Intrusion-detection testing finds network vulnerabilities

Cynthia E. Keen
Aug 10, 2008

A 150-bed hospital once installed a PACS network without correcting several security flaws identified in a threat-detection test. Perhaps not surprisingly, the PACS was penetrated by a virus, which not only took down the imaging department but also the entire hospital's IT network.

Could this happen to your facility? Maybe, but the odds of it occurring are far lower if you conduct regular intrusion-detecting vulnerability tests and audits, according to security industry experts.

Many healthcare facilities, especially those with small IT staffs, don't recognize how easily minor changes can make their network vulnerable to intrusions. And facilities that outsource IT services have no guarantee of the quality of protection being provided. Penetration testing, as intrusion-detection audits are also called, identifies vulnerabilities.

By its very nature, an IT environment is dynamic. The regular addition and removal of users, password changes, computer component swapouts, new software, and new equipment means that regular security checks are advisable. In addition, comprehensive intrusion-detection testing should also be conducted every six months, or sooner if there is a major change on a network, experts recommend. Penetration testing, whether actual or simulated, will not only reveal areas of vulnerability but also will prioritize them.

"What you don't know, you don't know," emphasized Michael McMillan, president and CEO of CynergisTek, an Austin, TX, firm that specializes in providing information security management, regulatory compliance, and IT audit solutions to healthcare organizations. "Each and every change on a network creates an opportunity or a vulnerability. No matter how small, no healthcare IT network is static. No matter how secure an IT professional or team tries to make a network, there is always the potential for error or to overlook something."

Experts recommend that a small hospital or imaging center have both internal and external intrusion-detection testing conducted every six months. Large hospitals and integrated delivery networks (IDNs) may opt for quarterly or monthly tests. End users can purchase vulnerability scanning software, or utilize a security specialist providing the service.

Both internal and external tests can be conducted remotely, McMillan explained. "We mail a 'testing box' to our client that connects to a server or a workstation. This is used to systematically probe each component of the network against the software's library of known vulnerabilities."

As part of its intrusion-detection tests, CynergisTek uses vulnerability scanning software created by Qualys, a Redwood Shores, CA-based company. Qualys claims to have the largest vulnerability database in the industry, currently performs over 6,000 unique checks, and adds an average of 25 newly identified vulnerabilities each week.

"For an external scan, we test every IP address that is publicly available, and look to see if there are any vulnerabilities a hacker could take advantage of or exploit," McMillan said.

Medical device vulnerability

Many diagnostic modalities are inherently insecure, according to McMillan. He attributes this to system design and the platform that the modality runs on, noting that some vendors don't design products with security issues in mind.

"Medical device manufacturers need to pay a lot more attention to security," McMillan emphasized. "They don't think of the ways that a hacker could corrupt data on a device. This is more than an issue of just hacking; this is an issue of patient safety." He strongly recommends that every new medical device added to a network be independently tested for security vulnerabilities.

In McMillan's experience, an average-sized network will generate 1,500 to several thousand vulnerabilities in a baseline assessment. For a standard computer or server running a Microsoft Windows operating system, there may be 200 to 400 settings involved when "hardening" a new "out-of-box" product. It's easy to overlook some when doing the configurations.

Interpreting the reports from a vulnerability scan can be daunting if an IT staff is not familiar with and accustomed to reading the reports. A typical freestanding imaging center doesn't have this expertise, according to McMillan. Additionally, a client may not have the expertise to correct a major problem.

"Unfortunately, we encounter systems on networks to which we cannot add a security patch to counteract identified vulnerabilities, because the patch will interfere with the operation of the system," he noted. "Remote administrative system monitoring can also be a big headache if the vendor providing the service has configured it in an insecure fashion." In these situations, the network is redesigned so that the system is put behind a separate firewall.

Consult with IT staff

McMillan recommends that radiology staff always coordinate the purchase of a RIS, PACS, advanced visualization, or speech recognition system with the organization's chief information officer (CIO) and the IT organization. In the earlier example of a 150-bed hospital, the radiology department purchased and installed the PACS without notifying the IT staff.

When the CIO learned of the installation, CynergisTek was retained to test it. The PACS had not been configured in a secure manner, and the remote administration also proved to be insecure. The system not only created a huge vulnerability in the hospital's network, but the way that it was being administered remotely made it simple to hack, according to McMillan.

Nothing was done about the situation after it was identified, presumably due to lack of radiology department funds and internal hospital politics. Eventually, the PACS was penetrated by a virus and ultimately took down the entire hospital network. All of this could have been avoided prior to the purchase of the PACS if the IT staff had been involved, McMillan observed.

