Fighting Back
By Beth W. Orenstein
Radiology Today
Vol. 18 No. 11 P. 18

Radiology needs to beef up proactive measures to prevent security breaches.

Last year, the health records of almost 17 million Americans were exposed, due largely to lost or stolen devices, hacking, and unauthorized disclosures, according to data from the US Department of Health and Human Services. The number of security breaches in 2016—328—were an all-time high, according to Bitglass, a protection company based in Campbell, California.

Health care hackers appear to be busy worldwide this year as well. One of the largest breaches was in May: A large ransomware attack hit the National Health Service of England and Scotland. Within two days, the WannaCry ransomware attack had spread to health systems in 150 countries.

Cyberattacks on patients' health care information are scary enough, says Henri "Rik" Primo, chair of the medical imaging informatics section of the Medical Imaging and Technology Alliance (MITA), a division of the National Electrical Manufacturers Association (NEMA). Primo also manages strategic relationships for the digital health services department in Siemens Healthineers. However, he says, the threat is not just to patients' medical and financial information and Social Security numbers; it's to their safety.

"What if a hack interferes with the correct operation of equipment?" Primo says. "Think of a CT scanner. What if the hacker interfered with the correct functioning of the scanner? Patient safety could be compromised."

James Whitfill, MD, CIIP, CMO for Innovation Care Partners in Phoenix and an active member of HIMSS, agrees: "It is not just patients' information that's at risk of being compromised but their health itself."

Like Primo, Whitfill says he's "really frightened" about the potential for hackers to affect implantable devices and imaging equipment that could kill patients. The scene in a season two episode of the Showtime series Homeland in which a known terrorist was able to murder the vice president by accessing his pacemaker remotely, wasn't that farfetched, he says. Hacker groups have been known to want to punish hospitals, he adds. What greater revenge than killing patients?

"You can imagine dark situations within imaging because we have machines that can deliver potentially lethal amounts of energy," Whitfill says.

When it comes to protecting medical images and imaging equipment, it's not as simple as using common security practices, says Grant Cermak, chief security and information officer for NucleusHealth, which is in the business of storing, viewing, and interpreting medical images. He says medical imaging has an additional challenge that makes it harder to protect than other health care information: the size of its files.

"It becomes an even bigger challenge to protect because the files are often quite large," Cermak says. "If you employ security measures that impede your system performance, those needing to access medical images will become frustrated. If you deliver a solution that is very secure but not performing, then you have a big problem."

Keys to Cyberattack Prevention
Given this very real threat to patient safety, Primo, Whitfill, and Cermak recommend health care systems and their radiology departments do the following to best protect themselves from cyberattacks.

Focus on more than policy. Policy and being HIPAA-compliant is important, Whitfill says; however, organizations tend to put too much stock in having policies in place and don't pay enough attention to possible threats. Focusing on policy gives them too great a sense of security, he says.

"Even if the policy doesn't make sense or work, as long as you showed that you had a security policy, people were happy," Whitfill says. "We have to get away from these policy-driven approaches to one where we are actively thinking about threats that are realistically there and how to best mitigate them. We have to move away from the idea of saying, 'Here's what we will do if we are attacked.' Instead, assume that we are always under attack and know what to do to mitigate the damage."

Most organizations have limited budgets for security, Whitfill says. "If you put 80% of your budget into compliance and 20% into monitoring and dealing with penetration threats, you are out of kilter," he says, noting that, for the best results, it should be the other way around. "Have 80% to 90% of your security budget go to threat mitigation," Whitfill says.

Work with device manufacturers when purchasing equipment. "Cybersecurity is an ecosystem with shared responsibility between health care providers and manufacturers," Primo says. "It's all about people, processes, and technology."

In October 2013, NEMA and HIMSS jointly published a document, Manufacturer Disclosure Statement for Medical Device Security, known as MDS2. The form provides a comprehensive list of security questions that purchasers of imaging equipment and manufacturers should jointly address, Primo says. It also allows buyers to compare security features of the devices they are considering, he says.

"Manufacturers must make systems that are strong, not vulnerable, and offer their users advice on what the best practices are to prevent them from being hacked," Primo says.

Also, he says, make sure the radiology department has a good service contract with its manufacturers and that the software running its equipment is constantly updated. "You know there will always be new viruses, new bugs," Primo says. "It's not a question of what, but when, and you want your systems and equipment to be ready."

