In this first part of a two-part Q&A, Nick Merkin, CEO of healthcare regulatory consulting firm Compliagent, discusses the major security risks to medical imaging systems, such as MRI or CT scanners, and what hospitals or healthcare organizations should do in case of a cyberattack. In part two, Merkin emphasizes the importance of employee education and training to prevent cyberbreaches.
What are the major security concerns with medical imaging systems?
Nick Merkin: Just about every medical imaging system is connected to the Internet in some way. And that's as it should be because connecting medical devices and systems and allowing healthcare professionals to communicate and share health information across different platforms is good for the quality of care. But what this means is that a cybercriminal or even an employee doing something inadvertent can expose the data and information that passes through or that's stored on a medical imaging system or any kind of medical device. So the bad news is that cybercriminals know that. It's kind of an open secret that healthcare data is very valuable on the black market. And that's proven by statistics I've seen that over 90% of healthcare organizations have been victims of cyberattacks at some time. But the good news is that the good guys, so to speak, are working hard every day to mitigate those risks.
What should a hospital or healthcare organization do if one of its medical imaging systems has been compromised?
Merkin: The most important thing you need to do is get the right people involved from the outset. A cybersecurity breach is an event that cuts across a lot of areas of the corporate hierarchy. Obviously, your IT department needs to be involved and, at the most basic level, whatever vulnerability in your system has been exposed needs to be fixed quickly. Now that may be simple, but it also may be complex, and you might need to hire outside security experts to help. The legal department needs to be involved, the general counsel. There may be questions of liability to consider, and there may be requirements to report the breach to the government. [And] healthcare organizations are a business like any other, and they need to have their marketing communication staff involved. Data breaches are bad for PR, and organizations that have a breach need to get out in front of them to ensure that their customers, their patients, feel secure and continue to trust the organization. And maybe most importantly, this all has to be quarterbacked by an accountable person who is coordinating it, and typically that's the CEO.
How can healthcare organizations prevent a breach from happening again?
Merkin: Like anything in the business world, it's important to learn from your mistakes. And that means conducting a real postmortem, figuring out in retrospect where the breakdown occurred, and even holding the right people accountable. Something that's becoming more and more common in healthcare organizations generally: there was a time when, whoever you were in the organization, even if you were an owner or a high-level executive, you could say, "Well, it's a big company, it's not my fault. I don't have any personal responsibility or liability." That's changed, and whether it's private litigation from a class action lawyer, for example, or the government, they're starting to look at holding individuals accountable [more] than organizations, and that means C-level executives, that means officers and directors.
So it's very important for those people to play an active role [in] really doing their fiduciary duties as to cybersecurity compliance and making sure that they have the right checks and systems in place to prevent a cyberbreach. The truth is, without a holistic cybersecurity plan that's going to include some of the things I talked about, like effective policies and procedures, robust education and training, careful auditing and monitoring, it's going to happen again. And the last point I'd make on that, and what I like to tell people when I'm talking about cybersecurity and implementing an overall cybersecurity program for an organization, is that good cybersecurity compliance is a shield and a sword. On one hand, it's a sword in the sense that you're going to be able to proactively identify risks that you have and proactively mitigate them and solve problems before they blow up and become a breach or some kind of event that might give your organization liability. That's really important and that's one aspect of things. But secondly, a good cybersecurity program in your organization is also a shield. What I mean by that is, there are always going to be mistakes because there's human error and you could have the perfect policies and procedures, you could train everyone really well, you could audit and try to find your problems but you're not going to be able to prevent everything. … Cyberbreaches are going to happen, and there are unfortunately cyberhackers out there who are looking to exploit opportunities. So, bad events are going to happen.
But if you've put into place, and you can show that you've put into place by documenting, documenting, documenting, all you've done to make a good faith effort to put in those robust cyberdefenses, that's going to go a long way even if there is a breach. Because whether it's the government or a situation with a plaintiff's lawyer, that's going to come up in terms of mitigating your liability. You're going to get mitigation on fines and penalties, you're going to get mitigation on damages, because you're going to be able to show, for example, "Hey, look at these policies and procedures. We review them with a multidisciplinary team: my general counsel, my head of HR, my CEO, my head of IT. We review them every quarter to make sure they're adequate. Look at how good our training program is. We do all sorts of trainings, we do skills testing, we bring up people's proficiency in IT security when we make decisions about bonuses and promotions and employee discipline, and we audit and try to find out the areas where we need to do better. We've done all that, and look at how much time and resources we're spending on it." That's going to go a long way to somebody saying, "Hey, I know this happened, but I do appreciate and see all that you've done to try to prevent this."