Open to Attack
By Beth W. Orenstein
Radiology Today
Vol. 22 No. 2 P. 18
Imaging departments need to adopt best practices to prevent security breaches.
Cybersecurity experts agree that the health care industry is at least as vulnerable, if not more so, as other industries. But health care has been slower than other industries to react to cybersecurity vulnerabilities.
“Health care providers, including imaging departments, have always been at high risk for attacks,” says Alok Gupta, vice president and general manager for IBM Watson Health Imaging. Health care providers need to take proactive steps against breaches to begin catching up with some other sectors, such as finance and banking, that are also targets of cyberattacks, Gupta says.
“Health care systems are pretty easy targets for bad actors,” agrees Elad Luz, head of research for health care cybersecurity provider CyberMDX. Within health care, imaging departments are particularly vulnerable for at least two reasons, Luz says: Many imaging departments have older equipment. Their MRI and CT scanners “can last a very long time,” and may not get security updates as often as they should. “Another big issue is the use of DICOM for communicating imaging studies. DICOM is very convenient and good, but all users may not adopt the authentication and encryption techniques that are available in DICOM,” Luz says.
Tomer Levy, vice president of enterprise imaging global research and development at Change Healthcare, agrees that imaging departments are particularly vulnerable to cyberattacks because many of their operating systems could be at least 10 years old, and anyone with the desire can easily find ways to penetrate systems that aren’t patched. Levy says if users are sending information that is not encrypted “and plain text messages are going back and forth over the hospital network, it could be exploited.”
Levy adds another reason that health care and imaging departments are particularly vulnerable: “A typical hospital is managing hundreds of vendors, each one specializing in one type of treatment or workflow process,” he says. “From a security standpoint, each access point between the vendor and the hospital creates a potential cybersecurity risk and vulnerability for the environment.”
Many imaging departments have legacy infrastructure and still use older computer platforms and operating systems. While any operating system is vulnerable to network attacks, “a large percentage of commercial computing is on legacy computing platforms,” says Suresh Narayan, director of service life cycle and installed base for Canon Medical Systems USA, Inc. “Hackers and bad actors target older operating systems with specific malware and spyware, as they believe they can infect or shut down these vulnerable systems.”
Breaches on the Rise
Security breaches have been on the rise in health care. According to Fortified Health Security’s 2021 Horizon Report, “More than 500 health care organizations have reported a breach of 500-plus patient records to the Department of Health and Human Services Office for Civil Rights through the first 10 months of [2020], and we expect that number to surpass 550 by the end of 2020. In total, 513 entities have reported a significant breach so far, equating to 23.5 million individuals impacted.” The Horizon Report also found that the sector continues to be the most impacted overall and accounted for 79% of all reported security breaches during the first 10 months of 2020. That’s an 18% increase compared with the same period in 2019.
And the cost of all breaches is staggering. IBM Security’s 2020 Cost of a Data Breach study revealed that while the global average total cost of a breach across all industries was $3.68 million, the health care industry had the highest industry average cost of $7.13 million. It’s worth noting that the health care industry has led the pack for 10 consecutive years, Gupta says.
Enter COVID-19, which has intensified the problem. The COVID era has made it more challenging to maintain devices, including their security features, Luz says. Hospitals and imaging facilities are reluctant to “let people in who don’t necessarily have to be there,” he says. So, organizations often let people perform maintenance and updates on their imaging equipment remotely, which means more is being shared over the internet. The more that’s shared online or on the cloud, the more open the organization is to possible attacks because “where there’s a will, there’s a way,” Luz says.
And there’s another COVID-related issue: “COVID has made it more transparent that data needs to be available in more remote settings,” Gupta says. “That allows for vulnerabilities to be exposed more and more.”
Also, according to the Horizon Report, “the shift to work[ing] from home and increase in telehealth use has taken a toll on overall security by creating an increased attack surface for cybercriminals.” The IBM Security report estimates remote work adds $137,000 to the average cost of a data breach.
Vulnerabilities Discovered
Early last year, when the world was just learning about the COVID outbreak in Wuhan, China, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) reported that a collection of six cybersecurity vulnerabilities were discovered in a range of GE Healthcare devices that are popular in hospitals.
The bundle of six vulnerabilities had been first reported in mid-September 2019 by CyberMDX. In the months that followed, CyberMDX, GE, and CISA collaborated to confirm the vulnerabilities, audit their technical details, evaluate the risks associated with the vulnerabilities, and determine the most responsible disclosure process. Those efforts led to CISA’s release of an official advisory to health care organizations on January 23, 2020.
