Greg Freiherr, Industry Consultant

Greg Freiherr has reported on developments in radiology since 1983. He runs the consulting service, The Freiherr Group.

Blog | Greg Freiherr, Industry Consultant | Cybersecurity | July 27, 2016

Protecting Patients From Hackers


The Internet of Things (IoT) has carved an inroad for hackers to just about everything electronic, from e-mail servers to automobiles and Internet-connected kitchen refrigerators. Imaging equipment is just a segment of that unsafe world — but a remarkably vulnerable one.

Hackers are targeting networked imaging devices, particularly those using outdated operating systems, such as Windows XP, unpatched versions of Windows 7 and 8, and Windows NT. Three cases illustrate these vulnerabilities: one involving a fluoroscopy system, the second an MRI scanner, and the third an X-ray system. All served as backdoors for the entry of malware designed to gain access to patient data. In each case, the attack was thwarted by software that trapped and contained the malware.

Cyber attacks in all three hospitals focused on vulnerable medical devices, which were attacked even though the hospitals had intrusion detection software and elaborate firewalls.

 

What Hackers Want

The goal behind cyber attacks typically is the acquisition of patient data, which — because of its potential for insurance fraud — has a value 20 times that of credit cards on the black market, according to TrapX Security, whose software stopped the malware in the three documented instances.

Hackers have already determined, said TrapX, that the vulnerabilities posed by networked medical devices “are so extreme as to make healthcare the easiest choice for their attack.”

And hackers are taking advantage of it. According to a 2015 report by the Identity Theft Resource Center, cyber breaches at healthcare institutions represented about one third of reported incidents nationwide.

“Connected medical devices, applications and software used by healthcare organizations … are fast becoming targets of choice for nefarious hackers taking advantage of the IoT to carry out all manner of illicit transactions, data thefts and attacks,” according to a SANS Institute whitepaper. And radiology may be a substantial source of the problem. Over a 12-month period, spanning 2012 and 2013, the company, which specializes in information security and cyber security training, found that 7 percent of “malicious traffic” came from radiology imaging software.

 

Medjacking

The use of malware to hijack medical equipment, dubbed “medjacking,” directly threatens hospital operations and the security of patient data, according to TrapX. Hackers focus on networked medical devices because they are the easiest and most vulnerable points of entry into a hospital information system, according to Moshe Ben Simon, cofounder and VP of TrapX Security. Their attacks, Simon wrote, are designed “to rapidly penetrate devices, establish command-and-control, and then use these as pivot points to hijack and ‘exfiltrate’ data from across the healthcare institution.”

At RSNA 2015, the Medical Imaging and Technology Alliance (MITA), a division of the National Electrical Manufacturers Association, drew attention to the danger that radiology faces from cyber attack, distributing a MITA whitepaper on the subject. The chair of the committee that generated the whitepaper, Rik Primo, said in a prepared statement that the solution requires a collaboration of people, processes, and technologies “to safeguard the patients’ protected health information and their physical safety.”

 

Threat From Mobile Devices

The chance that hackers will gain access has increased with the use of mobile devices, particularly by radiologists who use laptops, tablets and even cell phones to interpret images. A 2013 paper in the American Journal of Roentgenology encouraged radiologists to be careful where and how they connect these devices to healthcare networks. “As the role of information technology and modern radiology practice becomes more critical, safety mechanisms must be addressed when viewing studies on any mobile device,” the authors wrote.

Meanwhile, the users of medical imaging equipment should test their devices for vulnerabilities using “threat” models, according to the MITA whitepaper: “A device can be considered secure if it defends against unintended or unauthorized operation with respect to its intended environment and its intended use — as specified by its manufacturer.”

Cyber security in medical imaging is a shared responsibility between healthcare providers and manufacturers, according to the paper: “Imaging staff must be aware of cyber security threats and best-in-class practices.”

The ultimate goal is “zero-breach cyber security.”

While that goal may prove elusive, efforts to reach it will surely help.

 

Editor's note: This is the final blog in a four-part series on patient centricity. The first blog, “Value Medicine: Radiology’s Big Chance,” can be found here. “What To Do About The Draper Effect” can be found here. “The Case Against Quantitation” can be found here.
