Starting a week with news of a patient data breach through a radiology interface is not comforting to many imaging centers or radiology departments. The total cost could easily run into millions of dollars, considering that tens of thousands of patient records are at stake and the average cost per breached record is around $400. Clearly, cyber risk management is not something that imaging center or hospital leadership should take lightly or delegate down in the organization. Radiology departments and diagnostic imaging centers in general are more susceptible to cyber events because of (a) equipment exposure to many interfaces, (b) vulnerabilities in the equipment, (c) the criticality of the equipment and (d) underdeveloped or unenforced processes and policies.
Medical imaging equipment such as CT, MRI, ultrasound and X-ray systems, along with their supporting computers, are increasingly connected to the hospital’s enterprise IT network and to the outside world via the internet. These interfaces are built on the Digital Imaging and Communications in Medicine (DICOM) standard. According to a publication presented at RSNA 2017, about 3,000 DICOM servers worldwide remain open and unsecured. In fact, a large percentage of those are fully open to DICOM communication with outside computers, significantly increasing the risk of cyber attacks.
Diagnostic imaging equipment is expensive; hence, these systems are expected to remain in operation for 10 – 20 years. At times, they run on end-of-life, unsupported operating systems. For example, many imaging systems in operation today still run Windows XP, even though Microsoft ended support for Windows XP in 2014. It is scary when you couple this with the fact that 120 million new malware samples are discovered each year! Not managing these vulnerabilities via tools, processes and policies exposes radiology departments and imaging centers to potential cyber attacks.
Medical diagnostic imaging plays a critical role in patient care. If a piece of imaging equipment were unavailable, it would cost a lot in terms of lost revenue. A system malfunction could lead to patient safety concerns, directly or indirectly. For example, a patient could potentially be hurt if they are undergoing a procedure when the device functions improperly. Defects in images could potentially lead to a wrong diagnosis or therapy. In fact, researchers from the Ben-Gurion University of the Negev have performed cyber attacks on a CT system to demonstrate (i) disruption of configuration files, (ii) mechanical disruption of the device’s motors, (iii) disruption of image results and (iv) denial of service (DoS). This criticality, together with the potential vulnerabilities and broad exposure, makes imaging systems attractive targets for ransomware.
It is important to note that human error contributed to 81% of healthcare cyber events. This typically points to either underdeveloped or unenforced processes and policies. It isn’t surprising to find deactivated firewalls, automated updates turned off, open ports or default credentials on many imaging systems.
In general, imaging centers and radiology departments need a holistic approach to cybersecurity, focusing not only on medical devices but also on the associated medical IT networks, processes, policies, training and governance methods. Small to medium-sized enterprises may not have all the in-house resources to manage cyber risks. For these organizations, MediTechSafe offers both professional services and software tools, as outlined below, under the MediRisk Solution umbrella.
MediTechSafe has developed a proprietary solution to help hospitals manage risks related to cybersecurity, medical devices and clinical networks. If you are a healthcare provider (or a biomed services provider) interested in learning more about MediTechSafe’s solution, you can reach us at info@MediTechSafe.com.