Imaging Informatics: Six Best Practices for Radiology IT
By Clinton A. Pownall
Vol. 22 No. 8 P. 36
Radiology is one of the most IT-intensive disciplines within health care. Just about everything associated with imaging, from capture to storage, retrieval, reading, and reporting, happens across digital networks. Advances in IT have improved the efficiency of radiology to the point that the IT infrastructure itself now plays a foundational role in supporting a practice, which means that infrastructure requires continual attention.
Continual attention might sound onerous, since radiology practices already invest heavily in their IT infrastructure. And unlike hospitals and other large health care organizations, which count employees in the hundreds or thousands, a radiology practice may have very limited internal IT support. That does not mean radiology organizations must do without the 24/7 IT coverage found elsewhere, nor that they must incur significant cost to get it.
Whether your practice has its own team of IT specialists or uses a third-party IT services provider, following best practices can ensure that your IT infrastructure remains solid.
Robust Backup Systems
In the early days of IT, backups existed in case a computer crashed, an application became corrupted, or a hard drive failed. Those were the good old days. Today, robust backups are required for all of the above plus the threat of cyber criminals and other bad actors, including ransomware that encrypts your data and demands payment to unlock it. The backups must be out of the attacker's reach: if your backup drives or backup share are mounted on, or reachable from, the network that was compromised, the ransomware will encrypt them along with everything else, and many strains go looking for accessible backups and volume shadow copies and delete them before encrypting. Note, too, that encrypting your own files at rest is good practice for other reasons, but it does nothing to stop ransomware from encrypting your already-encrypted files. Ask your internal IT staff or third-party IT service provider to confirm that you keep multiple copies on more than one medium, including a cloud copy and an onsite copy that is offline or otherwise not connected to your main network (immutable or write-once storage where the product supports it), and that restores from those copies are tested on a schedule rather than assumed to work.
Server Virtualization for Efficiency and High Availability
If you haven't already virtualized your servers, chances are good that you would benefit by doing so. Traditionally, IT architecture was a collection of dedicated boxes: an e-mail server, an application server, a storage server, the PACS, and DICOM servers. Virtualization runs those functions as virtual machines on a smaller pool of physical hosts, which improves CPU, memory, and storage utilization, simplifies maintenance, and, when the hosts are clustered with shared storage, provides high availability. It is the clustering that delivers the resilience, not virtualization by itself: if one host fails, its virtual machines are restarted on the surviving hosts, which absorb the extra load, so radiologists keep reading, accounting keeps its books, and nobody loses e-mail beyond a brief interruption. IT is alerted, a replacement host is added to the cluster, and service continues. Two caveats: size the cluster so that it still has capacity after losing a node, and keep the hypervisor management interfaces on a restricted network, because whoever controls the management plane controls every virtual machine on it.
Disaster Recovery Plans
Every radiology practice should have a current disaster recovery plan for its IT resources. If you lose servers to fire, theft, natural disaster, or a ransomware or other cyberattack, what steps would you take, and in which order? Who would you call? How long would it take to recover, and how much data could you afford to lose? Put numbers on those last two (a recovery time objective and a recovery point objective) so there is something to test against. Treat this as a due diligence check on your internal IT staff or your outside IT service provider: ask to see the plan, and step through it without bringing production systems down. "You have backups? Great! Show me. Bring up yesterday's data," restored onto a spare or isolated system, with someone confirming that the studies open and the reports are intact.
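The restore check described in the two preceding sections ("Show me. Bring up yesterday's data.") can be scripted so that it is run every time rather than when someone remembers. The following is an added example written for this article, not the author's or any backup vendor's tool: it records a SHA-256 manifest of every file when the backup is taken and compares a restored tree against that manifest, so a backup set that was silently encrypted by ransomware, corrupted on the media, or restored incomplete fails loudly instead of being discovered during an outage. The sample tree, file contents, and simulated tampering are constructed for the demonstration.

```python
"""Manifest-based restore check. Added example for this article, not the
author's or any vendor's tool; the sample tree, file contents, and the
simulated ransomware tampering are constructed for the demonstration."""
from __future__ import annotations
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Record relative path -> SHA-256 for every file under root. Keep the
    manifest with the backup and a copy elsewhere, never only on the system
    being backed up, or the attacker can rewrite it along with the data."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time.
    'changed' catches files that were overwritten (encrypted by ransomware,
    or corrupted on the media); 'missing' catches an incomplete restore;
    'extra' catches files that should not be there, such as a ransom note."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(set(current) - set(manifest)),
    }


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: back up two files, then simulate ransomware
    overwriting one and dropping a note before the restore is checked."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "studies"
        src.mkdir()
        # 128-byte preamble followed by "DICM", the layout of a DICOM file header
        (src / "study1.dcm").write_bytes(b"\x00" * 128 + b"DICM")
        (src / "report.txt").write_text("Chest CT: no acute findings.\n")
        manifest_path = Path(d) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))

        # Tampering: contents replaced with ciphertext-like bytes, note added
        (src / "study1.dcm").write_bytes(os.urandom(132))
        (src / "README_DECRYPT.txt").write_text("Your files are encrypted.\n")

        return verify_restore(src, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In production the manifest would be written by the backup job and the verification run against the restored copy on the isolated test system, with any non-empty list treated as a failed restore test, not a warning.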
Storage Planning
Radiologists need plenty of storage. Practices have gone from measuring storage in megabytes to gigabytes to terabytes, and depending on how imaging technology evolves we may see petabytes and beyond. You may not need it all today, however. Don't purchase or subscribe to more storage than you need this year, but don't ignore what you'll need next year. Work with your internal or external IT resources to estimate yearly growth from study volume, modality output, and your retention obligations, and provision accordingly. In short, don't let someone sell you storage capacity you won't need for another 10 years.
Use HL7 Interfaces
Health Level Seven (HL7) is an international set of standards for exchanging clinical and administrative data between systems that would otherwise be incompatible. In radiology it typically carries orders, patient demographics, and results and reports between the RIS, PACS, EHR, and referrers; the images themselves travel by DICOM, not HL7. Use standards-based interfaces whenever possible for referrals, reports, and other communication that carries protected health information. Keep in mind that HL7 v2 messages, and the MLLP transport they usually ride on, have no encryption or authentication of their own, so the link must be protected, by TLS where the interface engine supports it or by a virtual private network between sites, and the messages should never be logged or e-mailed in the clear. Digital interfaces are not complex to set up, and they eliminate the manual handling by health care staff that comes with faxing or hand-carried media such as CDs or USB thumb drives, which are also easily lost.
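To make the cleartext point concrete, the following is an added example written for this article, not the author's code or any interface engine's. It frames a constructed HL7 v2.5 ORU^R01 result message for MLLP, parses it far enough to pull out the message type, patient identifier, name, and report text, and shows a redaction step for anything that goes to a log. The patient, identifiers, and report are fictional; the field numbering (MSH-9 message type, PID-3 identifier, PID-5 name, OBX-5 value) follows HL7 v2.x.

```python
"""HL7 v2 handling: MLLP framing, a minimal parser, and log redaction.
Added example for this article, not the author's code or any interface
engine's; the message is constructed with a fictional patient."""
from __future__ import annotations

# MLLP frames a message as <VT> message <FS><CR>. It supplies framing only:
# no encryption and no authentication, so every field below crosses the
# wire in clear text unless the connection is wrapped in TLS or a VPN.
VT, FS, CR = b"\x0b", b"\x1c", b"\x0d"

# Constructed ORU^R01 (unsolicited result) message, HL7 v2.5, fictional patient.
SAMPLE_ORU = "\r".join([
    "MSH|^~\\&|RIS|RAD|PACS|RAD|20210315120000||ORU^R01|MSG0001|P|2.5",
    "PID|1||MRN12345^^^RAD^MR||DOE^JANE||19800101|F",
    "OBR|1|ORD0001||CT^CT Chest|||20210315113000",
    "OBX|1|TX|RPT^Radiology Report||Chest CT: no acute findings.||||||F",
])


def mllp_frame(message: str) -> bytes:
    return VT + message.encode("utf-8") + FS + CR


def mllp_unframe(data: bytes) -> str:
    if not (data.startswith(VT) and data.endswith(FS + CR)):
        raise ValueError("not an MLLP frame")
    return data[len(VT):-len(FS + CR)].decode("utf-8")


def parse_hl7(message: str) -> dict[str, list[list[str]]]:
    """Split into segments keyed by segment ID; each segment is its list of
    fields with index 0 = segment ID, so seg[n] is field n (HL7 numbering).
    MSH is the exception: the separator after 'MSH' is itself MSH-1, so it
    is reinserted to keep the numbering right (MSH-9 = message type)."""
    sep = message[3]                      # MSH-1, normally '|'
    segments: dict[str, list[list[str]]] = {}
    for raw in message.split("\r"):
        if not raw:
            continue
        fields = raw.split(sep)
        if fields[0] == "MSH":
            fields = ["MSH", sep] + fields[1:]
        segments.setdefault(fields[0], []).append(fields)
    return segments


def component(field: str, n: int) -> str:
    """n-th (1-based) '^'-separated component of a field, or '' if absent."""
    parts = field.split("^")
    return parts[n - 1] if n <= len(parts) else ""


def extract_report(message: str) -> dict:
    seg = parse_hl7(message)
    msh, pid = seg["MSH"][0], seg["PID"][0]
    return {
        "message_type": msh[9],
        "version": msh[12],
        "patient_id": component(pid[3], 1),
        "patient_name": f"{component(pid[5], 2)} {component(pid[5], 1)}".strip(),
        # OBX-2 is the value type; TX is free text, and OBX-5 holds the value
        "report": [obx[5] for obx in seg.get("OBX", []) if obx[2] == "TX"],
    }


# PID fields that carry PHI: external/internal/alternate IDs, name, date of
# birth, address, phone, and SSN.
PHI_PID_FIELDS = (2, 3, 4, 5, 7, 11, 13, 19)


def redact_for_log(message: str) -> str:
    """Blank PHI-bearing PID fields before a message is written to a log."""
    sep = message[3]
    out = []
    for raw in message.split("\r"):
        fields = raw.split(sep)
        if fields[0] == "PID":
            for i in PHI_PID_FIELDS:
                if i < len(fields):
                    fields[i] = "[REDACTED]"
        out.append(sep.join(fields))
    return "\r".join(out)


if __name__ == "__main__":
    wire = mllp_frame(SAMPLE_ORU)
    print(extract_report(mllp_unframe(wire)))
    print(redact_for_log(SAMPLE_ORU).replace("\r", "\n"))
```

The framed bytes contain the patient identifier and name exactly as typed, which is what a packet capture on an unprotected link would show; the redaction function is for interface-engine logs, which are a common place for PHI to leak even when the link itself is encrypted.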
Security
Security is absolutely essential to protecting your practice. Year after year, health care organizations rank among the most targeted by cyber criminals and other bad actors. Don't assume your practice is too far off the beaten track to be attacked. Attackers run automated scanners that sweep the entire internet for exposed applications with unpatched vulnerabilities; nobody has to single you out, because the reconnaissance and the initial attack are both automated, so every internet-connected practice is a potential target. Radiology Today provides an excellent overview of security in its highly recommended March 2021 article "Open to Attack."
The following is a quick look at some of the security elements you should review with your internal IT team or IT security provider to ensure they are in place.
Security needs to be a constant. Everyone in the organization must be able to recognize phishing, in which bad actors send e-mails, texts, or other messages that try to trick a user into clicking a link or opening an attachment. Spear phishing is more sophisticated and targeted: if you received an e-mail inviting you to speak at a radiology conference or to consider a position elsewhere, would you click the URL to learn more? That is the lure North Korean actors used against US aerospace workers, and the link delivered software that gave the attackers quiet access to the victims' networks. Because the lures change, awareness training should be reviewed and updated on an ongoing basis, and staff need a simple, blame-free way to report a suspicious message, since a report is worth most in the minutes before anyone clicks.
Continual Software and System Security Updates
As noted above, automated scanners continually search the internet for systems running unpatched software. Make sure your internal IT staff or third-party IT service provider has a process to monitor for security updates from every vendor in your environment (operating systems, hypervisors, PACS and RIS software, network equipment, and the imaging modalities themselves), test them, and apply them promptly, so that the attack surface stays as small as possible. That process depends on an inventory of what is installed, because you cannot patch what you do not know you have, and modalities the vendor will not patch should be isolated on their own network segment rather than left exposed.
System Monitoring and Intrusion Detection
Again, ask whoever provides your IT services what they do for system monitoring and intrusion detection. Endpoint detection and response agents on every monitored device add behavioural detection, which catches ransomware by what it does (rewriting many files in a short time) rather than by a signature it may not have yet. Some products go further and, on detecting ransomware-like activity, snapshot files to a protected area on the device, disconnect the node from the network, and then raise an alert. Ask which of those responses your product actually performs, whether the isolation has been tested on a real workstation, and who receives the alert at 2 AM.
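What "detecting ransomware" looks like in practice is a behavioural rule. The following is an added example written for this article, not any vendor's product logic: a small detector that watches file-write events and flags a process that overwrites many distinct files with near-random (high-entropy) content inside a short window, while leaving alone a legitimate archiver that writes a few compressed studies. The event stream, process names, and thresholds are constructed for the demonstration; a real agent would take its events from the kernel and act on the returned decision by killing the process and isolating the host.

```python
"""Behavioural ransomware heuristic over file events. Added example for this
article, not any EDR product's logic; events, names and thresholds are
constructed for the demonstration."""
from __future__ import annotations
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float        # seconds
    pid: int
    process: str
    op: str          # "write" or "rename"
    path: str
    entropy: float   # Shannon entropy of the bytes written, 0..8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random or encrypted data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareDetector:
    """Flag a process that, within WINDOW seconds, overwrites at least
    THRESHOLD distinct files with near-random content or renames them.
    Compressed studies (JPEG-in-DICOM) are also high-entropy, so the rule
    keys on volume and rate, not on any single file."""
    WINDOW = 10.0
    THRESHOLD = 20
    HIGH_ENTROPY = 7.5

    def __init__(self) -> None:
        self.recent: dict[int, deque] = defaultdict(deque)   # pid -> (ts, path)
        self.flagged: set[int] = set()

    def observe(self, ev: FileEvent) -> dict | None:
        """Feed one event; return a response decision the first time a
        process crosses the threshold, otherwise None."""
        suspicious = ev.op == "rename" or (ev.op == "write" and ev.entropy >= self.HIGH_ENTROPY)
        if not suspicious or ev.pid in self.flagged:
            return None
        q = self.recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > self.WINDOW:   # drop events outside the window
            q.popleft()
        touched = {p for _, p in q}
        if len(touched) >= self.THRESHOLD:
            self.flagged.add(ev.pid)
            return {"pid": ev.pid, "process": ev.process, "files": len(touched),
                    "actions": ["kill_process", "isolate_host", "alert_soc"]}
        return None


def run_demo() -> list[dict]:
    """Constructed stream: a PACS archiver writing a handful of compressed
    studies, a report being edited, and one process encrypting 25 studies."""
    det = RansomwareDetector()
    ciphertext = shannon_entropy(bytes(range(256)) * 16)           # 8.0 bits/byte
    text = shannon_entropy(b"Chest CT: no acute findings. " * 40)  # well under 7.5
    events = [FileEvent(100 + i, 1001, "pacs_archiver", "write", f"/pacs/archive/study{i}.dcm", ciphertext)
              for i in range(5)]
    events.append(FileEvent(105.0, 2002, "winword.exe", "write", "/home/rad/report.docx", text))
    events += [FileEvent(200 + i * 0.1, 4242, "svchost_update.exe", "write", f"/pacs/studies/s{i}.dcm", ciphertext)
               for i in range(25)]
    events.sort(key=lambda e: e.ts)
    return [alert for alert in (det.observe(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The thresholds are the tuning knob: set THRESHOLD below the number of studies a nightly archiving job writes in ten seconds and you get false positives on the archiver; set it too high and the ransomware has finished a directory before the rule fires. That trade-off is exactly what a vendor's "AI" is tuning on your behalf, which is why it is worth asking how it was validated on imaging workloads.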
Regular Security Audits
On a regular basis, have someone work with your internal or external IT team to audit the basics: confirm that firewall rules are correct and still needed; ensure that connected devices, including imaging modalities, use strong, non-default credentials, with multifactor authentication for any remote access; close ports and services that are not needed; establish granular, least-privilege access to IT resources; verify the robustness of the backup system; and demonstrate, not merely describe, the ability to recover from a disaster.
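The "close unneeded ports" item can be checked from output the host already gives you. The following is an added example written for this article, not the author's or any audit tool's: it parses constructed lines in the shape of Linux `ss -tlnp` output against an allowlist of the services a radiology server is expected to expose (SSH, DICOM, HL7 MLLP, HTTPS) and reports anything else, including services that are permitted but must bind only to loopback. The sample output, process names, and policy are constructed; port 104 for DICOM and port 2575 for HL7 MLLP are conventional defaults, not requirements.

```python
"""Listening-port audit against an allowlist. Added example for this
article, not a real tool; the ss output and policy below are constructed."""
from __future__ import annotations
import re

# Expected services: port -> process name allowed to own it (constructed policy).
ALLOWED = {22: "sshd", 104: "dcmrcv", 2575: "hl7_listener", 443: "nginx"}
# Services that may listen, but only on loopback.
LOOPBACK_ONLY = {5432: "postgres", 3306: "mysqld"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample in the shape of `ss -tlnp` output for one host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:104       0.0.0.0:*     users:(("dcmrcv",pid=1201,fd=5))
LISTEN 0      128    0.0.0.0:2575      0.0.0.0:*     users:(("hl7_listener",pid=1305,fd=4))
LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*     users:(("postgres",pid=900,fd=6))
LISTEN 0      128    0.0.0.0:3306      0.0.0.0:*     users:(("mysqld",pid=950,fd=7))
LISTEN 0      128    0.0.0.0:23        0.0.0.0:*     users:(("telnetd",pid=77,fd=3))
LISTEN 0      128    0.0.0.0:3389      0.0.0.0:*     users:(("xrdp",pid=1400,fd=9))
LISTEN 0      128    [::]:443          [::]:*        users:(("nginx",pid=600,fd=7))
"""

# State, queues, local addr:port, peer addr:port, then an optional owning process.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_listeners(text: str) -> list[dict]:
    """One record per LISTEN line: local address, port, owning process."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append({"addr": m["addr"], "port": int(m["port"]),
                        "process": m["proc"] or "?"})
    return out


def audit_listeners(text: str) -> list[dict]:
    """Return one finding per socket that violates the policy, sorted by port."""
    findings = []
    for s in parse_listeners(text):
        port, proc, addr = s["port"], s["process"], s["addr"]
        if port in ALLOWED:
            if proc != ALLOWED[port]:   # right port, wrong program: investigate
                findings.append({**s, "finding": f"port {port} owned by {proc}, expected {ALLOWED[port]}"})
        elif port in LOOPBACK_ONLY:
            if addr not in LOOPBACK:
                findings.append({**s, "finding": f"{proc} on {port} must bind to loopback only, found {addr}"})
        else:
            findings.append({**s, "finding": f"unexpected listener {proc} on port {port}; close it or add to policy"})
    return sorted(findings, key=lambda f: f["port"])


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f['addr']}:{f['port']:<5} {f['process']:<14} {f['finding']}")
```

Run against the sample, the audit flags telnet on 23, the database exposed on 0.0.0.0:3306, and RDP on 3389, and stays quiet about the four expected services and the loopback-bound database. The policy is the valuable part: once it is written down, the same script run monthly tells you when something new has started listening.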
Employing these six best practices is a starting point, not the end. They will help radiology practices move toward a culture of security in what is, unfortunately, an ever more threatening environment for businesses.
— Clinton A. Pownall is the president and CEO of Computer Business Consultants and has been in the IT field since 1990. He served in the US Navy for six years as a weapons systems technician and has a Bachelor of Science in Computer Engineering. Through Computer Business, he was one of the first to pioneer VoIP technology using satellite communications.