Cybercrime is becoming increasingly prevalent. In recent years, attacks have evolved to circumvent even the most modern cybersecurity controls. Ransomware such as WannaCry, phishing attempts, and social engineering have cost businesses and individuals $6.9 billion dollars in 2019. More concerningly, the number has been growing over recent years. But what does that mean for radiology?
Dealing with cyber-attacks in a healthcare setting is not a matter of if; it's a matter of when. Both large and small medical settings are equally at risk for security breaches. Radiologists and care providers must be alert to the amount of damage hackers can inflict on hospitals and clinics, not to mention what can be done with the sensitive information they collect. According to a report by IBM, the average cost of a data breach for medical settings in 2022 amounts to $10.1 million.
Cybersecurity attacks are an eventuality, cybersecurity incidents don’t have to be.. The way you train your people, the tech you have, the processes in place, and keeping your certifications current act as a bulwark of defense against these threats. When a cyber event begins, your PACS suddenly slows, and all devices on your network are abruptly locked; the results are directly tied to how well you’ve prepared.
While the dangers are real, there are of course things that radiologists can do to mitigate these risks. For example, fully deploying security AI reduces the "security breach lifecycle" by 74 days. But certainly, investing in expensive AI isn't the only solution. The biggest protection that you have from cyber-attacks is your staff. Proper training in risk avoidance, like not using company devices to access outside websites, is integral to your company’s integrity.
In the following sections, we'll examine some particularly damaging cyber-attacks. We'll take you through the role that your radiology equipment plays in your organization's cybersecurity posture. In addition, to help you better evaluate your radiology equipment, we'll review some standards to consider when updating or purchasing new imaging equipment. Making this your top priority now can pay off in the peace of mind that your company is well-insulated against cybercrime.
“PrintNightmare” and the Internet of Things
According to the Cybersecurity and Infrastructure Security Agency (CISA), foreign entities such as Russian state-sponsored threat actors are targeting a number of industries in western nations, including healthcare and pharmaceuticals. CISA, the FBI, and international organizations have specifically advised that healthcare providers need to be more cautious than ever with their software.
One more alarming capability of these attackers is their ability to execute attacks on Uninterruptible Power Supplies, which service critical equipment if the power grid is suddenly offline. They often target supplies connected via the Internet of Things platform, using databases of default usernames and passwords. In addition to securing all internet-connected devices and using proper security measures, make sure your staff is trained in the implications of using company equipment to access unauthorized websites. Your personnel is either your biggest liability or your biggest protection against cyber-attacks.
Take, for example, one attack reported on March 15, 2022. It is an attack known as "PrintNightmare." Cybercriminals exploited a Windows vulnerability that connected devices to printers and gained access to the system’s internal network. The hackers enrolled themselves in the system as if they were authorized users, gaining access to a network's cloud and email accounts. They ran arbitrary code on computers with admin privileges and exfiltrated sensitive data.
This is one example in which a mix of technical and person-related steps can help mitigate the damage or protect against an attack altogether. For example, admins can monitor the creation of new users to know quickly when someone may have gained access to their system. Remote printing can also be disabled and directly cut off the line of communication that allowed hackers to access the data via their remote print software.
One central overarching theme in all major cyber-attacks is that individuals are neglecting to take a closer look at the security of their machines. The vulnerabilities that modern-day hackers are taking advantage of are only partially known, so it pays to be forward-thinking and plan for surprises. Having equipment that does its job well and protects against cyber threats is an invaluable part of a healthy radiology practice.
Broward Health and Outdated Equipment
Budget constraints have led hospitals to forgo upgrading their machines and invest in other assets instead. In these cases, the opportunity cost of these other assets can be infinitely more expensive than the initial savings would imply. However, short-sightedness in your equipment’s ability to stand up to future cyber-attacks can invite tremendous losses.
According to the American Hospitals Association, two of the principal vulnerabilities of hospitals are "unpatched medical devices running on outdated software and devices that lack adequate security features."
