Web Exclusive

Radiology’s Role in Crushing Cyberthreats

By Doug Schroeppel

Radiology teams have a delicate balance to strike when it comes to cybersecurity. On one hand, it’s essential to safeguard radiology systems from unauthorized access and security breaches. On the other hand, it’s imperative for providers and patients to have easy access to the images they need.

These two end goals—ease of use and security—are diametrically opposed. However, it’s possible to find a happy medium that reduces security risks and shores up HIPAA compliance while simplifying image access. The key is for radiology teams to view cybersecurity risk holistically, taking a candid look at policies, workflows, and technologies.

Traditional Risks

In a recent State of the Healthcare Industry Cybersecurity Report, Black Book Market Research forecast that health care cyberattacks would sharply increase in the foreseeable future. The analysts noted that COVID-19 exponentially complicated the “security vs access” dilemma by forcing health IT staff to scramble to accommodate the increased demand for remote access but without additional security training. As hackers set their sights on high-value health information, 73% of the survey’s respondents indicated their infrastructures were unprepared to respond.

Against that backdrop, many traditional radiology systems pose their own unique risks. For example, although the DICOM standard is continually evolving, its initial development predates many current cyberthreats. In addition, radiology communication often happens via open communications ports on an organization’s network, with limited encryption. Standard protections, such as requiring the correct Application Entity Title before a system will answer a query, can be left at default values and bypassed through other workarounds.
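Because an Application Entity Title is a configured label rather than a credential, a DICOM service is better defended by treating the title as one factor and pairing it with an explicit peer allowlist. The following added example (not from the article or from Novarad) parses the fixed header of a DICOM A-ASSOCIATE-RQ PDU and rejects associations that use a default title, address the wrong SCP, or arrive from a host outside the allowlist; the AE titles, IP addresses and default-title list are constructed placeholders.

```python
import struct

# Fixed part of a DICOM A-ASSOCIATE-RQ PDU (PS3.8 section 9.3.2):
# type(1) reserved(1) length(4 BE) version(2) reserved(2)
# called AE(16) calling AE(16) reserved(32), then the variable items.
ASSOC_RQ_TYPE = 0x01
FIXED_HEADER = struct.Struct(">BBIHH16s16s32x")
LOCAL_AE = "RAD_SCP"  # assumed title of the SCP doing the check
# Constructed allowlist of (calling AE title, source IP) pairs.
ALLOWED_PEERS = {("CT_ROOM1", "10.10.5.21"), ("PACS_ARCHIVE", "10.10.5.10")}
# Assumed examples of factory-default titles an audit should flag.
DEFAULT_TITLES = {"ANY-SCP", "ANY-SCU", "ECHOSCU", "STORESCU", "DCMTK"}

def parse_associate_rq(pdu: bytes) -> tuple[str, str]:
    """Return (called AE, calling AE) from the fixed header; ValueError if malformed."""
    if len(pdu) < FIXED_HEADER.size:
        raise ValueError("PDU shorter than the A-ASSOCIATE-RQ fixed header")
    pdu_type, _, length, version, _, called, calling = FIXED_HEADER.unpack_from(pdu)
    if pdu_type != ASSOC_RQ_TYPE:
        raise ValueError(f"not an A-ASSOCIATE-RQ (PDU type 0x{pdu_type:02x})")
    if length != len(pdu) - 6:
        raise ValueError("PDU length field does not match the bytes received")
    if not version & 0x0001:
        raise ValueError("peer does not offer DICOM upper layer protocol version 1")
    # AE titles are space-padded ASCII; strip the padding before comparing.
    return (called.decode("ascii", "replace").strip(),
            calling.decode("ascii", "replace").strip())

def evaluate_association(pdu: bytes, src_ip: str) -> tuple[bool, str]:
    """Accept only allowlisted peers that address this SCP by its real title."""
    try:
        called_ae, calling_ae = parse_associate_rq(pdu)
    except ValueError as exc:
        return False, f"reject: {exc}"
    if called_ae != LOCAL_AE:
        return False, f"reject: called AE '{called_ae}' is not this SCP"
    if calling_ae in DEFAULT_TITLES:
        return False, f"reject: calling AE '{calling_ae}' is a vendor default"
    if (calling_ae, src_ip) not in ALLOWED_PEERS:
        return False, f"reject: '{calling_ae}' from {src_ip} is not allowlisted"
    return True, f"accept: {calling_ae}@{src_ip} -> {called_ae}"

def build_associate_rq(called: str, calling: str) -> bytes:
    """Header-only A-ASSOCIATE-RQ used to construct sample input (no variable items)."""
    body = struct.pack(">HH16s16s32x", 1, 0,
                       called.ljust(16).encode("ascii"), calling.ljust(16).encode("ascii"))
    return struct.pack(">BBI", ASSOC_RQ_TYPE, 0, len(body)) + body
```

The source address still has to come from the transport layer (and, ideally, from a TLS client certificate), since nothing inside the PDU itself is authenticated.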

What’s crucial to understand is that cybercriminals don’t always target specific organizations. They may not care what kind of business they impact or its size. They simply launch bots that search the internet looking for any open communication channels they can exploit.

That means even the smallest radiology groups are at risk. Keep in mind that electronic personal health information (ePHI) is particularly attractive to cybercriminals. They can sell ePHI on the dark web for 10 times the value of a list of credit card numbers, which makes any health care information especially vulnerable.

Furthermore, the more channels open to the internet, the higher the risk. That’s why the recent emphasis on remote access during the pandemic has raised cyberthreat levels. However, as teleradiology and remote work arrangements continue to gather steam, radiology teams can play a part in keeping hackers at bay.

Balance Security and Access

Compliance and security should never be considered a destination to be reached. Instead, the goal is to make compliance and security an ongoing way of doing business. Even small radiology organizations without a lot of IT expertise can work toward more accessible and secure operations.

Whenever possible, rely on multiple points of view to evaluate technology systems. For example, bring in either the IT department or an IT consultant to question how any given technology protects information. To balance security and access, radiology teams can take steps such as the following:

Policies and Workflows

  • Develop, communicate, and enforce policies and procedures. Don’t be lulled into believing that compliant technology products alone can guarantee cybersecurity. Secure technologies are just one piece of the puzzle. Achieving true compliance and security also requires establishing, routinely communicating, and enforcing well-defined policies and procedures.
  • Conduct periodic security audits. Audits can take many forms. What’s your policy for how often you conduct audits? How many users are enabled in your system—and should they all be enabled? Who has varying levels of access? Is there a policy for handling attrition to ensure access is disabled? The goal of audits is to catch mistakes and oversights as well as outright misuse.
  • Minimize workarounds. A few years ago, it was common to find username/password reminders written on sticky notes and stuck to radiology workstation monitors. Although such practices are diminishing, it’s important to remain vigilant to prevent them from reappearing. Along the same lines, radiology teams can put policies in place that prohibit the sharing of usernames and passwords, encourage password complexity, and set password lockouts.
  • Individualize log-on credentials. Another fading practice that still must be guarded against is allowing everyone to log on to a workstation using the same credentials. Radiology teams should instead require each individual to log on to workstations using their own username and password.

Technologies

  • Use internet firewalls and internal firewalls to limit cyberattack exposure. A recent report by German software security company Greenbone shed light on the extent of global ePHI exposure risk created by unsecured DICOM ports. Firewalls are one way to help reduce that risk.
  • Leverage a secure online portal to ease information access. Rather than unsecured e-mails or faxes, a simple web page with encrypted data and log-on requirements can be effective. As with any online presence, though, there is some risk. Consider safeguards such as separating the front-end web services from back-end data.
  • Authorize software to run on registered mobile devices only. One app, for example, alerts physicians on their registered mobile phones when radiology reports are ready. Nonregistered devices are denied.
  • Examine new technology designed to balance security with ease of use. Sharing images through QR codes, for instance, illustrates the continually evolving nature of technology use-cases.
  • Ensure your technology platforms receive security updates. Working on an outdated and unsupported Windows 7.0 operating system, for example, could open security risks. Likewise, ensure antimalware software is up to date.

Small Steps Toward Significant Results

The increased demand for remote access to radiology systems has highlighted the tightrope radiology teams must walk between security and ease of access. While challenging, it is possible to achieve both goals.

Every radiology team can reduce risk by prioritizing security assessments, even if only for a few minutes each week. Just be sure to do it regularly and set realistic expectations.

Start small, and build over time. Establish good security policies and procedures, then communicate and enforce them. Purchase technologies that simplify image access through secure methods. With minimal capital outlay, radiology teams can evaluate their vulnerabilities, address them, and start to crush cyberthreats, even as they improve access to crucial medical images.

— Doug Schroeppel is the executive vice president of technical services for Novarad.