According to CyberMDX, the vulnerabilities could allow an attacker to make changes at the software level of the device. Doing so would have many possible ramifications, including rendering devices unusable, interfering with device functionality, making changes to alarm settings, and exposing protected health information. Luz says CyberMDX’s goal in bringing these vulnerabilities to the attention of health care providers was to have them addressed quickly. GE did respond quickly and seriously, which was encouraging, Luz notes; security patches for these devices were issued. The discovery of these vulnerabilities is one of a fast-growing list of examples highlighting the need for all medical device stakeholders to redouble their vigilance in protecting patient safety and improving the security and resiliency of medical devices, premarket and postmarket, Luz says.
The need for heightened security “is highlighted every time there is an attack or compromise, which seem to be occurring with greater frequency,” Gupta agrees. Of course, it takes time to identify a possible attack, and in the health care space, that time seems to be longer than other industries, he notes. According to the IBM report, a breach in health care can take an average of 236 days to identify and as many as 93 days, on average, to contain.
Preventing Attacks
Given that medical devices have become more vulnerable to attackers, what can/should imaging departments do to ensure that their patient information remains secure?
Think bottom up.
Security has to be built into imaging equipment from the beginning, Gupta says. When purchasing imaging equipment, he says, providers should ask who has access to the information that comes from these machines and how and by whom that access is monitored and controlled. All of these matters have to be resolved before the equipment is installed, he says.
Gupta notes that customers have been hearing about cyberattacks and reaching out to IBM “to make sure they are protecting themselves.” No doubt, he says, “there’s much higher awareness about security issues than in the past.”
Consider monitoring services.
For example, should an attempt or an attack occur, some systems generate reports “that alert management to what kind of attack happened and who is trying to access the information,” Narayan says. Such services, he says, can give customers peace of mind that their systems, network, and patient information are secure and that a risk management team well trained in cybersecurity is available to help withstand any attacks.
Monitoring systems that work with multiple vendors are available. Indeed, many hospitals and imaging departments have equipment from different vendors. “Managing the cybersecurity from a single vendor is easier than doing that with 10 or 15 different vendors,” says Levy. Departments should expect security compliance from all of their vendors, Levy says, and a good practice is to expect all of them to show you how they architect their solutions. “Expect your technology vendors to provide solutions and services and take full responsibility for your cybersecurity when using their technology,” Levy says. This should include your storage and/or PACS systems, he notes.
Raise awareness among staff.
One of the most important things you can do, Levy says, is invest in training members of your staff and make certain they are aware of how their actions can be exploited by attackers. For example, he says, “Everyone must know how important it is not to open links that are not from a trusted source. It only takes one person to hit one wrong link to affect the entire hospital.” Staff also must know not to walk away from workstations while still signed on with their ID and password. And staff needs to know what to do if they suspect suspicious behavior. Staff training is a very important investment and not prohibitively expensive, Levy says. A good practice, he adds, is to use real-life hacking and phishing examples when training staff. Some organizations have phished their employees as a teaching tool. However, this practice is somewhat controversial.
Keep software/operating systems current.
Levy says it’s easy to let software updates and security patches slip through the cracks without promptly implementing them. Running outdated operating systems is an open invitation to hackers, he says. The best practice is to not only have a plan for updating software on all devices—whether it be desktop, mobile, or any device that connects to your system—but also to make it clear who is responsible for implementing the plan.
Plan your recovery.
“You need to plan for the worst,” Gupta says. Have discussions about what happens should your system be compromised. “You have to be resilient in infrastructure and data services so you can recover as quickly as possible,” he says. That’s easiest to do when plans are in place that can be put into action as soon as the department is alerted that it may have been compromised. “Every organization has a process to identify a breach, find the cause, and follow the protocols,” Gupta says. “That’s the best way to contain and correct it. That’s the part of the security posture you have to have.”
Restrict access to only those who absolutely need it.
One thing that is somewhat unique to imaging, Levy says, is the volume of data that are shared and stored. “The volume of data in imaging is huge,” he says, and it needs to be consumed in many places—whether with the ordering physician, referring physicians, or elsewhere. Often, this information is sensitive and, if exposed, could cause harm, Levy says. If too many people have access to this information, it’s easy for bad actors to get in unnoticed. Access should be limited to only those who need it.
— Beth W. Orenstein, of Northampton, Pennsylvania, is a freelance medical writer and regular contributor to Radiology Today.