Barrage from Brazil

Wyoming Medical Center, a 209-bed hospital in Casper, WY, utilizes a combination of its own IT staff and CynergisTek to do regular testing, according to Don Claunch, CIO. "When I was hired six years ago, one of my primary objectives was to have an independent perimeter security test done. This provided a baseline for us, and everyone was pleased that there was very little wrong with the security of the network."

Over 100 software applications operate on Wyoming Medical Center's network, and the majority of these are accessible over the Web. "Wyoming is rural, and our physicians represent a geographically dispersed community," Claunch said. "Twice-yearly contracted intrusion-detection systems verify that our network is secured."

The network periodically gets attacked, usually from bizarre places. The hospital identified one repeat attacker from Brazil through an IP address, as well as an overzealous computer programmer working in the training center of a major IT vendor.

Testing results difficult to dispute

IT services and network security are increasingly being outsourced, due to their complexity. Vulnerability testing not only proves the competence of a third party-provider, it also shows due diligence on the part of a healthcare provider.

"Regularly scheduled intrusion-detection reporting is one way that a healthcare organization can show due diligence with respect to [Health Insurance Portability and Accountability Act (HIPAA)] compliance. The healthcare provider is responsible for patient data, not a third-party service provider," said Mike Lloyd, Ph.D., chief scientist at RedSeal Systems in Redwood City, CA. RedSeal designs software used by the healthcare industry to map, measure, and mitigate network security using simulation.

"Even when IT security is outsourced, healthcare organizations are legally responsible for the safety and security of patient data," Lloyd said. "In a risky world, you can't make everything perfectly safe. But if you make a demonstration of due diligence of comprehensive risk and compliance reporting on a regular basis, this will document your efforts."

"The ability of software to identify the most important risks to remediate, and to prioritize them, enables an IT team to systematically determine which issues must be resolved with a specific timetable and budget," according to Lloyd. "A healthcare organization may not have the funds available to correct all security issues, and some security measures can cost more than they are worth."

Software that demonstrates its results in clearly defined visuals can make a convincing argument to hospital executives who may not fully understand the recommendations of IT staff. A vulnerability test is an independent arbitrator.

Stanford Hospital and Clinics in Stanford, CA, purchased RedSeal software in the spring of 2007. "Testing enables us to identify and fix a serious problem very rapidly," said Michael Mucha, information security officer. "It gives us more power to get things done. Its concrete identification of problems, and the level at which the problems exist, enables us to make sensible decisions utilizing the funds we have available, or support our requests for unbudgeted expenses to senior management."

"The software also identifies repeated security vulnerabilities at a low level and enables us to specify regulations and standards for a specific type of equipment," Mucha said. "We can agree upon the level of acceptable security to maintain for anything on the network in a very logical way."

RFP questions about security

Healthcare organizations should include security-related questions in requests for proposal (RFPs) for both medical device and IT systems. How secure is the device or system? How did you test it? Would the network that you are proposing pass a Payment Card Industry (PCI) audit, the standards defined for the credit card industry? Responses to these seemingly simple questions may yield answers that can save a healthcare organization a significant sum of money, according to Lloyd.

In Lloyd's experience, healthcare organizations do not pay enough attention to costs associated with security when evaluating new products. Acceptance testing, particularly of a RIS or a PACS, should include vulnerability and intrusion-detection testing by an independent security expert.

"If a network being proposed for a RIS or PACS can't pass a PCI audit, it's worth asking yourself, 'Should the security of a patient's record be any less robust than the security of a credit card number?' " Lloyd said.

It's definitely worth thinking about.

By Cynthia Keen
AuntMinnie.com staff writer
August 11, 2008

Related Reading

New protocols offer hope for wireless security, June 6, 2005

In depth approach needed for PACS security, January 20, 2005

Security in the wired or wireless world; users are the weakest link, May 24, 2004

