Managing to Succeed: Radiology's Cybersecurity Landscape
By Ned Campbell
Radiology Today
Vol. 19 No. 7 P. 8

It seems as though every day there is news of another major data security breach in our country. It's clear that the health care industry is one of the favored targets of cybercriminals; more than 16 million patient records were breached in 2016.

Department of Health and Human Services Office of Civil Rights (HHS-OCR) HIPAA breach settlements totaled a record $24 million in 2016. According to predictions by credit reporting firm Experian, the health care industry will continue to be a target for cyber attackers while "personal medical information remains one of the most valuable types of data for attackers to steal."1

While most data security attacks have focused on large health care systems, that does not mean radiology practices are immune from these cybersecurity threats. Radiology practices manage a complex data environment with many systems and entities where protected health information (PHI) is transmitted and stored, including RIS, PACS, computer information systems, DICOM, imaging equipment, mobile devices, e-mails, short message service messaging, cloud storage, patient portals, and revenue cycle management systems.

Each of these poses a unique set of data security challenges and provides a wide attack surface to guard and secure against cybersecurity attacks. As these systems and processes are often provided by a third-party vendor or outsourced completely to a service organization, a radiology practice's data security environment almost always extends to a complex variety of business associates.

The Threats Are Real
The health care cybersecurity threat landscape has an ever-expanding attack surface, with motivated and well-funded cybercriminals who can carry out creative, sophisticated attacks on private and often protected health care information from radiology practices and their business associates. These include but aren't limited to the following:

  • social engineering and phishing attack campaigns that target individual users;
  • malware, zero-day attacks, and botnets that target systems and medical devices to exploit default administrative credentials and known software vulnerabilities;
  • ransomware attacks that target network and application infrastructure;
  • targeted hacking of mobile devices via unsecured wireless networks, operating system flaws, and downloaded malicious applications;
  • interception of unencrypted PHI data transmissions;
  • structured query language injections to exploit insecure internet-facing applications; and
  • stolen or lost devices containing unencrypted PHI.

If these outside threats are not enough, employees still pose one of the greatest risks to health care organizations and their business associates. According to a 2016 data security incident response report from BakerHostetler, 24% of health care data breaches resulted from employee errors.2 Social engineering, phishing, and spear phishing campaigns targeting individual users are on a sharp increase with growing sophistication across all industries.

Data Breach Impacts Can Be Significant
Although the largest health care data breaches of 2016 were nowhere near the scale of those seen in 2015 (eg, Anthem, Premera, and Excellus), more than 16 million patient records were compromised in breaches involving more than 500 patients. Of these major breach incidents, 275 were reported by providers and 20 were reported by business associates. The potential impact to health care providers of a single data breach are significant in terms of cost, disruption, and reputational impact. Consider the following:

  • HHS-OCR HIPAA breach settlements and civil money penalties are escalating in both frequency and magnitude. One HHS-OCR settlement affecting only 6,800 individuals amounted to $4.8 million in 2016.
  • For breaches affecting more than 500 patients, both the HHS-OCR and local media outlets must be notified within 60 days of discovery of the breach.
  • Regardless of the number of patients involved, breach notification letters must be submitted within 60 days by first class postage to all affected patients.
  • Postbreach identity protection must often be provided for affected patients for one to two years, with an estimated cost of $10 per individual per month.
  • Lost business reputation can create a patient churn rate of 5% to 6% following a data breach.
  • Class action lawsuits often arise, with average claimed damages of $1,000 per victim, not counting negligence claims.
  • Other miscellaneous costs can include organizational disruption, public relations/crisis communications, technical investigations, and increased cost to raise debt.3

A Strategic Priority
Given both the growing number of health care cybersecurity threats and the potentially significant impacts from a data breach, radiology practices need to consider data security a critical business priority for their own practice and their business associates. At Zotec Partners, we consider data security a mission-critical strategic priority utilizing a three-part strategy: organizational commitment, technology and processes, and external certification. In developing their own data security controls and evaluating their business associates' data security standards and controls, a radiology practice may consider a similar approach.

Organizational Commitment
Data security requires a true organizational commitment by a company's executive team and shareholders, as effective data security requires time, resources, and investments. Companies that invest in a dedicated information security department of certified information security professionals with separate operating/capital expense budgets to execute strategic information security projects can keep pace with the evolving data security threats in order to implement security best practices.

New employee onboarding, including ongoing security awareness and education of all employees, is one of the most important investments a practice can make in data security. Providing security training above and beyond the "annual HIPAA education requirements" and frequently communicating security reminders are two effective means of building a workforce that is sensitized and responsive to data security threats. As an example, in order to sensitize employees to phishing attacks and provide additional training to employees as needed, companies might deploy customized employee phishing campaigns periodically throughout the year.

Technology and Processes
There are many data security technology solutions available in the market today that health care organizations can use to prevent, monitor, and respond to potential data security risks and threats. Technology tools, when coupled with prevention, monitoring, and detection processes executed by an information security team can create a multilayered network of defense against cybersecurity threats. These technology and processes may include the following:

  • intrusion detection and prevention tools;
  • endpoint and mobile device protection tools;
  • data transmission encryption tools;
  • security incident and event/log management systems;
  • internal threat detection and intelligence tools; and
  • robust patch and software update programs.

External Certification
External third-party examination and certification of security practices and those of business associates are a third way for radiology practices to enhance data security. The following are two common certifications:

  • The SOC-2 security certification is established by the American Institute of Certified Public Accountants in accordance with the Statement on Standards for Attestation Engagements 16 professional standards, and it focuses on a service organization's controls related to the security, availability, integrity, confidentiality, and privacy of information and systems. SOC-2 certification is designed to give a company's clients and stakeholders insight and assurances into the security controls of a service organization.
  • PCI DSS 3.2 compliance is a comprehensive card security standard regulated by the world's leading credit card companies, including American Express, Discover, JCB, MasterCard, and Visa. The standard evaluates data security of credit card payment applications and service providers by assessing a business's network architecture, technology platforms, security policies, and data protection procedures and is a critical certification for any organization that stores, processes, or transmits credit card data.

It's essential for radiology practices to be aware of the growing breadth and depth of health care cybersecurity threats and ensure their data security controls and methods are evolving to provide adequate protection to their patients' valuable data. Organizational commitment, technology and processes, and external certification may be important steps to consider for a practice. The resources, expertise, and data security practices are also important factors for radiology practices to consider with their revenue cycle management partners and other business associates to whom they entrust their patient data.

— Ned Campbell is the executive vice president of quality and compliance for Zotec Partners, a national provider of radiology revenue cycle and practice management. He has worked in the health care industry since year 1991, and is specialized in operations quality, coding and billing compliance, and information security. Ned serves on the Zotec Compliance and Security Committees.

1. Fourth annual 2017 data breach industry forecast. Experian website.

2. Is your organization compromise ready? 2016 data security incident response report. BakerHostetler website.

3. HIPAA breach costs. HIPAA Journal.