By Doug Schroeppel
Radiology teams have a delicate balance to strike when it comes to cybersecurity. On one hand, it’s essential to safeguard radiology systems from unauthorized access and security breaches. On the other hand, it’s imperative for providers and patients to have easy access to the images they need.
These two end goals—ease of use and security—are diametrically opposed. However, it’s possible to find a happy medium that reduces security risks and shores up HIPAA compliance while simplifying image access. The key is for radiology teams to view cybersecurity risk holistically, taking a candid look at policies, workflows, and technologies.
In a recent State of the Healthcare Industry Cybersecurity Report, Black Book Market Research forecast that health care cyberattacks would sharply increase in the foreseeable future. The analysts noted that COVID-19 exponentially complicated the “security vs access” dilemma by forcing health IT staff to scramble to accommodate the increased demand for remote access but without additional security training. As hackers set their sights on high-value health information, 73% of the survey’s respondents indicated their infrastructures were unprepared to respond.
Against that backdrop, many traditional radiology systems pose other unique risks. For example, although the DICOM standard is continually evolving, its initial development predates many current cyberthreats. In addition, radiology communication often happens via open communications ports on an organization’s network, with limited encryption. Standard protections—such as having to know the proper Application Entity Title to query a system—can be set to defaults and compromised by other workarounds.
What’s crucial to understand is that cybercriminals don’t always target specific organizations. They may not care what kind of business they impact or its size. They simply launch bots that search the internet looking for any open communication channels they can exploit.
That means even the smallest radiology groups are at risk. Keep in mind that electronic personal health information (ePHI) is particularly attractive to cybercriminals. They can sell ePHI on the dark web for 10 times the value of a list of credit card numbers, which makes any health care information especially vulnerable.
Furthermore, the more channels open to the internet, the higher the risk. That’s why the recent emphasis on remote access during the pandemic has raised cyberthreat levels. However, as teleradiology and remote work arrangements continue to gather steam, radiology teams can play a part in keeping hackers at bay.
Balance Security and Access
Compliance and security should never be considered a destination to be reached. Instead, the goal is to make compliance and security an ongoing way of doing business. Even small radiology organizations without a lot of IT expertise can work toward more accessible and secure operations.
Whenever possible, rely on multiple points of view to evaluate technology systems. For example, bring in either the IT department or an IT consultant to question how any given technology protects information. To balance security and access, radiology teams can take steps such as the following:
Policies and Workflows
Small Steps Toward Significant Results
The increased demand for remote access to radiology systems has highlighted the tightrope radiology teams must walk between security and ease of access. While challenging, it is possible to achieve both goals.
Every radiology team can reduce risk by prioritizing security assessments, even if only for a few minutes each week. Just be sure to do it regularly and set realistic expectations.
Start small, and build over time. Establish good security policies and procedures, then communicate and enforce them. Purchase technologies that simplify image access through secure methods. With minimal capital outlay, radiology teams can evaluate their vulnerabilities, address them, and start to crush cyberthreats, even as they improve access to crucial medical images.
— Doug Schroeppel is the executive vice president of technical services for Novarad.