In other words, old medical devices in radiology may be a potential avenue for a cyber-attack. In fact, Cuattro’s software will not allow users to access any unauthorized software or connect to an unauthorized website. When the user exits the Image Acquisition Workstation it shuts the workstation off, preventing human vulnerabilities with software adaptations.
And according to HG.org, a popular legal resource started by Lex Mundi, using outdated medical equipment could lead to various legal troubles. Individuals who have suffered losses as a result of their data being leaked can sue hospitals using legislation covering malpractice, negligence, and lack of knowledge of modern technology to cover the damages incurred by such an attack. Care providers using outdated equipment in this case would be held liable for any physical and monetary damages to the patient in the event that their data is compromised.
Remember, it takes only one event for hackers to gain access to all your patients' personally identifiable information. A patient who loses their life savings due to old machines, for example, will likely receive a settlement from the hospital. Keep in mind that with proper planning, these scenarios are entirely avoidable.
Take the case of Broward Health in October 2021. During this cyber-attack, hackers gained access to the network through an unnamed third-party app. How did this app’s vulnerability lead to that attack? Most likely, the developers did not build the app under current cybersecurity specifications set by the NIST, the FDA, and IEC. Over 1.3 million patients were affected. The article goes on to say:
"The hackers accessed names, birthdays, addresses, banking information, Social Security numbers, drivers' license numbers, patient histories and treatment, and diagnosis records, among other information, according to the health system."
Interestingly, the article says the patient's information had not been misused, and no ransom was demanded by the time the article was published three months later. Could this be a foreign state gathering intelligence? What would a bad actor seek to gain from this information if not a ransom from the hospital? And most importantly, did they succeed?
To remediate the damages, Broward Health is covering affected patients for 24 months for any identity theft issues stemming from this event. Since the impacts are still unknown, they are doing their best to ensure that their patients suffer minimal damage after the attack.
Is It Time To Upgrade Your Machines?
Adherence to modern standards ensures you're doing everything possible to avoid legal issues, loss of your reputation, and clear financial effects. Your imaging equipment should be aligned with the following in order to prevent known and future vulnerabilities:
- NIST 800.53, a catalog of security and privacy controls for all U.S. federal information systems except those related to national security
- IEC/TR80001-2-2:2012(E) Application of risk management for IT networks incorporating medical devices — Part 2-2
- NIST SP 800-34, Contingency Planning Guide for Federal Information Systems
- SP 800-61, Computer Security Incident Handling Guide
- SP 800-128, Guide for Security-Focused Configuration Management of Information Systems
- SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
- VA Directive 6550, Pre-Procurement Assessment And Implementation Of Medical Devices/Systems
- MDS2, Manufacturer Disclosure Statement for Medical Device Security
- Other FDA and NIST standards for the development of Health Care Devices
- ANSI NEMA-1-2019 for supplier credentialing in healthcare
Security Checklist for Radiology Departments
Whether or not you decide to upgrade your machine, there are other things you can do as radiologists to bolster your organization's cybersecurity posture. Use this checklist as a guide to ensure that your department is taking the proper measures to secure its information.
- Regularly train your staff in cyber-security protocol
- Monitor machines for new users
- Monitor IoT devices for unusual behavior
- Regularly scan for software patches and updates
- Create a preventative maintenance schedule with your department’s IT team
- Use the 3-2-1 method of data backups - Back up your information in three separate places, two different formats, and at least one offline backup.
- Use firewalls wherever possible
- Conform to relevant vulnerability management strategies
- Understand basic network segmentation and access controls
- Adhere to wireless access controls
- Ask your IT department about your organization's data encryption, loss prevention, and destruction prevention strategies
- Ensure strong password policies are invoked in any instance where operators may encounter protected health information, such as:
- Ensure Audit Logs are available with reporting for workstation Logins (log all attempts to log in and whether they were successful or not)