In the second part of a two-part Q&A, Nick Merkin, CEO of healthcare regulatory consulting firm Compliagent, discusses how end-user awareness is a major factor in protecting medical imaging systems from cyberattacks, and he explains why hospitals and healthcare organizations shouldn't rely on a one-size-fits-all approach to training staff members. In part one, Merkin outlines the main security concerns surrounding medical imaging systems.
What contributes to the risks to medical imaging systems? Is it lack of end-user awareness, or outdated or unpatched systems?
Nick Merkin: The answer really is it's all of the above. As far as outdated systems, what's interesting is that for all the digital advances in healthcare in the last decade, you'd be shocked at how antiquated the IT systems are that many healthcare provider organizations have in place. And I'm not only speaking about a mom-and-pop skilled nursing facility in some rural area, I'm talking about a large hospital chain in a major urban area. So with that antiquated system typically comes weak cybersecurity defenses, like outdated and unpatched systems as you mentioned.
But you also mentioned lack of awareness, and I think lack of awareness is possibly even a greater culprit than problematic technology. I mean the fact is, and I see this all the time, healthcare organizations can spend millions of dollars on technology and hire cybersecurity experts and consultants for high fees, but if their staff training and education is inadequate, both in its content and its frequency, it's not going to help all that much. In my experience, most data security issues, take a HIPAA breach for example, take place because of human error. Of course, you can't create a perfect organization, but a well-trained staff is going to give you a lot of return on investment in terms of cyber risk mitigation.
How can hospitals educate end users about the security risks to medical imaging systems?
Merkin: What I would say is it's not only about training on a basic level. … If your organization's staff -- and by staff I mean all the way from entry-level to the C-suite in the boardroom -- is going to make good decisions and perform correctly regarding information privacy issues, there needs to be a robust written roadmap for them to reference when a question arises and that's the adequate policies and procedures.
So the next thing is training. … Regular training is definitely necessary and something that's important is it can't be one-size-fits-all. There's a lot of sort of off-the-shelf, off-the-rack kind of products and a lot of organizations say, "Oh, I went online and I watched some video." But there really isn't a one-size-fits-all. For example, a new hire in the radiology department is going to have very different training needs than the hospital chief of staff simply because their job functions are different and their education and experience levels are different. … To do it right, you have to have different kinds of trainings at different frequencies, and you have to test employees' knowledge, but in a large organization that may be a few different kinds of trainings to different types of staff members. … You have to keep working to identify and remediate the cybersecurity risks in your organization proactively because they're going to change pretty frequently, not only on a yearly basis but even on a weekly or monthly basis. So you're going to have to be able to respond to new challenges and new problems.