Patient Safety: Not Hacking It
By Keith Loria
Radiology Today
Vol. 22 No. 6 P. 32

Radiology devices are vulnerable to hackers and cyberattacks.

As technological innovation continues to upgrade the tools radiologists use on a daily basis, the digital components that collect and transfer vital pieces of information from patients to computers and workstations grow more important. But these network connections are vulnerable to hackers, who are looking to break into hospital systems any way they can. With cyberattacks becoming more common, there is always some risk of a compromised system; all it takes is one vulnerable endpoint.

Due to the COVID-19 pandemic, a larger percentage of radiologists are working remotely. With employees working on less secure devices and unprotected wireless networks, hackers are more likely than ever to jump at the opportunity to breach private data. Studies show that cybercrimes cost the health care industry approximately $6.2 billion per year, and breaches are happening more frequently in 2021. Oliver Noble, a data encryption specialist at NordLocker, a file encryption software company, notes that the health care industry remains one of the most popular attack vectors.

“The threat has been significantly increasing since 2019 and reaching its peak amid the COVID-19 pandemic,” Noble says. “Hospitals have never been more vulnerable, as staff are overworked, more patient data circulate in the digital environment, more medical devices get connected to the network, and cybersecurity fails to be considered as a priority at the moment.”

All of these factors have been lures for hackers, who are opportunists exploiting any weak data access point.

“Unfortunately, medical equipment is known for lacking strong protection, thus attracting hackers who try to capitalize upon weaknesses to their advantage,” Noble says.

Hacked radiology equipment can cause a multitude of problems. For example, a compromised radiology device can allow hackers to tamper with exam results, potentially deceiving doctors into misdiagnosing patients, with life-altering consequences. Two years ago, cybersecurity researchers from Israel demonstrated how hackers can access medical scans of patients and add or remove malignant tumors from images, placing patients at risk.

Between 2009 and 2020, 3,705 health care data breaches of 500 or more records have been reported to the US Department of Health and Human Services’ Office for Civil Rights. Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 268,189,693 health care records.

Last fall, Universal Health Services (UHS), which has more than 400 health care facilities, suffered what was described as the largest medical cyberattack in US history when a ransomware attack caused the health system to suspend IT operations for weeks. The shutdown cost UHS $67 million.

In May, a ransomware attack on Ireland’s core patient management and radiology systems caused a country-wide shutdown of its services, the Health Service Executive (HSE). The HSE noted that all X-ray, MR, and CT scans across the country were halted, with radiation machines temporarily closed and treatment stopped at the country’s five radiology centers, St. Luke’s Hospital, Beaumont Hospital, St. James’s Hospital, Galway University Hospital, and Cork University Hospital. A breach such as this can endanger patients.

Mitigating Risks
Whether it’s radiology equipment or any other medical device, there are ways to limit hackers and cybercriminals.

“[One method is to adopt] zero-trust network access, meaning that every access request by a member of medical staff should be granted only after their identity has been appropriately verified,” Noble says.

Another method is to encrypt medical files to avoid data tampering or information leaks from ransomware. Yet another is better employee training as to what types of information are collected on what devices, how the information is stored, and what are the potential risks and threats to the data.

“Enabling encryption between PACS and the hosts in the hospital’s radiology network is vital,” Noble says.

He says this can be done by installing digital signatures to sign every critical action with a secure mark of authenticity; creating a centralized view of all devices connected to a network to monitor their expected behavior and look for red flags, if any of the activities deviates from the norm; and using a custodial provider to protect medical records.

“This means that an agency safeguards the data, and third parties like clinics need to request temporary access,” Noble says. “Another idea is to store data backups in an encrypted cloud, in case a ransomware hits. This ensures the data don’t get leaked and access isn’t lost.”

Limiting the number of personal devices connected to the network is also recommended so a health system can control access to information. Employees should be able to access only the information necessary to do their jobs.

“Investing in multilayer detection and recovery systems can also mitigate risk,” Noble says. “Installing such a system helps to identify and prevent malware installation.”

Preventing the use of file transfer protocol servers operating in anonymous mode is important, as well; malicious actors can use the anonymous flaw in such servers to steal sensitive information or launch a targeted cyberattack.

“Adding strong firewalls and using a [virtual private network] can offset some of the risks that come with additional connected devices,” Noble says. “The most important requirement should be for the network radiology devices that are connected to be properly protected against cyberattacks. Also, each device needs to have individual protection put around it, as different devices have different configurations, hence, different vulnerabilities.”

As hackers’ skillsets continue to grow, so does the number of cybersecurity companies who work diligently to protect against cyberattacks and ransomware. The board of a hospital or any other health care provider should understand the necessity of cybersecurity practices and dedicated funding to this area.

“A good start is adding security requirements to purchase agreements with vendors,” Noble says. “The latter should make sure the firmware is up to date and keep hospitals notified of the ways their equipment could be exploited. Also, there are AI-based security systems that can be implemented in a hospital to constantly understand patterns and protect data automatically, while anticipating and identifying any nefarious activity.”

— Keith Loria is a freelance writer based in Oakton, Virginia. He is a frequent contributor to Radiology Today.