Radiology Departments Can Prevent and Respond to Cyberattacks

Disaster response planning can help departments sustain operations in a crisis

Po-Hao Chen, MD, MBA
Benoit Desjardins, MD, PhD
Janine Medina, MSc

Cyberattacks currently hit hundreds of hospitals globally each year, costing $33 billion annually. 

Hospitals are vulnerable to cyberattacks partly because they are critical infrastructure that must operate 24/7. Hospital networks cannot go offline for periods of time to install system and security upgrades.

“Hospitals have to be operational at all times,” according to Po-Hao Chen, MD, MBA, chief informatics officer of imaging, IT medical director and musculoskeletal radiologist at Cleveland Clinic in Ohio. “You can't take a hospital computer system down to upgrade it or to patch a security hole. For that reason, they are easy targets.” 

And according to Benoit Desjardins, MD, PhD, professor of radiology and medicine at the University of Pennsylvania, health care providers will continue to be targets of cybercrime as long as there is money to be made. 

“Cybercrime is a multi-billion-dollar enterprise, so it's not going away,” Dr. Desjardins said. “Cybercrime is becoming more precise and sophisticated and taking advantage of the latest developments in AI and synthetic content such as deep fakes. These technological advances are making it more difficult to detect and defend against cyberattacks on individual health care institutions.”

Statistically, a cyberattacker may be in a health care system for approximately 280 days before it is recognized, according to Janine Medina, MSc, CEO and executive director of Biohacking Village, a not-for-profit organization that informs global conversations in health care cybersecurity and biotechnology research.

Hospitals do not traditionally have the financial resources to have a full cybersecurity team on hand for cyberattacks,” Medina said. “Additionally, they may not have a secondary ‘sandbox’ or backup system for them to test updates or identify attacks in their system. Taking down a 24/7/365 system that is constantly morphing to care for their patients can be a daunting task, especially under the duress of a cyberattack.”

With cyberattacks likely to continue targeting hospitals, radiology departments can prepare to prevent attacks and plan how to respond when they occur. 

Cyberattack Education and Prevention are Key to Minimizing Risk

In the event of a cyberattack on a hospital, radiology departments can be paralyzed due to the specialty's reliance on technology. 

“As radiology professionals we ‘live and die’ by the technology that we work with, therefore, cyberattacks create a larger operational problem for radiology departments than for other groups in a hospital setting,” according to Dr. Chen, whose 2021 article, “Ransomware Recovery and Imaging Operations: Lessons Learned and Planning Considerations,” appeared in the Journal of Digital Imaging. 

Of all the prevention approaches, Dr. Desjardins says that the most effective one focuses on people, not technology, particularly employee education. 

“This education should include running online phishing campaigns to hospital employees,” Dr. Desjardins said. “Those who fall for the fake phishing scam should receive training on how to identify and avoid these types of emails and links.” 

Security for work from home situations must also be considered, as every connection point between the hospital and a radiologist’s home workstation is a potential entry point for attacks. 

“The home workstation should use the latest software and operating system and have all the latest security upgrades installed,” Dr. Desjardins explained. “Cybercrime is becoming more prevalent, as the software involved in cyberattacks is sold as a service on the dark web, increasing the pool of less sophisticated attackers, who can still cause a lot of damage to hospitals.”

“Every patient-focused organization must prepare to defend itself so that delivery of care is not interrupted and that patient safety is not jeopardized. Staying aware of the types of attacks being launched and keeping your security program updated will lower your risk of cyberattack.”

Benoit Desjardins, MD, PhD

Effectively Responding to Cyberattacks

While cyberattacks are often thought of as an IT issue, Dr. Chen pointed out that in the event of an attack, radiology’s main priorities are the safety of patients, followed by maintaining operational capacity until systems are restored. 

“This is not just an IT problem. At the time of an attack, we have a commitment to admitted patients who still need scans or who are in the interventional radiology suite getting a new central line,” Dr. Chen said. “For radiology professionals, this commitment means having a solid operational downtime plan.”

Dr. Desjardins agrees.

“Cyberattacks on supply chains and software, such as RIS, PACS or voice recognition, can simultaneously affect multiple radiology departments at the same time across the entire industry,” he said. “It is vital to build more sophisticated cyber defenses, protect the supply chain and prepare hospital employees against this increasing range and sophistication of cyberattacks.”

An effective operational downtime plan includes analog or low-tech solutions for every task in the imaging pipeline, from booking appointments to releasing images to patients or referring physicians. 

