The American College of Radiology (ACR) and the Society for Imaging Informatics in Medicine (SIIM) have jointly endorsed a new white paper stressing the need for better protection against cybersecurity threats.
The document outlines steps to strengthen the medical imaging pipeline, train caregivers, and develop incident response and recovery strategies for data breaches and disabling ransomware attacks. It was published on August 6 in the Journal of the American College of Radiology.
“Onsite and cloud-based informatics systems, including artificial intelligence, can boost efficiency but also create weak points,” wrote a team led by Po-Hao Chen, MD, from the Cleveland Clinic in Ohio. “Medical imaging systems must safeguard patient identities, control access, secure devices, and coordinate with patients, payers, and billing partners.”
Cybersecurity continues to be a challenge for imaging practices. The Office for Civil Rights reported 725 data breaches and ransomware attacks that occurred in 2024. The most significant data breach affected a reported 190 million individuals.
Chen and colleagues highlighted risk management strategies for restoring normal operations after a cyberattack, with endorsement from the ACR and SIIM. They also wrote that these guidelines are intended to replace the 2019 ACR-AAPM-SIIM Practice Parameter for Electronic Medical Information Privacy and Security.
Physical protections for data outlined in the paper include controlling access through layers of security and environmental considerations such as fire protection systems and backup power sources in case of outages.
Data encryption and backup are also necessary, with cloud-based systems allowing for fast data recovery. And network security measures such as firewalls and virtual private networks can further protect against attacks, the paper states.
“Additional best practices include device hardening technical policies, such as adopting the latest vendor security configurations, disabling unused ports, and whitelisting allowed applications,” the authors wrote. “Regular updates and security patches help mitigate vulnerabilities.”
Practices should also organize a response team, an incident command team, and a technology response team to properly address cyber events. This includes liaising with law enforcement and insurance firms, evaluating responses to emergencies, assessing the extent of attacks, and evaluating the viability of backup systems.
Chen and colleagues also highlighted the importance of assembling committees to address safeguards and attack responses. These committees should include IT staff, physicians, technologists, and administrative personnel, the paper states. By setting up processes and procedures, this multidisciplinary work can lead to a culture of security, the authors wrote.
“Ultimately, a security culture necessitates consistent training, simulations, and active leadership involvement,” they added. “Taken together, these multidisciplinary interventions can minimize the data risk, privacy concerns, and financial implications of data breaches and disabling attacks and help maintain patient trust.”