Feature | Information Technology | March 06, 2017 | By Greg Freiherr

WEB EXCLUSIVE: Why Radiology Should Be Very Afraid Of Cyber Criminals

Editor's Note: This is the first in a two-part series on cybercrime. The second will focus on how radiology can protect itself and its patients.

cybersecurity

Healthcare is an appealing target for cybercriminals. Last year cyberattacks led to the loss of 13 million patient records, according to Symantec Corp., a company focused on addressing cyberthreats. Last August Banner Health alone, with its 23 hospitals and specialized facilities across seven states, reported a data breach affecting 3.7 million patients and staff. The attack is believed to have occurred in June. It was discovered a month later, long after the data was gone.

Banner responded quicker than most.  On average, it takes 229 days to find a breach and 82 to contain it, according to the Ponemon Institute, a cybersecurity research company. Attackers are typically in and out in less than an hour.

 

Attacks On Imaging

Legacy imaging equipment and outdated medical IT systems are easy targets. These systems serve as "pivot points" forcyber criminals, weak links by which hackers can get into medical information technology systems.

What makes them weak is their reliance on obsolete operating systems like Windows NT and XP, which do not have up-to-date security. Even attacks with outdated malware like Conficker can succeed.

Conficker, a computer worm that exploits weaknesses in early versions of Microsoft Windows, was first detected in 2008. "It basically disappeared in early 2009, but in healthcare we see it over and over again because of legacy systems," said Alex Wirth, a healthcare solutions architect for Symantec, who spoke last month at the HIMSS 2017 annual meeting in Orlando.

The reason is that outdated operating systems like NT and XP are no longer being patched for security vulnerabilities. An outdated operating system made a C-arm X-ray system vulnerable, according to a report by TrapX Security, a cybersecurity firm. In this instance, the security company traced the malware to a backdoor in a fluoroscopy workstation running Windows XP. The intent of the attacker was to steal patient data, according to TrapX.

The attack was one of several in the oncology department of a hospital. Each attack targeted medical devices running out-of-date Windows operating systems. These are "quite vulnerable and have no endpoint detection cyber defense installed," according to the TrapX report.

In one attack, a hackster gained access to a hospital network through a backdoor in an X-ray system running Windows NT. A different attack was foiled by TrapX, which created a decoy picture archiving and communication system (PACS). The decoy led the attacker to believe the hack had succeeded. TrapX traced the malware to a backdoor in a magnetic resonance imaging (MRI) system running an unpatched operating system.

 

Medjacking for Dollars

Devices vulnerable to such "Medjacking" include positron emission therapy (PET) and computed tomography (CT) scanners, as well as infusion pumps, medical lasers, ventilators and dialysis machines. The common denominator is their outdated operating systems.

Medjackers may be political operatives or disgruntled employees, according to Wirth. But usually they are cybercriminals motivated by money.

Patient records can be sold on the black market for many times that of a credit card number. And cyber criminals don't even have to steal patient data.  They can hack an information system, encrypt the data, then demand payment to decrypt it. This kind of attack, called ransomware, is growing in popularity. 

Ransomware attacks against all industries, not just healthcare. It rose from 1,000 per day in 2015 to 4,000 per day in 2016, according to the U.S. Department of Justice. The malware is usually delivered through "spear phishing," in which an unsuspecting person in the network opens an email from what appears to be — but isn't — a known person.

Once the data is encrypted, it can't be fixed by anyone other than the cybercriminals.

 

Good Intentions, Bad Security

Noble intentions can be the root of vulnerabilities. Extending the life of a legacy system to save money is one. Another is patient engagement. Spurred by patient demands for increased access to their data, as well as "meaningful use" mandates from the Federal government, providers have created a plethora of patient portals.

"This is where the real vulnerability is," said Krishna Kurapati at HIMSS 2017. The CEO of QliqSOFT, a provider of secure messaging for doctors and nurses, noted that these portals typically are tightly integrated with the electronic medical record (EMR) system.  This makes patient portals a prime target for hackers.

Attacks might come if a patient accesses medical records while on a public network. Kurapati used the example of a Starbucks patron accessing his data. Patient portals are also vulnerable to denial of service attacks during which thousands, even millions of "bots" attack a site. This kind of attack can bring down not just the patient portal but the EMR and other connected IT systems.

