Radiology Confronts Reality of Global Cyberattacks

Based on recent cyberattacks, radiologists may look back on the summer of 2017 as a time when cybersecurity made the transition from a back-burner issue to a very real threat.

While there have been isolated incidents of ransomware attacks, this summer two major ransomware attacks impacted industries across the globe, including thousands of hospitals and clinics.

In May, ransomware known as WannaCry or Wana Decryptor, was blamed for crippling computers across the U.K., including at the British National Health Service.

A second attack in June attributed to Petya, a variant of ransomware, began in the Ukraine and quickly spread to more than 60 countries including the U.S. One example: a global transcription service was disrupted, forcing physicians at some U.S. hospitals to rely on handwritten notes.

Hackers Discovering Financial Potential

While cyberattacks generally have been on the rise in the past decade, ransomware incidents are more of a recent trend, particularly within healthcare. In a ransomware attack, victims are notified that their files are encrypted and they must pay a ransom (online currency) to unlock or access them.

It is possible that hackers are just now discovering the financial potential of ransomware within healthcare, experts say.

“Criminals and bad actors will go where the money is and where there is the least risk,” according to Kevin McDonald, a director in the Mayo Clinic Office of Information Security. He is presenting several cybersecurity sessions at RSNA 2017 (see sidebar) focusing on threats to radiology and methods for securing data and imaging devices.

Healthcare is often considered a “soft target,” an observation backed up by statistics.

Risk Based Security, a consulting firm focused on cybersecurity, reported that U.S. companies and institutions experienced 4,149 cyber breaches in 2016, exposing 4.2 billion records; 9.2 percent of those breaches were in the healthcare sector, according to the 2015 report.

In response to the growing threat, the Health Care Industry Cybersecurity (HCIC) Task Force released its final report to the U.S. Congress, identifying healthcare cybersecurity as a key public health concern and outlining steps to guard against attacks.

Healthcare a Frequent Target for Cyberattacks

Radiology, experts say, has been in a state of denial about cybersecurity. But the recent attacks are forcing radiology and healthcare in general to face the issue, beginning with the factors that have made the industry vulnerable to begin with — particularly aging, outdated equipment.

“Healthcare is still running Windows XP systems for regular computer use, but also for many medical devices,” said Lee Kim, director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS), noting that the XP operating system is no longer supported by Microsoft patches and updates.

Generally, healthcare institutions are not as diligent as they could be with necessary patches and updates, Kim said. The same is true with anti-virus applications, the protection of third-party software like those supplied by Adobe and Java, and credentialing protocols.

Simultaneously, electronic devices continue to proliferate in radiology and healthcare in general and not all are overseen by the institutions’ IT departments.

“Today we have mobile phones and radiologists can even use these devices to read images,” Kim pointed out. “If a doctor loses that device or if it is not password-protected, that can cause a security breach or other problems.”

In general, the healthcare industry has been fast to adopt technology advances to benefit patients, but has not always worked as quickly to safeguard that technology against security vulnerabilities, McDonald said.

“The idea that we can build a big wall around our hospitals or dig a deep enough moat around them is just not correct anymore,” McDonald said.

Cultural Barrier to Cybersecurity

The greatest threat created by ransomware or other cyberthreats to patients, of course, is the delay or even inability to provide care. Risks range from the theft of patient data to the disruption of life-saving imaging equipment and beyond.

“What would happen if your CTs and MRIs are not operable and a patient with a head injury came into your emergency room?” McDonald asked rhetorically.

And while the expansion of CT, MRI and ultrasound has increased the need to secure the integrity of these images, which often contain sensitive protected health information (PHI), the mindset exists that imaging devices do not need to be protected.

That can present problems since a healthcare institution’s cybersecurity is only as strong as its weakest link. In fact, the HCIC report points out that “the biggest barrier to cybersecurity program maturity in health care is the cultural barrier.”

The report lists six imperatives, ranging from a uniform, industry-wide set of governance measures to increased security and resilience of medical devices to enhanced awareness and education — along with dozens of specific recommendations. McDonald and Kim also suggested recommendations for radiology, based largely on common sense.

First, and most simply, McDonald said, “Make sure all your operating systems are patched and up to date.”

Second, do not invite problems.

“If you are sitting at a work station that runs your MRI and has internet access, you really shouldn’t be browsing risky websites in your spare time,” McDonald said.

Third, do not act in isolation. It is vital that there is an institutional imperative to maintain substantial cyber defense mechanisms.

A New Era in Cybersecurity?

While the most immediate concern of radiologists may be the uninterrupted flow of information to assure patient care, the reality is that cybercriminals are looking for the easiest way into an institution’s electronic infrastructure.

Kim said, “The hackers go after the soft spots, so nowadays security is everybody’s responsibility.”

Finally, radiologists must advocate with their institutional leaders to prioritize cybersecurity.

“It can be a tough job just surviving today in healthcare, and being able to afford the tools to do this and to hire the people who have the skills you need can be hard,” McDonald said.

It could be that these recent high-profile incidents accompanied by the release of the HCIC report will launch a new era in cybersecurity.

“I do believe we will reach a palpable level of maturity in terms of cybersecurity in the next five years, in terms of awareness and security training among radiology users,” Kim said

Cyber Alert Issued for Siemens Molecular Imaging Products

The Department of Homeland Security (DHS) has issued an alert warning about cyber vulnerabilities in certain Siemens medical imaging products running on Windows 7. Hackers could exploit the vulnerabilities remotely, according to DHS.

Siemens, based in Munich Germany, is preparing updates for the affected products and recommends protecting network access to the molecular imaging products with appropriate mechanisms.

Siemens has identified four vulnerabilities in the company’s molecular imaging products running on Windows 7, according to the alert issued by the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Siemens products are used worldwide.

"Exploits that target these vulnerabilities are known to be publicly available. Successful exploitation of these vulnerabilities may allow the attacker to remotely execute arbitrary code. Impact to individual organizations depends on many factors that are unique to each organization,” according to the DHS alert.

ICS-CERT recommends that healthcare organizations using the devices evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.