Cybersecurity for medical imaging equipment is often more critical than for other medical devices because the equipment stores protected health information (PHI) and communicates directly with PACS and electronic medical record (EMR) systems. This makes imaging equipment an attractive target for hackers, as it provides the perfect portal to a hospital's most valuable asset: patient information.
Despite all the headlines, radiology and biomedical engineering departments have made little progress toward securing diagnostic equipment.
"In radiology, a denial exists that imaging devices are not in need of security," said J. Anthony Seibert, PhD, professor and associate chair of radiology informatics at the University of California, Davis (RSNA News, May 1, 2016). "That mindset needs to be overcome."
Cybertears over WannaCry
In May of this year, the cyberweapon-powered WannaCry ransomware attack affected more than 200,000 Windows-based computer systems in the National Health Service in the U.K. Weeks later, Petya or NotPetya/GoldenEye furthered the chaos by using the EternalBlue exploit, which made it much harder to stop.
The attack affected not only PCs, but also many medical devices. In the case of the WannaCry attack, internet-connected contrast injectors were implicated as a point of vulnerability, and a screenshot of the WannaCry virus taking over the control screen of a contrast injector at a U.K. hospital became one of the enduring images of the crisis. In today's interconnected age, it's easy for a virus to work its way through a back door like this and into a hospital's main computer network.
As illustrated by the graph, the critical trend for healthcare providers is that while the number of providers being hacked grew linearly in the five years from 2010 to 2015, the number of patients impacted grew exponentially. This is mostly due to an increase in the adoption of electronic medical records, a rise in the number of medical devices and internet of things (IoT) devices connected to hospital networks, and, of course, the ubiquity of ransomware and malware and their effect on patient access and safety.
Given all the headlines decrying hacking attacks in healthcare, the industry and the U.S. Food and Drug Administration (FDA) have multiple initiatives underway to improve cybersecurity. The FDA issued new guidelines this year that placed a joint burden on both the medical device manufacturer and the health delivery organization.
"Medical device manufacturers and health care facilities should take steps to ensure appropriate safeguards," the website reads. "Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity. They are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance."
Unfortunately, most healthcare providers and the FDA still operate under the old paradigm of attempting to secure the end points as the primary weapon in their cybersecurity war. Yet, when hackers inevitably penetrate hospital end-point security through phishing emails or similar ploys that depend on human error, security and IT teams are poorly equipped to mitigate the damage.
What's worse, only 5% of hospitals test the security of their medical devices annually, according to a recent report by the Ponemon Institute called "Medical Device Security: An Industry Under Attack and Unprepared to Defend." Additionally, only 9% of medical device manufacturers test their devices annually, even though they can face significant fines from the FDA for a lack of compliance. The institute also found that at least 69% of manufacturers and 57% of healthcare delivery organizations believe their medical devices will be hacked in the next year.
Fortunately, there are new solutions that go beyond securing the perimeter and provide more effective risk management. The building blocks of this new approach include the ability to do the following:
- Understand in real-time what devices are connected to the network and their general characteristics
- Monitor device communications on the network to and from other devices to detect any threats or vulnerabilities
- Determine a device's risk based on the device's overarching criticality and exposure
- Lock down medical devices and other IoT using multiple enforcement mechanisms
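As an added example (not code from the article, from CloudPost, or from any vendor), here is a toy Python implementation of the four building blocks above, run over a constructed flow log: it keeps a device inventory, checks each device's conversations against an expected baseline, scores risk as criticality times exposure, and turns the score into an enforcement decision. The device names, addresses, ports in the baseline, scoring weights and thresholds are all assumptions made for the illustration.

```python
"""Toy device-risk pipeline illustrating the four building blocks:
inventory -> monitoring -> risk scoring -> enforcement.
Added example; all data below is constructed and not from the article."""
from collections import defaultdict

# Block 1: device inventory. Map IP -> (name, device type, criticality 1-5).
# Addresses, names and criticality values are assumptions.
INVENTORY = {
    "10.20.1.10": ("CT scanner",        "imaging",     5),
    "10.20.1.11": ("Contrast injector", "injector",    4),
    "10.20.1.20": ("PACS",              "pacs",        5),
    "10.20.1.30": ("EMR server",        "emr",         5),
    "10.20.1.50": ("Nurse workstation", "workstation", 2),
}

# Expected peers per device type as (peer type, destination port).
# Assumed baseline: DICOM (104/11112) to PACS and HTTPS (443) are the only
# conversations treated as normal in this toy model.
BASELINE = {
    "imaging":     {("pacs", 104), ("pacs", 11112)},
    "injector":    {("imaging", 104)},
    "pacs":        {("imaging", 104), ("imaging", 11112), ("emr", 443), ("workstation", 443)},
    "emr":         {("pacs", 443), ("workstation", 443)},
    "workstation": {("pacs", 443), ("emr", 443)},
}
SMB_PORT = 445  # the transport WannaCry/NotPetya spread over; unexpected on a medical device

# Constructed flow records: "<timestamp> <src ip> <dst ip> <dst port>"
FLOW_LOG = """\
2017-05-12T08:01:02 10.20.1.10 10.20.1.20 104
2017-05-12T08:01:05 10.20.1.11 10.20.1.10 104
2017-05-12T08:02:10 10.20.1.50 10.20.1.30 443
2017-05-12T08:03:44 10.20.1.11 203.0.113.9 445
2017-05-12T08:03:45 10.20.1.11 10.20.1.50 445
2017-05-12T08:03:46 10.20.1.11 10.20.1.20 445
2017-05-12T08:04:00 10.20.1.10 10.20.1.30 3389
"""


def parse_flows(text):
    """Turn the whitespace-separated flow log into (ts, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((ts, src, dst, int(port)))
    return flows


def peer_type(ip):
    """Block 1: classify a peer from the inventory; anything unknown is untrusted."""
    return INVENTORY[ip][1] if ip in INVENTORY else "unknown"


def find_anomalies(flows):
    """Block 2: flag every flow that falls outside the source device's baseline."""
    anomalies = defaultdict(list)  # src ip -> [(reason, dst ip, port), ...]
    for _ts, src, dst, port in flows:
        if src not in INVENTORY:
            continue  # only inventoried devices are profiled here
        dtype = INVENTORY[src][1]
        if (peer_type(dst), port) in BASELINE[dtype]:
            continue  # expected conversation
        if port == SMB_PORT:
            reason = "smb"
        elif peer_type(dst) == "unknown":
            reason = "unknown-peer"
        else:
            reason = "off-baseline"
        anomalies[src].append((reason, dst, port))
    return anomalies


def score_risk(anomalies):
    """Block 3: risk = criticality x exposure. Exposure counts distinct unexpected
    peers plus a weight of 2 per SMB flow (weights are assumptions)."""
    scores = {}
    for ip, (_name, _dtype, crit) in INVENTORY.items():
        events = anomalies.get(ip, [])
        peers = {dst for _, dst, _ in events}
        smb_flows = sum(1 for reason, _, _ in events if reason == "smb")
        scores[ip] = crit * (len(peers) + 2 * smb_flows)
    return scores


def enforcement_plan(scores, isolate_at=20, alert_at=1):
    """Block 4: pick an enforcement action per device (thresholds are assumptions)."""
    plan = {}
    for ip, risk in scores.items():
        if risk >= isolate_at:
            plan[ip] = "isolate"   # e.g. move to a quarantine VLAN or apply an ACL
        elif risk >= alert_at:
            plan[ip] = "alert"     # notify biomed/security for review
        else:
            plan[ip] = "allow"
    return plan


if __name__ == "__main__":
    plan = enforcement_plan(score_risk(find_anomalies(parse_flows(FLOW_LOG))))
    for ip, action in plan.items():
        print(f"{INVENTORY[ip][0]:18s} {ip:12s} -> {action}")
```

In the constructed log the contrast injector starts talking SMB to an outside address, the workstation and the PACS, which is exactly the kind of lateral movement the WannaCry screenshot illustrated; the scoring marks it for isolation while the CT scanner's single off-baseline RDP flow only raises an alert. In a real deployment the baseline would be learned from observed traffic rather than hand-written, and the inventory would come from passive discovery rather than a static table.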
The healthcare security landscape will continue to evolve with the need to improve patient safety and quality of care driving the urgency for technology innovation. 2016 was a record year for digital health venture investments, so new and better technologies will continue to emerge to address this critical issue.
Ben Wilson has more than 20 years of experience in healthcare and technology, and he is currently the vice president of business development at CloudPost. Prior to CloudPost, Wilson held healthcare marketing roles at Citrix and Intel, as well as executive positions at BabyCenter.com and Consumer Health Interactive (CHI). He has master's degrees in business administration and public health from the University of California, Berkeley and a degree in political science from Stanford University. He can be reached at email@example.com or @bwilson_mhealth.
The comments and observations expressed herein are those of the author and do not necessarily reflect the opinions of AuntMinnie.com.