Sleeping at Night: Cybersecurity, Patient Safety and the Radiology Department

No less than the Federal Bureau of Investigation put the healthcare industry on alert after a 2014 report [1] revealed that at least 375 U.S. healthcare-related organizations had been breached by hackers between September 2012 and October 2013—some unwittingly. Sifting through research from a global cybersecurity company, the author reported that 72% of the malicious traffic originated from providers and 7% from radiology software.

While the National Electrical Manufacturers Association (NEMA) had already published an extensive white paper on supply chain manufacturing best practices for preventing malware and virus infection, it did not specifically address medical imaging. At the close of 2014, NEMA’s medical imaging division, the Medical Imaging & Technology Alliance (MITA), began looking into the issue to see if further information was needed.

As chair of MITA’s medical imaging informatics (MII) section, Henri “Rik” Primo led the effort for MITA. “I didn’t consider myself an expert in cybersecurity, but I knew that among the manufacturers participating in MITA, we had some of the best in the medical imaging industry,” recalls Primo, director of strategic relationships in the medical informatics division of a global manufacturer. A MITA Cybersecurity Task Force (CTF) was formed and eight MITA member manufacturers dedicated resources to the CTF.

Several key vulnerabilities were identified in medical imaging, including unwanted disclosure of electronic protected health information (ePHI) and the potential to interfere with the correct functioning of medical imaging equipment. Because imaging devices are connected to the hospital intranet in an Internet of Things (IoT), these assets are vulnerable to malicious hackers.

In the past, when the CT scanning table approached the end of the scanning limit, the table would stop because it activated a switch. The start and end of an x-ray and the beginning and end of a fluoroscopy session also were manually controlled.

“Today, these functions are all software controlled,” Primo says. “A hacker could override the end-of-limit switch on the CT scanner, and the table would try to continue to advance, possibly causing a fire. Cybersecurity in the imaging department is not only about information security, it’s about patient safety.”

Vulnerabilities exist from within as well—so-called white-hat hacking efforts like penetration testing are undertaken by the IT department, Primo adds. If a patient is in the MRI scanner during one of these penetration tests, patient safety could be compromised.

After some months, the task force came to the conclusion that responsibility for cybersecurity in medical imaging extended beyond the manufacturing community and included the healthcare provider community. “It’s a matter of people, processes and technologies,” Primo says.

To loop in the primary user stakeholder, the CTF approached the ACR with its conclusion, and J. Raymond Geis, MD, then chair of the ACR Commission on Informatics, and his team agreed to provide input to the white paper. “Cybersecurity for Medical Imaging” [2], a NEMA/MITA white paper, was published in December 2015.

Shared ownership

The central tenet of the white paper is that manufacturers, installers, service staff and healthcare providers must accept shared ownership and responsibility to protect patients and assets from harm and to prevent inappropriate disclosure of ePHI. To that end, the paper is divided into four sections: device security, external security, securing communications and the responsible user.

In the device security section, the authors explain the concept of assurance testing to defend against unintended or unauthorized operation and recommend that manufacturers work with developers to embed software assurance activities early in the development process. Vendors also are urged to make incident-risk mitigation a high priority by designing simple interfaces and robust but rapid multifactor authentication—and to be clear and transparent about the types of security software installed within devices.

External security considerations call for providers to implement proper firewalls or other mechanisms to safeguard their medical devices, and for suppliers to document product-specific measures that minimize exposure on the network, close unused communications channels on their devices, and integrate whitelisting mechanisms on their devices to thwart malware. Virus protection also is recommended, but suppliers must ensure that updates do not impact safe operation.

For secure communications, the white paper specifies the use of standards and itemizes those standards. It also warns that device manufacturers are considered business associates (BAs) by providers if their devices interact with patient data, and are therefore subject to Health Insurance Portability and Accountability Act (HIPAA) Security Rule requirements for BAs.

In the responsible user section, the authors remind providers that their intranets are in fact connected to the Internet, albeit through a firewall: “Within healthcare, medical imaging was one of the earliest implementations of the ecosystem now called the Internet of Things (IoT). Most, if not all, imaging technologies rely on digital technology, software, and hardware connected to the IoT, which also can make these systems vulnerable to cyberattacks.”

The report urges the use of best-in-class imaging IT processes for the safe operation of imaging modalities, image and report distribution and all forms of sharing and communications (including CDs). It highlights five practices:

  1. audit logs for imaging equipment and informatics systems;
  2. change management for updating processes;
  3. formal participation by the imaging department in organization-wide cybersecurity planning;
  4. operational communications processes with IT and cybersecurity resources (to avoid penetration-testing incidents, for example); and
  5. incident patient information process.

Primo describes the white paper as a cookbook. “We not only ‘admired’ the problem, we gave very concrete advice to the manufacturers and the users of the equipment,” he says.

Building a defense

The paper concludes by referring those seeking to establish an effective HIPAA-aligned security program to an extensive list of resources, many of them freely available. A great first step is to study the risks.

“One of the things we recommend to imaging departments is to perform a risk assessment,” Primo says. “You don’t have to reinvent the wheel; the IEC 80001-1:2010 standard was designed to address the risk management for IT networks incorporating medical devices and offers a risk assessment checklist that is perfectly applicable to the imaging department.”

A HIMSS/NEMA-MITA standard known as the Medical Device Security Update (MDS2) provides medical device manufacturers a framework for disclosing the security-related features of the medical devices they manufacture to healthcare providers. 

The standard specifies an updated five-page form for each piece of equipment that a vendor sells. Essentially, these documents, referred to as MDS2s, provide the device-specific answers to the risk assessment questions in the IEC 80001 standard.

“When starting a risk assessment project, you should ask your vendors to provide, free of charge, the MDS2 form for the different brands and models of imaging equipment installed in your department or enterprise,” Primo advises, adding that most forms can be found on a vendor’s web site. “Download the risk assessment and match the questions asked in ISO 80001 with the answers provided in the MDS2.”
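As an added illustration of the matching step Primo describes, and not code from the white paper, MITA or any vendor, the script below compares constructed MDS2-style answer sheets for two devices against a checklist of controls and reports the gaps, treating an unanswered question as a gap rather than as a pass. The control identifiers, prompts, severities and device answers are all hypothetical placeholders made up for this example; they are not the real IEC 80001-1 checklist items or the real MDS2 item numbering.

```python
"""Gap analysis for an imaging-device risk assessment (constructed example).

The control ids, prompts and answer sheets below are hypothetical placeholders
standing in for checklist questions and device-specific MDS2 answers; they are
not the real IEC 80001-1 checklist wording or the real MDS2 item numbers.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Control:
    qid: str                          # hypothetical question id
    prompt: str                       # what a "Yes" answer means
    severity: str                     # risk if the control is absent or undisclosed
    applies_if: Optional[str] = None  # fact qid; waived only if that fact is "No"


@dataclass(frozen=True)
class Finding:
    qid: str
    severity: str
    reason: str


# Hypothetical controls. ENC_REST / ENC_TRANSIT only matter when the device
# actually stores / transmits ePHI, which the fact answers STORES_EPHI and
# TRANSMITS_EPHI disclose.
CONTROLS: List[Control] = [
    Control("ENC_REST", "ePHI on the device is encrypted at rest", "high", "STORES_EPHI"),
    Control("ENC_TRANSIT", "ePHI leaving the device is encrypted in transit", "high", "TRANSMITS_EPHI"),
    Control("PATCH", "Vendor supplies security patches for the OS/platform", "high"),
    Control("AUDIT", "Security-relevant events are written to an audit log", "medium"),
    Control("UNIQUE_AUTH", "Unique per-user authentication is supported", "medium"),
    Control("MALWARE", "Anti-malware or application whitelisting is supported", "medium"),
    Control("PORTS", "Unused network services can be disabled", "low"),
]


def assess(answers: Dict[str, str]) -> List[Finding]:
    """Match one device's answer sheet against CONTROLS and return the gaps."""
    findings: List[Finding] = []
    for c in CONTROLS:
        # Waive a conditional control only on an explicit "No" for the governing
        # fact; a missing fact answer is treated conservatively as "applies".
        if c.applies_if and answers.get(c.applies_if, "").strip().lower() == "no":
            continue
        ans = answers.get(c.qid, "").strip().lower()
        if ans == "yes":
            continue
        if ans == "":
            reason = "not disclosed by vendor"
        elif ans == "n/a":
            reason = "marked N/A although the control applies"
        else:
            reason = f"vendor answered '{answers[c.qid].strip()}'"
        findings.append(Finding(c.qid, c.severity, reason))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity level."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def prioritize(fleet: Dict[str, Dict[str, str]]) -> List[str]:
    """Order devices by gap counts: most high-severity gaps first, then medium, then low."""
    def key(name: str):
        s = summarize(assess(fleet[name]))
        return (-s["high"], -s["medium"], -s["low"], name)
    return sorted(fleet, key=key)


# Constructed answer sheets standing in for two vendors' MDS2 forms.
FLEET: Dict[str, Dict[str, str]] = {
    "ct-scanner-model-a": {
        "STORES_EPHI": "Yes", "TRANSMITS_EPHI": "Yes",
        "ENC_REST": "No", "ENC_TRANSIT": "Yes", "PATCH": "Yes",
        "AUDIT": "Yes", "UNIQUE_AUTH": "Yes", "MALWARE": "No", "PORTS": "Yes",
    },
    "ultrasound-model-b": {
        "STORES_EPHI": "No", "TRANSMITS_EPHI": "Yes",
        "ENC_REST": "N/A", "ENC_TRANSIT": "No", "PATCH": "Yes",
        "AUDIT": "Yes", "UNIQUE_AUTH": "No",
        # MALWARE and PORTS were left blank on this form
    },
}

if __name__ == "__main__":
    for name in prioritize(FLEET):
        print(name, summarize(assess(FLEET[name])))
        for f in assess(FLEET[name]):
            print(f"  [{f.severity}] {f.qid}: {f.reason}")
```

The ultrasound's "N/A" for encryption at rest is accepted because its sheet says it stores no ePHI, but the same "N/A" on a device that does store ePHI is reported as a gap, and blank answers are never silently treated as compliant; that is the distinction a reviewer most often has to make by hand when reading the forms.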

In the end, this is a story that will have no end. “Hackers will find new ways and new, nasty mechanisms to infect or break systems or endanger patient security in general,” he believes. “The MITA CTF will continue to be observant and publish updates on the white paper whenever we think it is necessary.”

Nonetheless, the greatest threat that healthcare organizations face may be the one within. By far, the leading sources of data breach, Primo says, are the loss or theft of unencrypted PCs, passwords on Post-it notes, phishing and other exploits. “Again, zero-breach cybersecurity is a matter of people, processes and technology,” he concludes.

Cheryl Proval,

Vice President, Executive Editor, Radiology Business

Cheryl began her career in journalism when Wite-Out was a relatively new technology. During the past 16 years, she has covered radiology and followed developments in healthcare policy. She holds a BA in History from the University of Delaware and likes nothing better than a good story, well told.
