Greg Freiherr, Industry Consultant
Greg Freiherr, Industry Consultant

Greg Freiherr has reported on developments in radiology since 1983. He runs the consulting service, The Freiherr Group.

Blog | Greg Freiherr, Industry Consultant | Enterprise Imaging| May 17, 2017

Agents of Change: Cybersecurity In A World Of Old And New

cybersecurity

Mobile devices and standards that support interoperability stand out in the shadowy world of cyber intrusions. They allow access to patient files, the making of information requests, the placing of exam orders from anywhere at any time. Those devices may be smartphones or tablets — each with varying levels of security.

With increasing interoperability, data from multiple systems will be viewed simultaneously on a single screen — prior images beside those from exams just completed, displayed in windows beside ones with path reports, vital signs and demographics pulled from patient histories.

In an efficiently constructed and maintained enterprise imaging system, this stream of information will give radiologists and clinicians an unprecedented edge in making better decisions. For those in charge of cybersecurity, it could be a nightmare.

The more nodes in a network, the more opportunities for hackers to break in. And user-owned mobile devices — the so-called bring your own devices (BYODs) — will further increase the risk by reducing the medical institution's control.

 

HIPAA Requirements

Regulation promises some protection. To stay on the right side of the Health Insurance Portability and Accountability Act (HIPAA), medical images must be transferred securely and accessed only by authenticated users. (Notably, secure transfer and user authentication is up to the provider.) Tablet applications for radiology, including ones used on the iPad, often use the secure socket layer (SSL) protocol or virtual private networks that lessen risk of hacking when transferring and accessing images. To eliminate the risk that patient data might be lost if tablets are misplaced or stolen, images are accessed only from the server through login-based interfaces and image display typically stops after a preset time.

Adding BYOD mobile devices increases the risk of cyberintrusion. Because they own the device, users may add whatever software they (or their families) like, just as they may access entertainment sites that may harbor malware or viruses. BYOD mobile devices that transmit or store patient data in ways that are not HIPAA compliant give medical providers the biggest headaches, as lost or stolen devices can be hacked for the information they possess.

These problems can be addressed through a strict BYOD policy, one that details the apps and links not permitted on a BYOD; keeps security software updated; requires the use of a strong password; encrypts devices, while detailing how data can be wiped from lost or stolen devices; periodically audits devices for policy compliance; requires multifactor authentication to access patient data; and describes training for users on cybersecurity practices.

In short, HIPAA requirements applied to conventional means for accessing patient data should (must) be applied to BYODs.

 

FDA Steps In

But there is plenty to worry about in regard to traditional equipment, as well. Last year, the Food and Drug Administration (FDA) issued recommendations for industry (and agency staff) about how to manage some of these risks. The "nonbinding" guidance, which the agency says represents its "current thinking," notes that the software in networked medical devices may be vulnerable to hackers and, therefore, "typically requires continual maintenance throughout the product life cycle." That is good advice, especially for radiology.

Aging medical equipment — X-ray, CT, MRI and PET systems well past their prime, for example — make tempting targets for hackers. The operating systems onboard this equipment often is no longer supported by their makers, for example, Windows NT and XP.

The theft of patient-specific insurance data or personal data such as a Social Security numbers represent one opportunity for hackers. Another is ransomware, so named because it encrypts data that can only be decrypted by the cybercriminal, who typically requires the victim to pay a ransom to do so.

Of greatest concern to the FDA are malware and viruses that might physically harm patients. An infected implantable defibrillator or pacemaker might be reprogrammed by a hacker in ways that could cause injury or death, according to the FDA's guidance "Postmarket Management of Cybersecurity in Medical Devices." Of lesser consequence, but still a threat, is malware that causes a medical device to spit out incorrect data.

Alternatively, malware might collect Internet browsing information. Although patient harm may be limited, the FDA still suggests that the product be patched or updated to reduce or eliminate the threat.

And this threat is already frightening. Last year cybercriminals made off with data from 13 million patient records, according to Symantec Corp. Banner Health alone reported a data breach affecting 3.7 million patients and staff.

Effective cybersecurity is possible, but providers and manufacturers must be cautious. The need for vigilance will increase as interoperability standards raise the number of devices on a network and the BYOD trend gathers steam among medical practitioners.

Editor’s note: This is the third blog in four-part series on Agents of Change. The first blog, “iPads On Track To Be Radiologists' BYOD of Choice,” can be found here. The second blog, “Agents of Change: Interoperability Standards Offer Carrot Over Stick” can be found here.

Related Content

Intelerad Launches Nuage Patient Portal
Technology | Patient Engagement | October 15, 2018
Intelerad Medical Systems announced the launch of nuage Patient Portal, a cloud-based patient portal solution. The zero...
Enterprise imaging has been a hot topic in radiology and healthcare information technology (IT) circles for the last several years as medical image acquisition has moved beyond the exclusive purview of radiology.
Feature | Enterprise Imaging | October 03, 2018 | By Jeff Zagoudis
Enterprise imaging has been a hot topic in radiology and healthcare information technology (IT) circles for the last...
Intelerad Medical Systems Appoints New President and CEO
News | Enterprise Imaging | September 25, 2018
September 25, 2018 — Intelerad Medical Systems announced that following the retirement of Randall Oka, its board of d
Laurel Bridge Enables Healthcare Providers to Manage Image Archive Migrations and Consolidations
News | Enterprise Imaging | September 25, 2018
September 25, 2018 — Laurel Bridge Software announced improvements to their Exodus Migration and Consolidation Contro
DocPanel is a community of US-based academic level subspecialty radiologists
News | Enterprise Imaging | September 12, 2018
Client Outlook, a leading provider of FDA Class II enterprise diagnostic and clinical image viewing solutions,...
Novarad No. 1 in Customer Satisfaction on Gartner Peer Insights VNA Category
News | Vendor Neutral Archive (VNA) | September 04, 2018
Novarad Healthcare Enterprise Imaging has taken the highest rated spot on Gartner’s Peer Insights technology review...
LifeImage LITE Application Expands Image Sharing Network to 1,500 Connected Hospitals
News | Enterprise Imaging | September 04, 2018
September 4, 2018 — LifeImage announced that its recently launched application, LITE, has helped to dramatically incr
Greenville Health System Adopts Agfa HealthCare Enterprise Imaging System
News | Enterprise Imaging | August 31, 2018
Agfa HealthCare and Greenville Health System (GHS), South Carolina, announced the successful implementation of a...
Australian Pediatric Healthcare Network Adopts ResolutionMD Viewer
News | Remote Viewing Systems | August 31, 2018
August 30, 2018 — New South Wales, Australia’s Newborn and...
Visage Signs Mercy for Visage 7 Open Archive
News | Enterprise Imaging | August 09, 2018
Visage Imaging Inc. announced that it has signed a seven-year contract with Mercy, the fifth largest Catholic health...