As the healthcare industry ramps up its adoption of electronic health records, and radiologists increasingly add mobile devices and cloud archiving to their digital mix, questions about the security of digital data should escalate. Just how safe and impenetrable are imaging data?
Unfortunately, among medical professionals, radiologists are some of the most oblivious of the need to vigilantly protect data, according to healthcare IT security expert Mac McMillan of CynergisTek and medical device security expert Derek Brost of eProtex.
While neither expects radiologists to become security experts, they strongly advocate that radiologists obtain a high level understanding of what practices need to do. Heeding their advice, AuntMinnie.com describes several new resources focusing on security.
National cybersecurity center healthcare bulletin
The National Cybersecurity and Communications Integration Center (NCCIC) of the U.S. Department of Homeland Security has just published a bulletin titled "Attack Surface: Healthcare and Public Health Sector." In spite of its cumbersome title, the document summarizes federal security requirements and is an easily understood "must read" overview of the vulnerabilities the NCCIC identifies with respect to medical IT.
In its introduction, the NCCIC states that communications security of networked medical devices and electronic records is now becoming a major concern to the U.S. Department of Health and Human Services (HHS). In addition to poor security practices and/or misconfigured IT networks, HHS has identified four factors that further complicate security resilience within any size of medical organization.
One of these factors, the use of medical devices that are 36 years or older, is an unlikely threat for radiologists. But not so for the converse threat: integrating new medical devices and/or data management systems into an existing IT network. The bulletin cautions that while U.S. Food and Drug Administration (FDA) testing procedures validate mandated security features of medical devices, this doesn't guarantee that they will be installed properly.
Another key factor is failure to install updates or upgrades of equipment, or deterring installation due to budgetary constraints. If these contain new software security protection, a seemingly protected system may be compromised. The final factor relates to priorities: Security may not be high enough in the food chain that allocates financial and staff resources. Put bluntly, network security tends to be underfunded.
The bulletin describes privacy and data security requirements mandated by state regulations and the federal Medicare program. It describes the types of security vulnerabilities for implantable and external medical devices, wireless interconnectivity, and portable devices, noting that the latter pose significant challenges for IT administrators. It also summarizes best-practice recommendations.
The bulletin can be accessed by clicking here.
HITRUST cybersecurity threat database
For many years, databases established as a collection point for information about imaging informatics software and hardware have proved invaluable to RIS/PACS administrators, end users, and vendors alike. They are one of the best ways to identify software glitches and spread the word about unauthorized but effective workarounds. Now, a database to report cybersecurity threats has been established by the Health Information Trust Alliance (HITRUST).
HITRUST, established in 2006, is a not-for-profit organization of healthcare, business, technology, and security companies and organizations. It created the HITRUST Common Security Framework (CSF), which normalizes and clarifies the security standards and regulations of diverse federal, state, and third-party agencies and organizations. HITRUST states that as of April 2011 -- the most recent date it released membership information -- more than 62% of hospitals and 74% of health plans with more than 500,000 members are utilizing the CSF.
In late April 2012, HITRUST established a Cybersecurity Incident Response and Coordination Center. Working with HHS and 14 leading industry organizations representing health plans and health systems, the center's mission is to provide a centralized location to report and identify cybersecurity attacks, coordinate response activities, and create best practices for healthcare organizations to deploy.
The center's initial focus is on early threat detection, alerting, remediation, and notification. It will gather information on attacks targeted against medical devices, workstations, networks, servers, and mobile devices. The center plans to provide meaningful information at all technical competency levels and to share information about threats with nonmembers in the healthcare industry.
The incident response center is just getting started. It may prove to be a valuable resource of expertise for imaging centers and radiology practices. Several years ago, when the Conficker worm invaded some commercial PACS applications and compromised hospital IT networks, members of the Conficker Working Group voluntarily contacted affected healthcare organizations. Fearing reprisals from vendors whose software had been compromised, the group did not feel that they could publicly state which PACS applications were most vulnerable to attack. The new HITRUST cybersecurity center will provide a neutral venue to identify specific devices and software that have been attacked.
ONC privacy and security guide
Any radiologist or radiology practice planning to achieve meaningful use should read the "Guide to Privacy and Security of Health Information," published in May 2012 by the U.S. Office of the National Coordinator for Health Information Technology (ONC). This 47-page guide not only details necessary information, it provides hyperlinks to resources that may be easy to overlook and difficult to locate.
One such example is a how-to guide produced by HHS titled "Cybersecurity: 10 Best Practices for the Small Healthcare Environment." Written specifically for physicians and their staffs, this 44-page guide includes a variety of invaluable checklists, including some for mobile devices.
This and other resources can help educate non-IT medical professionals and wrench anyone with a less-than-diligent perspective about the importance of cybersecurity implementation into the 21st century.
The guide can be accessed by clicking here.