“Paper-based reports, orders and logs must be available to be able to continue reporting tasks, receiving radiology exam requests from our partners in the hospital and logging patient scans,” Dr. Chen recommended. 

Dr. Chen also advised having plans in place for when devices get locked down in the immediate aftermath of an attack. 

“If a patient is on the CT table for a lung biopsy and you’re locked out of your procedure medicine cabinet because it requires a fingerprint, you need an override code established beforehand,” Dr. Chen said. “The time to panic about this is not when you can’t access sedation medication to ensure that your patient doesn't wake up during the procedure.” 

As such, having the ability to quickly isolate the incident and apply countermeasures is important.

“Using a workflow example, as radiologists think about the manner in which tumors are identified and how treatment is determined, there is a distinctive workflow that is followed. Once therapy is initiated, the problem will get smaller in a few treatments and may need follow up by chemotherapy for eradication.” Medina said. “The same holds true for IT to identify and sequester a cyberattack. It must be found, identified, isolated, and removed in a safe and calculated manner to not effect patient care.”

Physicians should be prepared to report their experience during the attack to the IT department. It’s best practice to document the experience in a simple, non-jargon way to give the staff insights into what was experienced so that vulnerabilities that were exploited can be identified. 

Medina recommends a SOAP note, which is a note that is Subjective and Objective, offers Assessment and recommends a Plan for moving forward.

Listen as Dr. Desjardins shares what radiology departments can do to detect and defend against cyberattacks.

Disclosing Cyberattacks to Patients

Fortunately for radiology departments, disclosure of cyberattacks involving patient information breaches is regulated by HIPAA in the U.S. and PIPEDA in Canada and is the responsibility of hospital administration to coordinate. 

However, in the event that systems begin to malfunction in the presence of radiology patients, Dr. Chen counselled that any disclosure should be truthful and straightforward. 

“Best practice is to be fully honest that there are substantial computer issues, and that the department may not be able to deliver the best care to the patient at that time,” Dr. Chen said. “You might encourage patients to reschedule or facilitate their scans or procedures at another imaging center that can deliver that level of care.”

Being prepared is the best way to defend against cyberattacks, according to Dr. Chen.

Planning for a cyberattack is no different from planning for any other disaster,” Dr. Chen said. “Start with a plan to keep the patients and staff safe, then plan out everything else. Nothing is too small to consider.”

Dr. Desjardins noted that data security must be part of every hospital’s risk management approach.

“Every patient-focused organization must prepare to defend itself so that delivery of care is not interrupted and that patient safety is not jeopardized,” he said. “Staying aware of the types of attacks being launched and keeping your security program updated will lower your risk of cyberattack.”

As with all patient information and especially during and following a cyberattack, the more that is disclosed and in a timely fashion the outcomes are more promising, according to Medina.

“Using normalized language and discussing it in a SOAP note can be helpful in achieving optimal communications,” Medina concluded. “From a risk perspective—from the physician to the patient to the reputation of the organization—being cognitive of the environment you are in can make all the difference in ensuring patient care continues in a productive and viable fashion.”

For More Information

Access the Journal of Digital Imaging commentary, “Ransomware Recovery and Imaging Operations: Lessons Learned and Planning Considerations.”

Connect with Dr. Desjardins on LinkedIn or on Twitter @bdmdphd.

Read previous RSNA News articles on cybersecurity:

Massive Cyberattack Affects 1000+ Sites Across 21 States in U.S.

What could be the largest health care cyberattack in the U.S. occurred in early October.  CommonSpirit Health, one of the nation’s largest health systems, experienced a massive cyberattack. The attack affected many of their over 1000 sites of care across 21 states.

While little information is available about what areas were affected, it was noted that some of the CommonSpirit facilities moved their electronic health records offline.

“This could be the most massive cyberattack against a health care system in the U.S., so far. Over 100 of their facilities in several states seem to be affected, but details are still coming in at the time of this writing,” Dr. Desjardins said. “It has the characteristics of a ransomware attack. The attack required taking computers and medical records offline, diverting ambulances and rescheduling patient appointments and exams.”

Tips to Prevent and Recover From a Cyberattack

  • Educate staff regularly to prevent malware from being downloaded through email links.
  • Ensure at-home workstations are protected and employees are using the latest software.
  • Have an operational downtime plan that includes analog or low-tech solutions to every phase of the imaging pipeline.
  • Have emergency plans if in-progress imaging exams are locked out during an attack.
  • Document what team members saw and experienced during the attack and share with IT/IS.
  • Be honest and upfront with patients during and after an attack, especially if the attack compromised patient information or patient safety.