Now that vendor neutral archives and PACS are widely installed in big healthcare providers' data networks, experts say providers of all sizes should look to bolster the cybersecurity of their medical imaging systems.
The proliferation in recent years of digitized healthcare images such as CT scans, MRIs, cardiology videos and ultrasounds has increased anxiety about the privacy, security and integrity of those pictures, which often contain as much sensitive protected health information (PHI) as EHR records and can be used for Medicare fraud, identity theft and other criminal purposes.
"We want to utilize this information and not have it exposed," said Andy Riley, chief technology officer of data security consulting firm GBprotect Inc., which works with many healthcare industry clients.
Image sharing danger
More likely than outside hacker attacks and thefts, security vulnerabilities can arise when physicians and others share images extracted from vendor neutral archives (VNAs) and picture archiving and communication systems (PACS), two systems which are generally secure, Riley said.
When users modify reports or metadata that accompany the images for their specific specialty or purpose, "you magnify the number of locations and the risk," Riley said.
Scott Erven, associate director, health IT security practice for Protiviti Inc., said many medical imaging systems such as PACS have "poor security hygiene" because their default administrative architecture often isn't updated for PHI security.
Medical device vulnerabilities
As for medical devices connected to integrated delivery networks and hospital computer networks -- including image-producing hardware such as MRI machines -- they can pose both cybersecurity and patient safety concerns, Erven said.
"Many devices have poor security controls," he said.
However, Erven noted, radiology machines are usually operated by technicians who need to hit a button to initialize the machine, making it difficult for an outside actor to control it.
Meanwhile, other connected devices, such as bedside infusion pumps, have been shown to be vulnerable to hacks that could harm patients by delivering lethal amounts of medication. Such attacks could also lead to unauthorized entry into larger health system data networks.
Erven noted that many people who are concerned about medical device security were encouraged by the FDA's recent publication of draft guidance for the cybersecurity of connected devices that are already on the market.
The post-market guidance calls on medical device vendors and users to more vigilantly monitor devices for security holes and to share information about known threats.
PHI cybersecurity tips
Erven, a frequent speaker on medical device cybersecurity, offers these tips to providers looking to better protect their medical imaging systems and improve cybersecurity in the healthcare industry:
- When looking to contract with vendors, make sure vendors have validated security controls for their devices before they are introduced into clinical settings
- Ensure that devices' firmware and software are continuously updated
- When turning in older equipment for resale, be sure to destroy any legacy data that resides on devices
"You can buy stuff off eBay that still have PHI on them," Erven said.
As for encryption, Erven recommends using known good cryptography that protects data both in transit and at rest. "I'd highly advise organizations not to build their own."
"Don't roll your own crypto," he said.
To cloud or not
Health IT and imaging communities are still debating cybersecurity issues associated with cloud-based medical imaging systems, including hybrid cloud-enterprise arrangements.
While experts agree that the financial imperatives of cloud technology's economies of scale are impossible to ignore and probably inevitable, they say many large provider systems remain wary of the cloud, especially public clouds.
"The pure public, Internet-facing cloud is definitely risky," Erven said.
For smaller providers, hosted environments provided by reputable cloud storage vendors "can be safer than organizations that lack the resources" to store and protect their own digital medical images, Erven said.
For Riley, the cloud question for large healthcare providers is less focused on security per se; it's more tied to a feeling of losing control of what they consider proprietary images and the integrity of those images.
"You sort of conjure up that you don't have control and that conjures up security issues," he said.
Indeed, Riley noted that many larger health systems are already seeing unauthorized use of the cloud by physicians employing public, consumer-oriented cloud products such as Dropbox and Box to easily get access to images, with security an afterthought.
"Doctors say 'I want to be able to access this,'" agreed Cameron Camp, a security researcher for cybersecurity firm ESET North America. "Everything takes a back seat to availability."
More imaging cybersecurity tips
Riley's key tips for mitigating threats to medical imaging ecosystems are the following:
- Clearly define the authorized use cases and data flows for medical imaging
- Ensure that authorized use cases have a secure mechanism for moving data and storing extracted data such as reports
- Use data discovery tools to identify image files stored in unauthorized locations
- Use data loss prevention tools to quarantine and alert on imaging file extensions
- Conduct user entitlement reviews and game-plan for how user roles could be abused
- Monitor user access to sensitive information and put alarms on suspicious activity
- Restrict large files leaving the network outside of authorized and expected data flows
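The data discovery tip above can be sketched in a few lines. This is an added example, not code from the article or from any vendor it mentions. It assumes the images are DICOM Part 10 files (128-byte preamble followed by "DICM"), and the extension watchlist, directory names and function names are hypothetical. Checking file content as well as the extension catches images that were renamed before being copied to a sync folder.

```python
import os
import tempfile
from pathlib import Path

# Assumed watchlist; the article only says "imaging file extensions".
IMAGING_EXTENSIONS = {".dcm", ".dicom", ".nii"}

def looks_like_dicom(path):
    """DICOM Part 10 files carry a 128-byte preamble followed by b'DICM'."""
    try:
        with open(path, "rb") as fh:
            fh.seek(128)
            return fh.read(4) == b"DICM"
    except OSError:
        return False  # unreadable file: report nothing rather than crash the scan

def find_stray_images(scan_root, authorized_dirs):
    """Return sorted (path, reason) pairs for imaging files outside authorized_dirs."""
    allowed = [Path(d).resolve() for d in authorized_dirs]
    findings = []
    for dirpath, _dirs, files in os.walk(scan_root):
        here = Path(dirpath).resolve()
        if any(here == a or a in here.parents for a in allowed):
            continue  # inside an authorized data flow location
        for name in files:
            full = here / name
            if looks_like_dicom(full):
                findings.append((str(full), "dicom-magic"))
            elif full.suffix.lower() in IMAGING_EXTENSIONS:
                findings.append((str(full), "extension"))
    return sorted(findings)

def demo():
    """Build a constructed directory tree (sample data, not real PHI) and scan it."""
    root = Path(tempfile.mkdtemp()).resolve()
    dicom_bytes = b"\x00" * 128 + b"DICM" + b"\x02\x00"  # constructed header only
    samples = [
        ("pacs_export/study1.dcm", dicom_bytes),       # authorized location
        ("home/dr_a/Dropbox/scan.jpg", dicom_bytes),   # DICOM renamed to .jpg
        ("home/dr_a/Desktop/knee.dcm", b"not dicom"),  # matched by extension only
        ("home/dr_a/notes.txt", b"hello"),             # unrelated file
    ]
    for rel, data in samples:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    hits = find_stray_images(root, [root / "pacs_export"])
    return [(Path(p).relative_to(root).as_posix(), why) for p, why in hits]

if __name__ == "__main__":
    for rel, why in demo():
        print(why, rel)
```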
For Camp, security weaknesses reside not so much in imaging cameras, sensors and other hardware, but in how the data they produce gets packaged.
For a criminal, state actor, or insider "snooper," it's "'how can I break into the containers and do something with it,'" Camp said.
He said the best way for providers to protect the sanctity of their data -- whether it's images, text or other metadata -- is to hire "white hat" hackers.
"I'd be open to third-party penetration testers," he said. "If you get diagnosed, you have a chance of fixing the problem. Right now, they don't know what their true state is from the attackers' perspective."