Today, PACS and VNAs are at the center of almost all medical imaging departments. The growing use of diagnostic imaging, such as MRIs, CT scans, cardiology videos and nuclear medicine, has made images a common part of patient medical records.
A breach of an imaging system could expose sensitive and protected health information to a risk of being used for fraud or other criminal purposes. At RSNA 2018, the poor security of many enterprise imaging systems was a frequently discussed topic. It was said that security in these systems deserves more attention as they often contain information just as sensitive as patient records in the EMR. It is not an exaggeration to say that both healthcare providers and vendors need to address the cybersecurity of these systems to a higher degree than they are today.
To be completely transparent, there is no fully secure enterprise imaging system. But selecting a vendor that has the right knowledge in cybersecurity can provide a strong foundation for your efforts to mitigate the risk of breaches.
Patient data—the new “black market” currency
Access to and ownership of patient data has become a highly valuable currency in the criminal world, used to blackmail providers to pay significant amounts of money to get data back or to unlock infected systems. Today, a patient record is more valuable than credit card details on the black market. According to Forbes (1), credit card details go for about 25 cents, while a patient record can be worth hundreds or even thousands of dollars.
The scary part is that healthcare organizations in general seem much slower to discover they have suffered a breach than the average industry. Of 144 investigated providers, it took an average of 308 days for organizations to find out they had been breached (2), compared with the industry average of 99 days (3). For almost a whole year, on average, criminals had access to systems and most likely patient data without anyone’s knowledge.
Another striking aspect is that enterprise imaging systems from some well-established vendors have recently been the subject of ICS-CERT advisories for severe vulnerabilities in their PACS and VNAs (4).
The costs of a breach could be destructive
The threat of a breach of enterprise imaging systems is real, and the resulting costs of a breach could be destructive for the provider. All security breaches in health records need to be reported by law and can lead to millions of dollars in costs for identity-theft protections, IT forensics and government fines for providers.
The cost for an average-sized breach in the US in 2017 can be estimated at USD 6.1 million (5), an amount that could cause severe problems for a provider. This sum does not include the average 64% increase in annual marketing costs (6) necessary to minimize patient loss to competitors.
Cybersecurity—top of mind for the CMIO
Today’s high risk of breaches and their consequences have put cybersecurity (or IT security) top of mind for those in charge of purchasing decisions within healthcare IT, according to a survey by TechTarget (7). The report states:
“The big university hospitals and IDNs are being attacked all the time […] At risk is increasingly valuable data that thieves can use for insurance fraud, identity theft, and copying trade and process secrets.”
In 2017, more than 5.6 million patient records were stolen or exposed in healthcare breaches in the US. These breaches are not usually performed by individuals, but rather are increasingly becoming organized activities carried out by large organizations and even governments. (2)
This has led to providers conducting a more careful evaluation of IT vendors in terms of how well their systems are designed and what skill set their personnel has.
How to evaluate the systems’ security
It is not easy to evaluate an IT system’s vulnerability to attacks. One source is the ICS-CERT Advisory (5), which publishes information about security issues, vulnerabilities and exploits in medical systems. On its website, it is possible to find reports on specific enterprise imaging systems that are considered vulnerable to security breaches and similar attacks. Examples of shortcomings range from hard-coded credentials, information exposure and code vulnerabilities to a low skill level among the vendor’s employees.
The only real way of properly evaluating an IT system is to perform custom penetration tests of the system once it has been installed in its proper production environment. Automated scanning is one thing, but it will only get you so far. There are no silver bullets.
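One practical way to use advisories such as those above is to check them continuously against what is actually deployed, so that the systems needing a pen test or an urgent patch are identified first. The script below is an added example written for this discussion, not code from the original post or from any vendor; the advisory identifiers, product names, versions, hostnames and CVSS values are constructed placeholders, and it assumes simple dotted numeric version strings.

```python
"""Match security advisories against an inventory of deployed enterprise
imaging systems and rank the resulting exposures.

Added example for illustration. All advisory records, product names,
versions and hostnames below are constructed placeholders, not real
ICS-CERT data or real products.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier (constructed)
    product: str       # affected product name as the advisory states it
    fixed_in: str      # first version that contains the fix
    weakness: str      # weakness class named by the advisory
    cvss: float        # CVSS base score published with the advisory


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    internet_exposed: bool  # reachable from outside the hospital network


def parse_version(version: str) -> tuple[int, ...]:
    """Assumes dotted numeric versions such as '4.2.1'."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, advisory: Advisory) -> bool:
    """An asset is affected if it runs the advisory's product at a version
    older than the first fixed version."""
    return (
        asset.product == advisory.product
        and parse_version(asset.version) < parse_version(advisory.fixed_in)
    )


def risk_score(asset: Asset, advisory: Advisory) -> float:
    """Weight the published CVSS score up for systems exposed to the
    internet, so they are triaged first."""
    return advisory.cvss * (1.5 if asset.internet_exposed else 1.0)


def match_advisories(assets: list[Asset], advisories: list[Advisory]) -> list[tuple[Asset, Advisory]]:
    """Return every (asset, advisory) pair that applies, highest risk first."""
    findings = [
        (asset, adv)
        for asset in assets
        for adv in advisories
        if is_affected(asset, adv)
    ]
    findings.sort(key=lambda pair: risk_score(*pair), reverse=True)
    return findings


# Constructed advisory records (identifiers and scores are placeholders).
ADVISORIES = [
    Advisory("EXAMPLE-ADV-001", "ExamplePACS", "4.2.1", "hard-coded credentials (CWE-798)", 9.8),
    Advisory("EXAMPLE-ADV-002", "ExampleVNA", "2.0.0", "information exposure (CWE-200)", 5.3),
    Advisory("EXAMPLE-ADV-003", "ExamplePACS", "4.0.0", "path traversal (CWE-22)", 7.5),
]

# Constructed inventory of deployed imaging systems.
ASSETS = [
    Asset("pacs-core-01", "ExamplePACS", "4.1.0", internet_exposed=False),
    Asset("pacs-portal-01", "ExamplePACS", "3.9.2", internet_exposed=True),
    Asset("vna-archive-01", "ExampleVNA", "2.0.0", internet_exposed=False),
]


def report(assets: list[Asset], advisories: list[Advisory]) -> list[str]:
    """Human-readable triage list, one line per finding."""
    return [
        f"{risk_score(a, adv):5.1f}  {a.hostname:15} {a.product} {a.version}  "
        f"{adv.advisory_id}: {adv.weakness} (fixed in {adv.fixed_in})"
        for a, adv in match_advisories(assets, advisories)
    ]


if __name__ == "__main__":
    for line in report(ASSETS, ADVISORIES):
        print(line)
```

The internet-facing portal running the oldest version lands at the top of the list, the internal core server with the same hard-coded-credential advisory follows, and the VNA already at the fixed version produces no finding. In practice the advisory records would be parsed from the published advisory format rather than typed in, and the exposure flag would come from the network inventory.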
Vendor knowledge is key
As already mentioned, no system is fully secure, and insiders and the organization’s training and processes will always play a significant role in minimizing the risk of patient data theft.
When it comes to cybersecurity, it is all about creating an “onion” model of security safeguards where the imaging system’s security plays a crucial role. Therefore, it is important that your enterprise imaging vendor has the necessary skill set when it comes to cybersecurity. Without the right knowledge, a vendor’s system will not be able to provide a sufficiently high security level.
A high degree of empowerment among employees, at both the vendor and the provider, has also proven to be a success factor. One example is the WannaCry ransomware incident in 2017, where the time it took to upgrade old Windows versions was crucial to preventing and mitigating the damage caused by the attacks. Thus, the vendor’s support capabilities and responsiveness play an important role, along with continued monitoring of the system.
Your IT environment will never be safer than its weakest link. By making sure your enterprise imaging vendor has the right knowledge in cybersecurity, you will have one less thing to worry about.
Sources and inspiration
- Part of the “Industrial Control Systems Cyber Emergency Response Team”, https://ics-cert.us-cert.gov/