Cybersecurity and safety have become major issues in global healthcare, and it's vital to address these topics because any radiology department or practice can easily become the victim of an attack, experts told RSNA 2021 attendees at a special session on Sunday.
"We are at a crossroads," said Joshua Corman, chief strategist for COVID-19, healthcare, and public safety at the U.S. Cybersecurity and Infrastructure Security Agency (CISA). "We're now overdependent on undependable technology. How quickly we turn the corner depends on you."
Around 560 U.S. healthcare facilities were hit by ransomware attacks in 2020, and cyberdisrupion can be an important source of delays to patient care in hospitals that are already overstretched, he added. For instance, in November 2020, clinicians were forced to send away hundreds of cancer patients after a cyberattack on a Vermont Hospital.
About 85% of U.S. hospitals do not have a single qualified security person on their payroll, and many security specialists have been put on furlough support schemes during the pandemic or laid off due to recent mergers and acquisitions, according to Corman.
"Our traditional best practices simply aren't good enough, and this is affecting patient care," he said. "Through our over dependence on undependable IT, we have created the conditions such that the actions of any single outlier can have a profound and asymmetric impact on human life and economic and national security."
The good news, though, is that politicians, regulatory agencies, healthcare providers, and the international community in general have become more alert to threats and better prepared, he continued.
In May 2021, President Biden issued an executive order about improving cybersecurity. This order emphasizes that all federal procurement deals must give full consideration of cybersecurity aspects, and it shows that this topic is now higher up on the political and social agenda.
5 core principles
Keep vigilant and be conscientious, Corman advises the medical imaging community. Overall, he thinks adhering to these five core principles will improve the situation:
- Cybersafety by design. Respect domain expertise and inform design with security lifestyle, adversarial resilience, and secure supply chain practices.
- Third-party collaboration. Acknowledge that vulnerabilities will persist, despite best efforts, and invite disclosure of potential safety or security issues, reported in good faith.
- Evidence capture. Try to foresee unexpected outcomes and to facilitate evidence capture, preservation, and analysis to learn from safety investigations.
- Resilience and containment. Recognize failures in components and in the environment are inevitable, safeguard critical elements of care delivery in adverse conditions, and maintain a safe state with clear indicators when failure is unavoidable.
- Cybersafety updates. Cybersafety will always change, so it's vital to support prompt, agile, and secure updates.
"We're all in a supply chain, with most of us in the middle, and we should know how flaws in these technologies affect us downstream," Corman said.
It's going to take great courage to challenge in-built assumptions, and things won't happen overnight, he warned. After all, it took 100 years for people to believe the 19th century Hungarian physician Ignaz Philipp Semmelweis about the importance of antiseptic procedures.
The pandemic has produced a triple threat for healthcare systems: a rapid expansion of internet-connected technologies and services causing an expanded attack surface, an increase in many types of cyberattacks, and fewer available resources to defend against cyberattacks, Dr. Benoit Desjardins, PhD, professor of radiology at the University of Pennsylvania, explained at the same Sunday session.
Phishing attacks pretending to originate from the World Health Organization and others spread across the world like wildfire, and websites such as the John's Hopkins COVID-19 tracking site get duplicated and become major sources of worldwide malware distribution. In December 2020, it was confirmed that Russia had infiltrated the computer systems at many large U.S. government institutions, including Homeland Security, the Pentagon, the Treasury, the Commerce Department, the Postal Service, and the National Institutes of Health.
To counter this threat, the radiology community at large must be made aware of this growing era of digital warfare and its implications for their daily practice, and practical, actionable suggestions that radiologists and IT administrators need to be developed, Desjardins said.