Feature | Cybersecurity | March 13, 2017 | By Greg Freiherr

WEB EXCLUSIVE: How Radiology Can Fight Cyber Crime

Editor's Note: This is the second in a two-part series on cyber crime and radiology. The first article, “Why Radiology Should be Very Afraid of Cyber Criminals,” defined cyber threats.


Radiology provides some of the easiest targets for cyber criminals. Continued use of outdated imaging systems and a growing interest in enterprise imaging are among the reasons. 

With their easily hacked operating systems, legacy X-ray systems and scanners are particularly vexing. Threats are even coming from "ancient" malware, like the computer worm Conficker, which first appeared in 2008 and waned a year later, only to reappear lately as a threat to legacy systems in healthcare.

And just as the old is new again, the new is presenting challenges. Enterprise imaging is increasing risk, according to Lee Barrett of the Electronic Healthcare Network Accreditation Commission (EHNAC), a non-profit accreditation commission for health IT. The interconnection of IT systems needed to add "ologies," and the linking of those systems to electronic medical record (EMR) systems, means more potential entry points for hackers and access to more data records.

"You have all these various (data) exchange points that are proliferating," said Barrett, EHNAC executive director. "They add vulnerability and gaps for cyber attackers to target. That is what they look for."


Legacy Liabilities

So, what can be done? For starters, the potentially disastrous vulnerabilities of legacy systems have to be resolved. Among the legacy systems are X-ray systems, C-arms, CTs, MRIs and other scanners that are running outdated operating systems (OSs). Patch them or replace them (if not the equipment, then at least the OS), cybersecurity experts agree, before that "too good to throw out" system ends up costing you millions. (Last year the average total cost of a data breach was $4 million, according to the Ponemon Institute.)

Eventually this vulnerability will go away, as new and more secure devices replace the installed, vulnerable systems, noted Joe Carson, senior director of sales engineering at TrapX Security.

"The manufacturers are stepping up and doing a great job of trying to address this," Carson said in a presentation at HIMSS 2017 in Orlando in February. In the meantime, the medical device industry needs to help patch vulnerabilities in the installed base, he said.

The FDA recognized the need to make installed medical equipment secure with the release late last year of a guidance regarding "Postmarket Management of Cybersecurity in Medical Devices." The guidance recommends ways to manage cybersecurity vulnerabilities for marketed and distributed medical devices and encourages manufacturers "to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device."

But not all legacy systems are X-ray machines or scanners. Many are holdovers from the last PACS or IT upgrade, according to Jamie Clifton, director of product management at BridgeHead Software. Installers of the more efficient IT systems are either unable or unwilling to bring all the data into the new equipment, Clifton told ITN in an interview at HIMSS 2017. "Every time you do an EMR migration, you generate a vast number of legacy applications," he said. "It is a spawning ground."

The interfaces often become so complicated that, when problems occur, the IT staff often has trouble finding the root causes. That can be a nightmare from a cybersecurity perspective. "If you can't tell what's going on with your system, you won't be able to tell if they are being attacked," Clifton said.

Healthcare providers should sack these legacy applications as soon as possible, he said. Yet there is a general sense of apathy working against doing so. "We have too many healthcare organizations not paying attention to this," Clifton said.


Enterprise Vulnerabilities

As noted by the FDA in its postmarket cybersecurity guidance, "networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats."

This vulnerability, according to a statement issued early this year by the FDA, "increases as medical devices are increasingly connected to the internet, hospital networks and to other medical devices."

In his HIMSS presentation, Carson described the risk as shared among providers and manufacturers: "Healthcare organizations (have to) do their part to prevent attacks from being successful, to mitigate attacks, and put controls in place; and device manufacturers have to ensure that they are patching and applying everything they can to mitigate attacks against devices."

Barrett recommends that providers not only look for and implement ways to reduce the risk of a successful cyberattack — but ways to mitigate damage after a breach occurs. At HIMSS 2017, Barrett told ITN that "it is not a matter of if you will ever get hacked, it is a matter of when. And when you do get hacked, it's how quickly you can recover from the attack."

Mitigating the damage means more than just minimizing the monetary cost, he said: "You want to minimize the damage to the practice's or hospital's reputation."

Barrett advocates an audit to identify gaps and vulnerabilities; putting policies, procedures, and controls in place to mitigate them; and training staff in their use, "whether that is through internal or a third-party assisting your organization." (EHNAC offers such services to vendors who then assist customers, he said.)


Overall Risk Rises

The risk of cyberattack is growing with the rising popularity of ransomware. This particularly insidious type of cyberattack does not involve the theft of patient data but its encryption. After successfully infecting a system, typically by enticing an employee to click on an email carrying malware, cyber criminals encrypt patient data then demand payment for its decryption.

Standing up to such an attack takes planning, according to Symantec. At HIMSS 2017, the cybersecurity company — through sponsored speakers — advised backing up computers and servers regularly so that replacement data is available; securing mapped network drives with a password and access controls; downloading the latest patches and plug-ins for operating systems to boost security against known malware; and using an email security product to ward off spam emails that may contain malicious attachments.

If a computer is infected and its data encrypted, isolate the infected computer and replace the encrypted files with backed-up files that are known to be good, Symantec advised. What you shouldn't do, but many do anyway, is pay the ransom. There's no guarantee the attacker will unlock your computer or decrypt your files, Symantec warned. And you can be sure the money will be used to fund more attacks.

"It is estimated that the bad guys invest 40 percent of the money they make into developing new attack technologies," said Axel Wirth, a healthcare solutions architect for Symantec.
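Symantec's advice above hinges on knowing that the backed-up files really are good. The following Python script is an added example, not code from the article or from Symantec, showing one way to check that: a SHA-256 manifest recorded when the backup is taken (a hypothetical convention; the manifest must live where the backup host cannot rewrite it, such as offline or write-once storage) and a byte-entropy check that flags files which already looked like ciphertext when they were backed up. The file names, contents and the 7.5 bits-per-byte threshold are constructed for illustration.

```python
"""Verify that restore candidates are the known-good files recorded at backup time.

Added example, not from the original article or from Symantec. Assumes a backup
job that writes a SHA-256 manifest alongside each backup set (hypothetical
convention). A hash mismatch means the file changed after the manifest was
taken; a matching hash with ciphertext-like entropy means the backup itself may
have been taken after the infection.
"""
import hashlib
import math
from collections import Counter


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 to 8.0); ciphertext and random data sit near 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def build_manifest(files):
    """Record hash, size and entropy of each file when the backup is taken.

    Store the result where the backup host cannot rewrite it (offline media or
    write-once storage); otherwise ransomware that reaches the backup share can
    rewrite both the files and the manifest.
    """
    return {name: {"sha256": sha256_hex(blob), "size": len(blob),
                   "entropy": round(shannon_entropy(blob), 3)}
            for name, blob in files.items()}


def verify_restore(manifest, candidates, entropy_limit=7.5):
    """Compare restore candidates against the manifest.

    Returns (ok, problems); problems is a list of (name, reason). entropy_limit
    is an assumed threshold: compressed image data also scores high, so an
    entropy hit is a review flag, while a hash mismatch is definitive.
    """
    problems = []
    for name, expected in manifest.items():
        blob = candidates.get(name)
        if blob is None:
            problems.append((name, "missing from backup set"))
        elif sha256_hex(blob) != expected["sha256"]:
            problems.append((name, "hash differs from manifest (modified after backup)"))
        elif shannon_entropy(blob) > entropy_limit:
            # Hash matches, so this is exactly what was backed up, but the bytes
            # look like ciphertext: the backup may postdate the infection.
            problems.append((name, "content looks encrypted (already encrypted when backed up?)"))
    for name in sorted(set(candidates) - set(manifest)):
        problems.append((name, "not in manifest"))
    return (not problems, problems)


# Constructed sample data: two plain-text files and a byte pattern standing in
# for a ransomware-encrypted file (every byte value equally likely -> entropy 8.0).
CLEAN_FILES = {
    "study_0001/report.txt": b"CT chest without contrast. No acute findings.\n" * 40,
    "study_0001/notes.txt": b"Follow-up in six months.\n" * 20,
}
ENCRYPTED_BLOB = bytes(range(256)) * 16


def demo():
    """Three scenarios: clean restore, file encrypted after backup, backup taken too late."""
    manifest = build_manifest(CLEAN_FILES)
    good = verify_restore(manifest, CLEAN_FILES)

    tampered = dict(CLEAN_FILES)
    tampered["study_0001/report.txt"] = ENCRYPTED_BLOB
    modified_after = verify_restore(manifest, tampered)

    # Backup job ran after the infection, so the manifest records the ciphertext.
    late_manifest = build_manifest(tampered)
    late = verify_restore(late_manifest, tampered)
    return good, modified_after, late


if __name__ == "__main__":
    for label, result in zip(("clean", "modified after backup", "backed up too late"), demo()):
        print(label, result)
```

The hash check is the one that proves a file is the one recorded at backup time; the entropy check exists for the case the article's "known to be good" wording glosses over, where the backup itself was taken after the infection and every copy you have is already encrypted. Keeping several backup generations, not just the latest, is what lets you recover from that case.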


Cloud Dangers

Driven by the need to collaborate, as well as increase efficiency and lower costs, processing operations and data are moving into the cloud, or, more exactly, to data centers that are accessed over the internet. This is raising some security issues. But patient data may actually be safer in some clouds than in on-premises archives, said Clifton of BridgeHead Software. Few hospitals conduct penetration tests as often as large public cloud providers do, he said.

The hurdle for putting all patient data on the cloud has more to do with efficiency than security, according to Clifton. Cloud-based systems aren't fast enough. "The data simply can't travel across the wire in time," he said. 

This is why the ideal solution may be a hybrid, according to Clifton: an on-premises archive of patient data with a backup copy in the cloud, ready to be used if the local archive is taken down by a denial-of-service attack or to serve as a restore source after a ransomware attack.


Understanding Risk

Although there is no sure way to protect patient data or medical systems from cyberattack, much can be done to keep attackers at bay or, at least, mitigate the damage they do. In his HIMSS presentation, Wirth recommended five steps to improved security. First, identify assets and risks; second, protect against attack by training staff about cyber risks and installing protective technology; third, monitor assets continuously to detect attacks; fourth, plan a response to mitigate the effects of an attack; and fifth, plan how to recover from an attack.

When it comes to ransomware, the U.S. Department of Justice recommends training employees to recognize danger so they do not click on emails that may be carrying malware. Strong spam filters can stop such phishing attempts, just as outgoing and incoming emails can be scanned for executable malware. Firewalls can block access to known malicious IP addresses. Security holes in operating systems, software and firmware can be patched. Drives and servers can be regularly scanned for viruses and malware.
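The recommendation to scan email for executable malware is only as good as the check behind it: an extension denylist misses a renamed executable, and a macro-enabled Office document is not an ".exe" at all. The Python below is an added example, not code from the article or from the Department of Justice, that classifies an attachment by its content: it looks for executable file signatures, applies a short risky-extension list, and, inside ZIP-based containers such as Office documents, looks for VBA macro storage, password-protected members and executable members. The signature list, the extension list and all sample attachments are constructed for illustration.

```python
"""Classify email attachments by content rather than by file name.

Added example, not from the original article or the DOJ guidance. The magic
signatures and the extension denylist below are a constructed, illustrative
subset; a production gateway would carry a much longer list.
"""
import io
import zipfile

# Content signatures checked before any extension is trusted. "MZ" also matches
# .dll/.scr/.cpl files, which is the point: the name is attacker-controlled.
EXECUTABLE_MAGIC = (
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"\xcf\xfa\xed\xfe", "mach-o-executable"),
    (b"\xfe\xed\xfa\xce", "mach-o-executable"),
    (b"#!", "script-with-shebang"),
)
# Extensions that a desktop will execute on double-click (constructed subset).
RISKY_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                    "vbs", "vbe", "wsf", "hta", "jar", "ps1", "lnk"}


def _magic_kind(data):
    for magic, kind in EXECUTABLE_MAGIC:
        if data.startswith(magic):
            return kind
    return None


def _extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def classify_attachment(filename, data):
    """Return (verdict, reason); verdict is 'allow', 'quarantine' or 'block'."""
    kind = _magic_kind(data)
    if kind:
        return "block", f"{kind} content in '{filename}'"
    ext = _extension(filename)
    if ext in RISKY_EXTENSIONS:
        return "block", f"risky extension '.{ext}' on '{filename}'"
    if data.startswith(b"PK\x03\x04"):
        # ZIP container: Office OOXML (.docx/.docm/.xlsm), JAR or a plain archive.
        return _inspect_zip(filename, data)
    return "allow", f"no executable content detected in '{filename}'"


def _inspect_zip(filename, data):
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "quarantine", f"'{filename}' starts like a zip but cannot be parsed"
    with zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if info.flag_bits & 0x1:
                # Password-protected archives defeat content scanning; a classic
                # phishing trick is to put the password in the email body.
                return "quarantine", f"password-protected member '{info.filename}' in '{filename}'"
            if name.endswith("vbaproject.bin"):
                return "quarantine", f"'{filename}' is an Office document with VBA macros"
            if _extension(name) in RISKY_EXTENSIONS:
                return "block", f"risky member '{info.filename}' inside '{filename}'"
            if info.file_size:
                with zf.open(info) as member:
                    head = member.read(4)  # only 4 bytes, so a zip bomb cannot exhaust memory
                if _magic_kind(head):
                    return "block", f"executable member '{info.filename}' inside '{filename}'"
    return "allow", f"archive '{filename}' contains no executable members"


def _zip_bytes(members):
    """Build an in-memory zip from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed sample attachments (not real files; headers only).
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n% constructed sample, not a real report\n",
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,            # double extension plus PE header
    "scan_results.docm": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                                     "word/document.xml": b"<w:document/>",
                                     "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "images.zip": _zip_bytes({"readme.txt": b"constructed",
                              "viewer.dat": b"MZ" + b"\x00" * 62}),  # renamed executable inside
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}


def scan_samples():
    return {name: classify_attachment(name, blob)[0] for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify_attachment(name, blob))
```

Two design points matter here. The magic-byte check runs before the extension check, so "invoice.pdf.exe" and a PE renamed to "notes.txt" are both caught by content; and inside archives only the first four bytes of each member are read, because an attacker who controls the archive also controls how large its members decompress to.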

But planning and preparation to increase cyber safety take time and money, Wirth said. This is why the organization's leadership has to establish its tolerance for risk. Once established, defenses should be fortified to that level. The trick is to minimize risk and maximize response to an attack, he said.

Now is the time to do so.

"I think healthcare just got into the crosshairs of the bad guys as an opportunity to make money," Wirth said. "So I believe it is going to get worse before it gets better."

Greg Freiherr has reported on developments in radiology since 1983. He runs the consulting service, The Freiherr Group.
