Greg Freiherr has reported on developments in radiology since 1983. He runs the consulting service, The Freiherr Group.
2 Reasons Cybersecurity Will Dominate HIT’s Future
Sooner or later, the bad guys are going to figure out that healthcare IT is where it is at — and that imaging has a key to get there.
That key has come from the mushrooming interest in enterprise imaging. It will turn with the coming increase in the cyber-attack surface.
Partly because of enterprise imaging, cybersecurity will dominate the future of healthcare IT. The other reason is the white-hot interest in artificial intelligence (AI), exemplified by the hundreds of AI applications that companies are preparing to introduce to the market in the months and years ahead. Their integration into enterprise imaging networks will dramatically expand the attack surface of healthcare IT.
Enterprise imaging may promise clinicians unprecedented access to data. And AI may provide the means by which radiologists and other physicians can dodge the burnout that would come with data overload. But together, enterprise imaging and AI could be a nightmare for cybersecurity. The third element, the value of patient data, already exists.
Monetary Value of Patient Data
A single patient record is far more valuable than any other data record hackers might grab. Whereas a credit card number may be worth less than a dollar, a medical record could be worth hundreds — or more.
Just in the patient’s medical history, a hacker can get that person’s full legal name and social security number, the address of his or her residence and employer, contact information about that patient’s dearest and most trusted people (medical records usually cite who should be contacted in an emergency), insurer’s name and number, and often bank account information. This information can be divided up and sold individually on the Internet or packaged for sale as “identity kits,” according to the Institute for Critical Infrastructure Technology.
Adding even more value to the nefarious is “protected health information,” such as disease diagnoses, as well as sensitive personal information about which patients might be blackmailed — sexually transmitted diseases, for example, or psychological conditions, according to a story that appeared in Forbes.
We’re lucky that black hatters haven’t yet prioritized their cyber foraging for medical information. Hackers may not widely recognize the extraordinary value of medical records. But our luck is not likely to last.
Healthcare systems are already amazingly easy to hack. And the number of attacks is increasing, as illustrated by cyberattacks reported by Becker’s Hospital Review. The low-hanging fruit that these medical records represent is about to hang even lower.
The Sunset of Legacy PACS
Cybercriminals are among the most technically versed wrongdoers anywhere. They are already well versed in the technical developments in networking and AI. In healthcare IT, developments along these lines are heating up.
At the Healthcare Information and Management Systems Society’s (HIMSS) 2019 conference, it was widely recognized that the sun is setting on legacy technologies. These legacy technologies are exemplified by archives dedicated to data silos, such as those in radiology and cardiology. The sunsetting of these technologies, some installed a decade or more ago, is driving interest in centralized archives and cloud-based computing and storage.
It’s debatable whether cloud storage or on-premise archival is more or less secure. It won’t matter to hackers. Opportunity for cyberattacks will rise with the expansion of both. The operative issue is not the means of storage — or where data are processed — but the expansion of networks, specifically, the growth in the number of nodes on each.
These numbers will blossom as providers seize the opportunity to expand beyond the data silos that have marked the use of dedicated archives, as clinical data comprised of optical and radiological images, pathology reports, vital signs and patient histories (and their synopses) stream across the enterprise.
Understanding what the widening adoption of enterprise imaging means for hackability requires nothing more than recognizing that the networks linking radiologists and their referring physicians will expand markedly. Data sharing and interoperability promise great things for physicians and patients alike.
They could be real steps toward realizing the dream of truly personalized medicine. Treatments based on the genetic and clinical data that exactly characterize individual patients will increase the likelihood that these treatments will help patients. Gone will be the one-size-fits-all approach that has characterized medicine since Louis Pasteur and Robert Koch proved germ theory in the 19th century.
Simultaneously, growing with the interest in enterprise imaging is the prominence of AI. Data sharing and interoperability, along with AI apps, will offer an unprecedented opportunity for hackers.
Expanding Networks Increase the Cyberattack Surface
Imagine expansion of just the networks that today serve radiologists and referring physicians. Imagine these networks branching not just into pathology and the lab — where blood work and genomic data reside — but into general medical practices. Now think about what happens when the physicians in these offices begin getting medical selfies snapped on the cameras built into their patients’ smartphones. Then add the network nodes of specialists to whom these patients will be referred, each requiring those selfies, showing in megabytes of detail everything from abrasions to compound fractures and beyond.
Literally anything that can be photographed will be. And it ain’t going to be pretty — neither the images nor the risk these images pose from hackers.
Not only might the newly opened network nodes present an opportunity for hackers, so might the IP nodes of the patients who send pictures to their physicians. Together they will radically increase the cyberattack surface of healthcare IT.
And there’s more. Consider the impact of adding to these networks the nodes needed to connect AI applications.
While only a few dozen AI algorithms may have been cleared so far by the FDA, this could change very quickly. Rising off-shore from the medical mainstream is a tsunami of AI apps. Hundreds may be in design or testing right now. Some prioritize radiologists’ worklists. Others define and calculate suspicious structures (like pulmonary nodules). And each will require a unique node on a network.
And this covers just the apps in radiology. Remember that the operative word of enterprise imaging is “enterprise.”
How “Ease of Use” May Increase Hackability
Talk to the IT vendors dedicated to building the IT backbones for these networks. You will learn that they are committed to building networks that are easy to use. And how are they going to do it? By constructing standard interfaces, ones based on standards for interoperability, standards that by their very nature are publicly known.
Could hackers ask for more?
The time to do something about cybersecurity is now. And there is plenty that can be done. But no matter what or how much is done, the threat will always be there.
It is the yin to HIT’s yang — the nightmare that accompanies the promise of nirvana.