Use phrases, not complex passwords. The problem with complex passwords is that people can't remember them so they write them down, Whitfill says. They might write the password on a sticky note and post it on the equipment—where anyone can see it and gain access to the system. "We have to get away from routine password changing with characters and numbers because it's doing a lot more harm than good," Whitfill says. Longer passphrases such as "Jim Whitfill wears tinfoil" are harder to hack than using eight-character passwords where perhaps S is a 3 and O is 0, Whitfill says.

It's good practice to have strong unique passwords for every user in every system that radiologists and others in the department need to access, Cermak says. Reusing passwords makes them easier to remember but also much more vulnerable, he notes. Using a password management system is the recommended best practice, something such as LastPass or Dashlane, Cermak adds.

The three also say users should be aware of the new US National Institute for Standards and Technology guidelines for password policies. These include the following:
• Make password policies user friendly and, when possible, put the burden on the verifier.
• Passwords should be a minimum of eight characters and a maximum of 64. They should allow all special characters as well as emojis.
• Don't require password changes unnecessarily. They should only be reset if they are forgotten or if they have been phished or stolen. Changing complicated passwords too often puts too much stress on users to remember them, making users more likely to write them down and put them in places where they are easily accessible.

Keep encryption access keys separate from the systems they secure. Many systems don't have a proper process for placing encryption keys far away from the lock, but it's good practice to do so, Cermak says. "You should have your keys managed off site with separate security policies to determine who can get access to those keys," he says, adding that regular audits of key usage—who accessed the keys and when—ensures that they are being used properly.

Match access to responsibility. Not everyone needs to have the highest-level credentials, Cermak says. "Don't give out high-privilege credentials when that person doesn't need high-privilege credentials," he says, adding that new people in the organization should be given the least possible privileges to function in their job. "You don't know them as well as people who have worked for the organization for a long time, which adds an additional level of scrutiny."

Additionally, credential hygiene is critical. "High-privilege credentials must never be used on systems where security is not tightly controlled," Cermak says.

Appoint a chief security officer (CSO). The security landscape is rapidly changing, Whitfill says. Ransomware was showing up on the radar a year and a half ago. Today, it's an epidemic, he says, and health care systems and medical imaging have been proven vulnerable. Having someone who is in charge of cybersecurity is becoming a necessity in many places, he says. The CSO can take command, make the imaging staff aware of potential cybersecurity threats, and see to it that the best technology and practices are in place.

Embed IT staff in radiology. At most health care systems, the IT staff is charged with building firewalls to keep out hackers. That's important and a good protection, but it's not enough, Primo says. Rather than having to call on IT staff when a problem arises, it is best to embed IT staff members in the radiology department to prevent problems, he says. The IT staff in the department can also suggest improvements and coach staff through security procedures.

IT staff should routinely test the system to see whether the security features are indeed working, Primo adds. They just have to be sure that the CT scanner, for example, is not in use at the time and that the manufacturers are aware of the testing when it's done, he notes.

Whitfill also recommends intrusion detection systems or honeypots. "These two technologies sit inside your network and look for canaries in the coal mine to tell you when you've been compromised," he explains. "They are able to give you a heads up should an attack be imminent."

Isolate imaging from the system network. It is important that the radiology department have its own internal intranet that is separate from the health system's and has up-to-date firewalls, Primo says. "It really isn't a burden to have a vertical network," Primo says. Not only is it more secure if it is isolated but it also speeds the transfer of images. "It is a positive for performance, given the size of most imaging files. A CT study can make 1,000 or more slices, and you're generating several gigabytes when it comes to it," he says.

Use open-source software. On one hand, this advice may seem counterintuitive because open-source software has a large community of users. But it's that large number of users looking for potential vulnerabilities that is protective, Cermak says. "With open-source projects, large communities are constantly looking at these systems and trying to ensure they are secure and that there aren't malicious things inside them," he says. "When you use proprietary software, you are at the mercy of the vendor to patch the software and keep your system solid."

And don't forget the basics: All staff needs to be trained on tasks such as how to identify phishing attacks, not clicking on suspicious or malicious links, and avoiding sites that may be compromised, Cermak says. "Sometimes it's small things that you do incorrectly that can lead to really big problems," he says.

In its 2016 NEMA/MITA white paper, CSP 1-2016 Cybersecurity for Medical Imaging, NEMA concludes that the axiom, "An ounce of prevention is worth a pound of cure" rings true. "It is much more critical to take a proactive, rather than a reactive, position," NEMA says.

— Beth W. Orenstein, of Northampton, Pennsylvania, is a freelance writer and regular contributor to Radiology Today.