While the world turned its attention to the healthcare urgencies created by COVID-19, the global pandemic presented increased opportunities for cyber attackers targeting the healthcare industry. The US Department of Health and Human Services reported an increase in healthcare cyberattacks during the COVID-19 crisis[i]. Today’s healthcare delivery infrastructure is heavily dependent on the digital connectivity of medical devices. Protecting this infrastructure with cybersecurity measures should be a top priority. Specifically in radiology, medical imaging devices and enterprise imaging systems play a significant role in the healthcare delivery infrastructure. Effective cybersecurity is critical in helping to ensure the security of such devices and healthcare networks, as well as patient privacy and health information.
With the significant rise in the use of connected medical devices, despite their potential for positively impacting care, there is a growing risk that malicious threat actors could modify or control connected devices and access patient data, creating risks for patient privacy or otherwise adversely impact patient care. It is important that radiology administrators understand that cybersecurity is a shared responsibility. Their collaboration is integral in helping to mitigate cybersecurity risks.
Medical imaging devices deserve a seat at the cybersecurity table
Medical imaging devices have not historically been included in a hospital’s cybersecurity risk framework. But these, and other connected medical devices, are part of a hospital’s enterprise network, and securing any potential entry points needs to be part of that overall cybersecurity risk framework.
Modern healthcare infrastructure and cybersecurity protections are most effective when departments such as radiology, clinical engineering (biomed), and IT have an early seat at the table to collaborate with, educate and inform the cybersecurity team about any potential vulnerabilities specific to connected medical devices within radiology. Such collaboration enables healthcare providers to manage risks and protect healthcare networks from cyber threats. Unfortunately, there is no “silver bullet” or guaranteed solution that will protect any healthcare system 100 percent, which is why it is such an important area of growing concern within healthcare industry today.
Improving risk posture is critical
One of the most important ways to address cybersecurity in radiology and in the overall healthcare environment is to be proactive. Improving the status of the overall cybersecurity program within a given healthcare facility or network is critical to protecting that organization from breaches, safeguarding data and reducing risk. To do this, each connected medical device needs to work in tandem with the healthcare organization’s overarching security plan. Security controls should be embedded at technical, operational, and management levels to help protect the devices, data, and the network.
Human error, external access can lead to healthcare security breaches
While some cybersecurity breaches are the result of business email attacks, basic human error, such as unauthorized access, poor management of accounts or weak password protection, accounted for 22 percent of healthcare industry breaches in 2019, according to Verizon's most recent Data Breach Investigations report.[ii]
Despite the security embedded within each connected device, and a healthcare network’s security measures, attention needs to be paid at the departmental level to the development of access protocols and device operator training. Strong passwords and data encryption are examples of technical security controls that are often used with medical imaging devices and enterprise imaging systems. Further, standard operation practices and controls should be in place through protocols outlining who can access, manage and audit information from these connected medical devices. At the organizational level, security protocols should articulate personnel and training controls to help protect the integrity of the data and privacy of patients. The roles and responsibilities of any personnel who access connected medical devices in every organization should be well defined with respect to how security is maintained at every level so the cybersecurity team can monitor the network and connected medical devices and easily identify where protocols have not been followed, especially in instances where a breach is suspected or has occurred.
Minimize vulnerabilities with proper device maintenance
All too often, budget constraints, growth opportunities, healthcare consolidation or other projects redirect funding that would otherwise be utilized for medical imaging upgrades. And because many medical imaging devices continue to be operational despite outdated serviceability, these devices continue to be used by hospitals, which can create exploitable weaknesses for cyber attackers. In order to try and mitigate the exploitable weakness in these devices, hospitals and healthcare facilities should maintain updated inventory records on all medical imaging devices and consistently conduct security assessments to continually monitor risk. The end goal is to minimize the vulnerabilities that can exist in medical imaging device connectivity with a system of consistent monitoring, effective security controls and risk management tools at each point in the life of the device to help ensure device security.
Ensuring patient security and safety
Ensuring the security of a hospital’s network and connected medical devices is an area where full engagement should be seen across a healthcare facility. Cybersecurity and radiology administrators, radiologists and patients alike should have a high level of trust in the overall security of healthcare devices. Collaborative discussions and participation in cybersecurity efforts by radiology administrators can result in a better understanding of the cybersecurity infrastructure of the health facility, as well as an expanded understanding of the unique cybersecurity needs for medical devices and enterprise imaging platforms.
For more information on GE Healthcare’s comprehensive digital cybersecurity solutions for networked medical imaging systems, click here.