 

The Cloud — A Soft Target

Vulnerability to cyberattack is taking on a new dimension, as providers move patient data into the cloud. "People are taking advantage of the fabulous opportunity to collaborate and get their jobs done using cloud applications," said Deena Thomchick at HIMSS 2017. The problem, according to the senior director of cloud security at Symantec, is that "your data is going all over the place."

A top concern, not surprisingly, is data compromise. Nevertheless, Gartner, a research and advisory firm specializing in IT, reported that the cloud is being viewed less as a threat to enterprise IT and more as  an extension.  While concerns about security and compliance continue regarding the cloud, security is becoming less of one.

The bottom line is that nothing — not the cloud, on-premise, or hybrid systems — can be 100 percent safe. At HIMSS 2017, Symantec's Wirth said healthcare is being asked by administrators to "secure the unsecurable" — and to do so with minimal funding, limited staffing and often little management support. And the outlook is not good.

But there are plenty of ways to reduce risk — simple, practical and pragmatic ones that can go a long way toward combating cybercrime.

Greg Freiherr has reported on developments in radiology since 1983. He runs the consulting service, The Freiherr Group.

Editor’s note: The second of this two-part series on cybersecurity describes how patient data and medical systems can be protected. "How Radiology Can Fight Cyber Crime," can be found here.

Related Content

RamSoft Partners With Gamel to Enhance Patient Care in Peruvian Market
News | PACS | June 23, 2017
RamSoft announced a new partnership with Peru-based medical imaging equipment provider, Gamel. With RamSoft’s...
Sponsored Content | Videos | Enterprise Imaging | June 21, 2017
Konica Minolta takes a top-down approach to looking at an entire facility and removing the departmental approach....
Sponsored Content | Videos | Information Technology | June 20, 2017
Alex Towbin, M.D., Neil D. Johnson Chair of Radiology Informatics at Cincinnati Children's Hospital, discusses the...
Fujifilm Exhibits Suite of Enterprise Imaging Solutions at SIIM 2017
News | Enterprise Imaging | June 19, 2017
Fujifilm Medical Systems U.S.A. Inc. presented its comprehensive Synapse Enterprise Imaging portfolio at the 2017...
News | Information Technology | June 16, 2017
RamSoft announced its distribution partnership with KenQuest Medical. With RamSoft’s PowerServer and Gateway solutions...
Stéphane Bordas, Professor in Computational Mechanics at the Faculty of Science, Technology and Communication of the University of Luxembourg, and his team have developed methods to train surgeons, help them rehearse for such complex operations and guide them during surgery

Stéphane Bordas, Professor in Computational Mechanics at the Faculty of Science, Technology and Communication of the University of Luxembourg, and his team have developed methods to train surgeons, help them rehearse for such complex operations and guide them during surgery. Image © Legato Team / University of Luxembourg.

News | Information Technology | June 16, 2017
Researchers from the University of Luxembourg, in cooperation with the University of Strasbourg, have developed a...
electronic medical records
News | Electronic Medical Records (EMR) | June 15, 2017
During the first quarter of 2017, Black Book surveyed 140 chief information officers (CIOs), 159 chief financial...
advanced visualization
News | Molecular Imaging | June 09, 2017
The Food and Drug Administration (FDA) has cleared syngo.via VB20 for Molecular Imaging (MI) from Siemens Healthineers...
Radiologists at Makati Medical Center in Makati, Philippines, use Novarad software to read studies

Radiologists at Makati Medical Center in Makati, Philippines, use Novarad software to read studies. 

News | PACS | June 08, 2017
Novarad Corporation has renewed a PACS contract and entered into agreement for three additional products with major...
One of the key components of managing an image archive system is determining rules for how long to retain studies before they are purged from the system.

One of the key components of managing an image archive system is determining rules for how long to retain studies before they are purged from the system. Image courtesy of Philips Healthcare

Feature | Enterprise Imaging | June 07, 2017 | By Jef Williams
Much has been documented about the role of enterprise imaging as part of the larger effort to integrate a single...
Overlay Init