Copyright © 2008 AuntMinnie.com

Latest in IS
2017 03 30 15 16 56 745 Mammogram Calendar 400
Can self-scheduling and referral close breast cancer screening gaps?
July 31, 2023
2018 11 19 17 20 4754 Back Pain 400
Simple EHR intervention reduces unnecessary lower-back x-rays
July 30, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Amazon Web Services releases imaging data platform
July 25, 2023
2021 06 16 23 10 5735 Student Doctor Laptop Test 400
Online course teaches students about appropriate imaging use
July 19, 2023
Related Stories
2008 06 25 17 05 19 316 Ge Btm2
IS
08-1020 GE Imaging Center, Post lead collection, choose format.
2008 06 25 15 36 05 128 Ge Top
IS
08-1020 GE Imaging Center, Landing Page
2007 12 12 09 30 02 706
IS
RIS developer Sunquest returns to radiology as standalone company
2007 11 07 15 33 20 706
IS
ScImage
More in IS
Can self-scheduling and referral close breast cancer screening gaps?
By Amerigo Allegretto
Online patient portal self-scheduling and self-referral methods can help mitigate health disparities in breast cancer screening, according to research published July 26 in the Journal of the American College of Radiology.
July 31, 2023
2017 03 30 15 16 56 745 Mammogram Calendar 400
Simple EHR intervention reduces unnecessary lower-back x-rays
By Kate Madden Yee
A relatively simple electronic health record (EHR) intervention reduces the incidence of unnecessary x-rays for patients presenting with low back pain, a study published July 28 in the Journal of the American College of Radiology has found.
July 30, 2023
2018 11 19 17 20 4754 Back Pain 400
Amazon Web Services releases imaging data platform
By AuntMinnie.com staff writers
Amazon Web Services has launched an imaging data platform for storing, accessing, and analyzing medical images at petabyte scale.
July 25, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Online course teaches students about appropriate imaging use
By Amerigo Allegretto
An online elective course can effectively educate radiology students on the concept of appropriateness in medical imaging, according to an Israeli study published July 18 in Academic Radiology.
July 19, 2023
2021 06 16 23 10 5735 Student Doctor Laptop Test 400
CMS proposes radiology reimbursement cuts, AUC pause for 2024 MPFS
By Erik L. Ridley
In what has seemingly become an annual event, the U.S. Centers for Medicare and Medicaid Services (CMS) has once again included radiology reimbursement cuts in its Medicare Physician Fee Schedule (MPFS) Proposed Rule.
July 13, 2023
2019 07 31 17 01 7432 Medicare Puzzle 400
Summary reports improve CT planning for ovarian cancer surgery
By Kate Madden Yee
A synoptic, or summary radiology report, improves pretreatment CT planning for patients with advanced ovarian cancer compared to a simple structured report, according to a study published on July 12 in the American Journal of Roentgenology.
July 12, 2023
2023 07 12 19 50 6142 2023 07 12 Ajr Ct Ovarian 400
PET/CT shows value in patients with portal vein thrombosis
By Will Morton
PET/CT could be a valuable new imaging technique for distinguishing benign from malignant portal vein thrombosis in liver cirrhosis patients, according to a group in Egypt.
June 26, 2023
2023 06 22 23 04 9721 2023 06 23 Pet Pvt 20230622231003
Ransomware affects emergency radiology workflows
By Amerigo Allegretto
Ransomware attacks have a significant effect on emergency radiology workflows, as well as on acute care delivery and the personal well-being of healthcare providers, according to a study published June 15 in the Annals of Emergency Medicine.
June 19, 2023
2021 08 10 16 10 2928 Cybersecurity Lock V2 400
SIIM: Can Microsoft Teams lessen radiologist interruptions?
By Erik L. Ridley
AUSTIN, TX - Asynchronous forms of communication such as Microsoft Teams are much less disruptive to radiologists than phone calls or in-person visits, according to a talk delivered at the annual Society for Imaging Informatics in Medicine (SIIM) meeting.
June 18, 2023
2020 04 16 18 17 3383 Radiologist Ct Scan Brain Tumor 400
Turing debuts MRI visual feedback module at ISMRM 2023
By AuntMinnie.com staff writers
Neuroimaging software company Turing Medical Technologies (formerly Nous Imaging) used the venue of ISMRM 2023 in Toronto to launch FIRMM-pix, an in-bore visual feedback module designed to actively reduce head motion during brain MRI scans.
June 8, 2023
2023 01 30 21 50 9506 Computer Display Monitor Lab Mri V2 400
ImagineSoftware acquires Within Health
By AuntMinnie.com staff writers
Radiology billing and RIS developer ImagineSoftware has acquired artificial intelligence software developer Within Health. Terms of the deal were not disclosed.
May 23, 2023
2020 08 20 17 37 8876 Business Handshake Man 400
DetectedX touts learning platform success
By AuntMinnie.com staff writers
DetectedX is highlighting that the user base for its Radiology Online Learning Centre has exceeded 4,500 users, which the company says range from large radiology groups to individuals around the world.
May 3, 2023
2020 06 16 22 09 9134 Doctor Virtual Meeting Laptop Computer 400
Page 1 of 603
Next Page