The healthcare industry is a prime target for cyberattacks, and medical imaging systems such as MRI and CT scanners are no exception.
Cybersecurity has become increasingly critical for medical imaging systems because the protected health information (PHI) that images such as CT scans contain can be used for illegal activities, including Medicare fraud and identity theft. Many medical imaging devices are also connected to the Internet and store images in the cloud, which can make them vulnerable to a number of threats.
Before a hospital can focus on securing these devices and the data that resides on them, it should implement a healthcare asset management program to determine what devices exist in the organization. Asset management consists of acquiring, tracking and disposing of enterprise software and hardware assets, said Mike Meikle, CEO of SecureHIM, a healthcare security consulting and education company.
But while healthcare asset management is an important step toward securing medical imaging systems and other devices, too many hospitals and healthcare organizations don't know what assets they have.
"A lot of healthcare is still pretty far behind in IT, 15, 20 years behind the financial industry when it comes to maturity in regards to managing IT assets," Meikle said. Not only that, but since different departments often have their own budgets and buy what they want, it can be difficult for an organization to keep track of its overall assets.
"Understanding what you have is a big step in the right direction to protecting it [and] protecting the data on it," Meikle said. "Having a robust asset management program so you know what you have [is important], then you can start taking steps to protecting that infrastructure."
A healthcare asset management program should include a depreciation schedule and a set date for when a device or piece of equipment will be sent for disposal, Meikle added. The disposal process should include wiping all of the data storage components on the device so that PHI isn't compromised.
Mobile device and application management
The proliferation of mobile devices that can be used as "de facto medical devices" is another consideration healthcare organizations need to keep in mind. Depending on what kind of data the mobile device receives, it may be considered a medical device under FDA regulations. Implementing a mobile device or application management program can mitigate some security risks, but organizations should use a "phased approach" to rolling out new procedures.
"You can't do everything all at once," Meikle said. "If you go from kind of lawless, Wild West approach to now everyone must toe the corporate line, it's not going to work."
Asset management components
According to Mike Meikle, CEO of SecureHIM, a healthcare security consulting and education company, an asset management program should consist of the following components:
- Device/software request and approval process
- Procurement management
- Life cycle management
- Redeployment and disposal management
Meikle also said a mobile device management program is a step in the right direction, but won't solve all of the problems associated with the use of mobile devices. However, it provides some risk management.
"Smarter companies are saying, 'If you bring in your personal device to do corporate work, in order to gain access to the network, you have to register your device with our mobile application management solution where any corporate data will reside in a little sandbox, and so if you ever leave or you're terminated or you lose your device, we can remotely brick your device or remotely destroy the corporate data on it,'" Meikle said.