Cybersecurity Increasingly Critical for Medical Imaging

The expansion of digital CT scans, MRIs and ultrasound has increased the need to secure the integrity of these images, which often contain sensitive protected health information (PHI) and can be used for Medicare fraud, identity theft and other illegal activity.

“In radiology, a denial exists that imaging devices are not in need of security,” said J. Anthony Seibert, Ph.D., professor and associate chair of informatics in the Department of Radiology at the University of California Davis Health System, Sacramento. “That mindset needs to be overcome.” Although many clinics and medical centers have effective cybersecurity programs, many others have not acknowledged the seriousness of the threat to PHI.

More than 111 million health information security incidents in 2015 were attributed to hacking, up from just 1.8 million in 2014, according to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights report. Although only five breaches accounted for 97 percent of those incidents, any security breach can cause serious repercussions.

“You don’t want to be the data center in the news for being hacked,” said Rik Primo, chair of the Medical Imaging & Technology Alliance (MITA) Cybersecurity Taskforce. MITA, a division of the National Electrical Manufacturers Association (NEMA), released the NEMA/ MITA 2015 “Cybersecurity for Medical Imaging” white paper at RSNA 2015, which offers numerous related resources.

Security breaches occur when hackers conduct reconnaissance on a network by looking for the Internet Protocol (IP) address of medical equipment that appears to be vulnerable. Once hackers exploit a vulnerable medical device, they can leverage that device as a “jumping off” point to access the rest of the facility’s network.

In the process, the hacker could accidentally, or deliberately, cause the medical device to malfunction. While no life-threatening scenario like this has ever been documented, it is theoretically possible, if adequate cybersecurity counter measures are not in place, Primo said.

Cybersecurity Should be Part of Workplace Culture

Because of hacking threats, radiologists operating equipment linked to a computer network should help their healthcare organization’s management integrate cybersecurity into the workplace culture, Primo said. He describes an optimal cybersecurity program as one that creates an “ecosystem of shared awareness and responsibility” among medical device manufacturers, IT departments and radiologists.

Medical device manufacturers play their role by instituting security by design, which integrates security measures into the medical device from its inception. This practice makes it harder for hackers to compromise a system.

To guide healthcare providers, and especially imaging departments through the security process, the Healthcare Information and Management Systems Society (HIMSS) and NEMA jointly published a document, “Manufacturer Disclosure Statement for Medical Device Security,” or MDS2. The document standardizes the information that radiologists should expect of device manufacturers to explain the security features and vulnerabilities of imaging equipment when they are implementing the highly recommendable IEC/ISO 80001-1 Cybersecurity Risk Management Process Standard in their departments.

The best-designed system, however, can be subverted by users who are not really aware of cybersecurity threats, Primo said. He has been shocked to hear of laptops stolen from medical offices with PHI stored on the laptop’s non-encrypted hard drive.

Dr. Seibert said radiologists get frustrated with security software when it slows down the network. “Some of the things we do to prevent threats also prevent us from getting instantaneous access to all the images we use to optimize patient care,” Dr. Seibert said. The best security systems are seamless to the users, because when security systems start to harm performance or become onerous to the users, the users find ways to circumvent security protocols, which usually create an opening for hackers.

But Dr. Seibert believes this seamlessness can be achieved in the future through technological advances such as biometric scans to replace passwords and near-field communication devices, which require physical proximity to operate a device.

Educating personnel on cybersecurity risks is another key step to ensure that staff members understand the need for sometimes tedious security measures, Dr. Seibert said.

Embedding IT Staff Can Keep Hackers Out

The third component to a healthy cybersecurity ecosystem is the IT staff. Not only should the IT staff build a firewall to keep hackers out, they should be running system scans to detect intrusions, Dr. Seibert said. Because those system scans are notorious for slowing down operations, the IT department at Dr. Seibert’s institution built part of its network isolated from the Internet to eliminate the need for constantly scanning security software.

Primo recommends embedding IT staff in technology-heavy departments such as radiology. Rather than being called when a problem emerges, an embedded IT staff member is better positioned to prevent problems, teach users the corrrect use of the IT application, suggest improvements, and coach staff through security procedures.

“It’s an ecosystem of shared responsibility,” he said. “If just one person in the chain fails to do what is right, cybersecurity can be compromised. It’s all about people, processes and technology.”

Web Extras

• Access the NEMA/MITA white paper, “Cybersecurity for Medical Imaging,” at NEMA.org.
• Access the HIMSS/NEMA Manufacturer Disclosure Statement for Medical Device  Security (MDS2) at HIMSS.org.
• Rik Primo, chair of the Medical Imaging & Technology Alliance (MITA) Cybersecurity Taskforce, discusses the 2015 NEMA/MITA Cybersecurity white paper and the urgent need for patient information protection in informatics and technology in this podcast: podcast.nema.org.