Imaging Informatics: Securing the Future of Imaging
By Dhaval Shah and Shujah Das Gupta
Radiology Today
Vol. 24 No. 2 P. 6

Radiology operations are increasingly on the tip of the spear in the battle to provide patients with fast access to diagnostic imaging while simultaneously safeguarding patient data. There are realistic steps they can take to accomplish both.

In radiology, there is a feeling of fatigue as the cyberthreat landscape continues to grow, driven by an ever more bold community of sophisticated criminal syndicates and hackers. The constant stream of warnings and headlines can be overwhelming for anyone who handles patient data or is tasked with safeguarding the systems they reside in.

A quick search of recent news demonstrates the scope and breadth of the problem: a radiology firm reported a data breach to Montana’s Attorney General on September 2. Another in New Mexico informed its patients of a data breach on October 12, just days before a similar operation in Hawaii began to turn away patients on October 20 because personal data were compromised.

Radiology operations are attacked with frightening frequency, even as the Cybersecurity and Infrastructure Security Agency, the FBI, and others go to great lengths to warn health care organizations of evolving threats and provide expert advice to evade them. Now, in a new year, more threats are likely to emerge.

We all know what is at stake. Any data breach results in public scrutiny and, in most cases, legal action. Clinical care will be interrupted, and most importantly, patient outcomes may be impacted, particularly if diagnostic scans are delayed while radiology departments grapple with post breach investigations.

Perhaps that’s why it comes as no surprise that cybersecurity resilience is a top priority among executives. A recent report by Cisco Security Outcomes Report, Volume 3—found that 96% across all industries consider security resilience a high priority.

Verizon’s 2022 Data Breach Investigations Report puts this reality in context for clinical environments, noting that “Health care has increasingly become a target of run-of-the-mill hacking attacks and the more impactful ransomware campaigns.” Notably, the report’s authors confirmed 849 data breach incidents in health care over the past year, with 571 resulting in “confirmed data disclosure.”

The report also found that employees, who most commonly expose networks by accident, are no longer the key offenders. As the report notes, “With the rise of the Basic Web Application Attacks pattern in this vertical, those inside actors no longer hold sway. Move over, insiders; the big dogs are here.”

For radiology departments, the sheer breadth of the resulting cybersecurity challenge and these more sophisticated attacks can be particularly problematic. On the front lines of patient engagement, many are under immense pressure to deliver the results of diagnostic scans faster than ever before. Patients, even those in areas where broadband constraints make delivering sophisticated images difficult, increasingly want to see their results right away.

It’s a reality that tasks radiology departments not only with safeguarding patient data within the confines of their network but also while sharing them in patient portals and hubs and through physicians’ and patients’ mobile devices—all of which exposes patient data to far greater risk from data breaches.

Additional challenges, among them the dramatic increase in data volumes created by today’s more sophisticated imaging technologies, further strain technology infrastructure. Three dimensional mammography images, for example, are 20 times larger than their two-dimensional predecessors—a reality that pushes the on-premises resources of many radiology operations to their limits.

Best Practices
In light of these challenges, many radiology operations simply hope they will not be the next target. Fortunately, though, there are realistic steps all leaders can take to strengthen their defenses, such as:

Advocate for cybersecurity awareness and ongoing training among employees, colleagues, and leadership. Phishing remains the most common attack vector for ransomware attacks despite the fact that it can be the easiest to prevent with adequate training. There is no one perfect defense in today’s highly integrated health care ecosystem, but awareness is the first step in creating a culture that values and encourages secure operations. By staying informed of the government’s alerts and setting aside a few minutes each day to review cyber security related news, radiology leaders can help foster the situational awareness and overall vigilance that is crucial to protect any organization.

Make sure your department is in compliance with the latest standards. IT developers are now required to make Fast Healthcare Interoperability Resources–based application programming interfaces (APIs) available to their customers—a requirement that reflects the dramatic increase in API use in health care as well as the reality that outdated APIs are an open door for hackers. While department leaders may not understand the technical side of various standards, it is imperative that they confirm whether the proper ones are in use. This same premise applies to all hardware and software. Audit your department for legacy IT systems that pose a security risk and address them.

Look to the cloud. All of the major hyperscalers, including Amazon Web Services, Google Cloud, and Microsoft Azure, now offer cloud instances designed specifically for health care. Few on-premises networks or data centers can offer the robust security safeguards they feature or economically provide the same level of computational performance or storage capacity.

Manage patient consent. As patient data are increasingly being accessed beyond the walls of the hospital, integrating patient consent into clinical workflows is becoming increasingly important. For providers, evaluating how consent is handled across products should become a more significant factor for evaluating new technology solutions and enhancements.

Fully vet your vendors. Notably, when looking at partners, including value-added resellers and managed service providers, it is imperative to work with those who have demonstrated experience in health care. Make sure that they too are compliant. For cloud vendors, this increasingly includes not only demonstrating that they passed their HIPAA security audit but have also earned the HITRUST certification. For cloud-native products that handle protected health information data, ISO 27018 compliance is also growing in importance.

Embrace a zero-trust architecture and use best-in-class encryption. Architect the infrastructure that shares, analyzes, and stores medical images and scans to assume that no person, device, or application can be trusted. Just as importantly, use military grade encryption for all scans and images at rest and in transit to patient portals and mobile devices.

Hire a trusted third-party to find your weaknesses. Some radiology operations hesitate to hire an expert third-party to conduct cybersecurity, penetration, and compliance testing out of fear they won’t be able to fix any issues uncovered. Knowledge is the best defense. It is imperative to know your weaknesses.

Remain vigilant. Cybersecurity demands constant learning. Make sure a member of your team attends an industry event annually. For example, during RSNA 2022, the session “Artificial Intelligence and Cybersecurity in Healthcare” explored how bad actors could manipulate medical images by manipulating AI algorithms.

There is no silver bullet that will protect radiology operations from cyberattacks in today’s ever expanding threat landscape. But with knowledge and proactive action, radiologists and department leaders can make it far more difficult for those who intend to do harm.

Dhaval Shah, executive vice president at CitiusTech, has more than two decades of experience in health care IT, including senior-level roles in engineering, research, software development, IT architecture, and management roles serving pharmaceutical companies, physicians’ practices, and health insurance companies.

Shujah Das Gupta, vice president of medical technology at CitiusTech, has 18 years of experience in health care technology with a focus on medical imaging, interoperability, and the digital transformation of health care IT for pharmaceutical companies, providers, payers, technology hardware and software vendors, and service providers.