March 2017

Imaging Informatics: Out of Network
By Dave Yeager
Radiology Today
Vol. 18 No. 3 P. 8

Stronger security measures are needed to protect provider networks from hackers.

Data breaches are nothing new, but they occurred at an all-time high in 2016, according to a January 2017 report by the Identity Theft Resource Center (ITRC). The 1,093 breaches that were logged in 2016 represented a 40% increase over 2015, the ITRC reports. The report also found that although the health care sector saw a drop in the total number of breaches from their peak in 2012, health care was still the second leading industry affected by cyberattacks, by far.

"As we aggregate larger amounts of data about our patients, those collections of data become attractive to hackers," says Jim Whitfill, MD, CMO of Innovation Care Partners in Phoenix and president of Lumetis. "If you have a patient's medical record, it's much more valuable than a stolen credit card, for two reasons: One is that it's easy to do identity theft because the records have a lot of the patient's personal information; there's also a thriving industry of fraudulent claims submission."

Soft Targets
One of the simplest ways to protect patient data is to keep software patched and up to date. Whitfill says all software is vulnerable, and the best strategy is to patch it as fast as possible. He notes that the FDA encourages health care organizations to keep their software patched.

Increasing demands for interoperability make security more of a necessity than ever. Encrypting data can help with data exchange, but Whitfill says older versions of software can make encryption challenging. In many cases, upgrading to the newest version of software may require a large capital expenditure, which many organizations may find difficult to fit into their budgets. Upgrading technology is desirable, however, Whitfill says, because old technology will lead to software vulnerabilities and doesn't allow organizations to take advantage of technological advances, such as encrypting data at rest.

"The reason we're not encrypting data at rest, especially in health care, is because many of us are dealing with systems that were designed, engineered, and maybe even implemented more than 10 years ago," Whitfill says. "People are now starting to embed encryption at rest in their core systems, but if you're running an EMR or a RIS or a PACS that was designed in 2004, there may not even be an economically viable pathway toward encrypting that data."

Hard Targets
Along with the data in databases, medical devices can be targeted by hackers as well. Much of this medical hardware is tightly regulated by the FDA, making device security more of a challenge, says Jay Dowling, PACS administrator at Temecula Valley Hospital in Temecula, California. Dowling says updating software and getting devices off of older operating systems should be priorities. Ransomware tends to target older operating systems like Windows XP, and when vendors develop a newer model of a device, for example, they often stop upgrading the operating system and software on older models, Dowling says.

"When confronted about this, vendors complain that it costs too much money to get the FDA approvals to upgrade older devices," Dowling says.

Being prepared is the most important aspect of data security, Dowling says. He adds that it's important to review the Medical Device Security statements for each piece of equipment to determine whether a vendor allows data encryption on their device; all workstations are encrypted, but medical devices may not be. He recommends doing a thorough inventory of all medical devices to uncover less obvious data sources as well, such as printers or scanners, which may have hidden operating systems.

Dowling also recommends that USB drives be locked down and portable devices be left in well-trafficked areas to discourage tampering. He says connecting devices to an active directory whenever possible is the most efficient way of monitoring them. That way, they can be deactivated remotely when necessary, rather than manually.
Because physical security is usually the weakest link, Dowling says managing users is a key factor in data security. Medical devices should be password protected whenever possible, he says, noting that MR and CT are less of a problem than portable devices such as ultrasound. For all devices, he recommends three levels of data access: technologist, manager, and administrator.

"You need to trust your employees," Dowling says. "You don't want to lock the system down so they can't do anything, but you don't want them taking large chunks of data off of the machines."

Other Concerns
The growing threat of ransomware has been well documented, Whitfill says, and it is extremely hard to crack; the FBI usually recommends that the affected health care organization pay the hackers because, in many cases, the FBI can't decrypt it. Although ransomware is a serious problem as it relates to patient information, it could pose an immediate threat to patient health. Devices such as infusion pumps, for example, or systems such as pharmacy ordering systems could be used to cause direct patient harm if not protected adequately. Whitfill says, in addition to patient data, physicians and health care organizations need to start thinking about potential threats to patient health and how to mitigate those threats.

"You could imagine those types of vulnerabilities being exploited either for terrorist activities or by organized crime, which is starting to get involved with cybercrime as well," Whitfill says.

One possible solution that Whitfill mentions is airgapping, a policy the defense industry developed to protect sensitive data. Essentially, machines with sensitive data are kept on networks that are inaccessible from other organizational networks. Health care organizations may be able to protect some networks in this way but, as the need for interoperability increases, additional measures will be necessary as well.

Whitfill says health care providers should make their concerns known to medical device vendors. He believes that "bug bounty" programs, such as those used by other industries, can help find software vulnerabilities and fix them. Historically, medical device manufacturers have been reluctant to publicize vulnerabilities.

"Until recently, many of the medical device manufacturers have tried to keep people quiet about failures, rather than acknowledging the failures and fixing them," Whitfill says.

But the most important change that health care organizations can make, however, is to embrace IT security, Whitfill says. Many providers have tended to view security as a burden, and many IT people have tended to focus on compliance, rather than implementing solutions that mitigate the risk of attacks, he adds. More collaboration between end users and IT can make patients and their data safer.

"Collectively, end users and IT security people need to work more collaboratively to identify the things that cause the most risk to our patients' health and those things that are likely to be high risk to our patients' health information, with less of a compliance-driven approach and more of an outcome-driven approach," Whitfill says. "In the end, we have a mission to care for our patients and make their health better, and that includes sharing health information. Figuring out how to do that without walling ourselves off from the rest of the world will be critical."

— Dave Yeager is the editor of Radiology Today.

These tips for working with vendors to improve system security were provided by Jay Dowling, PACS administrator at Temecula Valley Hospital in Temecula, California.

All manufacturers will be able to provide you with a copy of the Standard HN 1-2013 Manufacturer Disclosure Statement for Medical Device Security (MDS2). Make sure you get the form that relates to the software version you are using. This form will tell you which security modifications and updates the manufacturer allows and does not allow.

Now that you know what you can do, the next step is to work with the vendor and your biomedical and IT departments to lock down your systems, bearing in mind the following:

• If your systems are using an outdated operating system (OS) like Windows XP, make upgrading that system a priority.
• If you cannot upgrade your systems, the next best thing is to put a firewall box between your system and the rest of the network. Work with your IT department and vendors to put these in place.
• Some vendors only allow specific versions of antivirus software, and the MDS2 will tell you which antivirus programs you can use. Some vendors will also only approve certain virus definitions with their approved software. If this is the case, you will need to work with them to get the approved definitions.
• Most vendors can provide you with a list of approved OS updates. If the vendor allows it, set up the system for automatic updates.
• If the vendor allows it, join your systems to your Windows domain. This will help with users who always forget their passwords.
• If you cannot join your system to the domain, work with your vendors so all of your employees have their own user accounts.
• For service accounts that have to be on the system, have vendors create a new password that is not the factory default. Make sure to document this password so that anyone who services your machine can find it.

Demand better from your vendors. If your vendors are not releasing OS and virus updates fast enough, let them know. Make security checks part of your purchasing by asking for the MDS2 along with quotes. If you find an issue, bring it up to the salespeople. The more complaints that vendors hear, the more they will realize that this is a priority.