how to recover from an attack.
When it comes to ransomware, the U.S. Department of Justice recommends training employees to recognize danger so as not to click on e-mails that may be carrying malware. Strong spam filters can stop such phishing attempts, just as outgoing and incoming emails can be scanned for executable malware. Firewalls can block access to known malicious IP addresses. Security holes in operating systems, software and firmware can be patched. Drives and servers can be regularly scanned for viruses and malware.
But planning and preparation to increase cyber safety take time and money, Wirth said. This is why the organization's leadership has to establish its tolerance for risk. Once established, defenses should be fortified to that level. The trick is to minimize risk and maximize response to an attack, he said.
Now is the time to do so.
"I think healthcare just got into the crosshairs of the bad guys as an opportunity to make money," Wirth said. "So I believe it is going to get worse before it gets better."
Greg Freiherr has reported on developments in radiology since 1983. He runs the consulting service, The Freiherr Group.