Medical imaging devices have greatly improved patient care and become a critical part of modern medical treatment. But, these devices weren’t always connected in ways they are today. Today’s tools are digital, networked with other devices and can be reached through a computer workstation. As such, more cyber threats can pose harm. So how can equipment makers and users build better cybersecurity for healthcare into imaging equipment?
One problem that prevents inclusion of security in the early stages of these machines’ creation is the length of their lifecycle. Medical imaging equipment, such as MRI, ultrasound and CT scan machines, are built to last at least 10 years. Many units remain in operation well beyond 10 years. New medical imaging devices take many years to develop and are subject to regulatory approval along the way. The typical development cycle can span three to seven years, and often the makers of the machines do not build with cybersecurity in mind.
Cyber threats, however, evolve rapidly. And, healthcare is a major target for threats. Attackers have tried ransomware, distributed denial-of-service attack (DDoS) attacks, insider threats, data breaches, email-based scams and phishing attacks. In addition, healthcare data breaches are ranked as the costliest in the 2020 IBM Security Cost of a Data Breach report. Furthermore, the human cost of a cyberattack is key; patients and their electronic medical records have been directly affected as a result of cyberattacks on healthcare organizations.
The Problem With PACS
Medical imaging devices rely on picture archiving and communications systems (PACS) to store and transmit patient medical images. These replaced film and file folders as a more efficient means to produce, store and share patient images. PACS servers store medical images along with personal patient data, and typically connect to digital health records.
PACS allows healthcare workers to remotely view patient images from within the hospital or medical practice, as well as outside its walls. Some may do so from personal devices. Because of their role in medical practice, attackers could target PACS for direct attack or to be used to gain access to other networked systems. These systems are also vulnerable to healthcare privacy breaches because users tend to set them up using system defaults and leave them unsecured. One billion medical images were exposed in 2019 due to this poor security practice.
Patient Care and Cybersecurity for Healthcare
Hospitals are at risk more than other tech-heavy entities because they use older equipment that may be running outdated software. Often working with limited resources to manage network and software updates, they face major obstacles to keep pace.
Updating medical imaging equipment can be a complex task. It can involve both a trained device maintenance worker and a member of medical staff to ensure software upgrades are working well. This process can be very time consuming, and users may delay it without incentive to perform such updates. Keeping these machines running well tends to be of a higher priority. Other computer workstations not connected to medical equipment are at risk as well.
In 2017, EternalBlue struck unpatched Windows-based computers and servers. Among the machines affected were hospital computers and medical devices that weren’t updated often. In this case, updates existed to secure serious openings, but were not applied in time. Microsoft had issued a patch to protect against EternalBlue months before the attacks.
Cybersecurity for Healthcare Step 1: Separate Networked Devices
Securing digital medical images to make sure a threat actor can’t grab electronic medical records right out of the MRI data requires a multi-layered approach. Vulnerable devices can be better protected if they’re cut off from other equipment on the network. Ensuring vulnerable devices are unreachable from unapproved applications helps protect patient privacy.
Step 2: Further Segregate Attached Workstations
Imaging equipment and workstations should be kept on different networks from regular office computers, which are more open to attack. First, prevent access to PACS from outside, allowing only pre-approved network connections. Next, consider deploying a virtual private network (VPN) for this server only. Lastly, ensure workstation operating system updates are applied often.
Step 3: Secure PACS Servers
Secure PACS servers and limit applications and user access to only those required. This means to avoid using default settings and leaving PACS servers open for anyone to access. In addition, limit access by requiring a password from authorized users. Encrypt data during storage and transmission, and monitor access logs for such devices for suspicious changes.
Culture of Awareness Tailored to Hospital Cybersecurity
Offer cybersecurity awareness training tailored to meet the time and attention requirements of healthcare workers. Healthcare practitioners, in particular, view risk differently than cybersecurity professionals. Ensure electronic health record security training is short and relevant.
Building Better Cybersecurity for Healthcare
Cybersecurity for healthcare is a complex issue. Securing medical imaging devices and associated workstation servers requires considerable attention to a number of technical and cultural issues.
But members of the healthcare community do want to improve overall cybersecurity. A new cybersecurity-focused medical conference, the CyberMed Summit, aims to reach technical and medical staff to find solutions to securing healthcare. The theme for the 2019 gathering focused on what they call the “Last Mile” cybersecurity awareness problem: how to reach clinical staff and patients to a meaningful degree despite limited interactions.
In January 2019, a coalition of hospitals released a joint security plan to address cybersecurity risks in health care. The Medical Device and Health IT Joint Security Plan is a voluntary framework for the management of medical device security. This document includes guidance for device design and development as well as assessment of cybersecurity program maturity. The plan also addresses risk management over the device life cycle.
Securing healthcare data and protecting patient privacy is possible, though it may be a while before the entire sector catches up fully. There are, however, steps healthcare groups can take to secure equipment even with limited resources. Members of cybersecurity and health care can work together to meet the needs of patients without sacrificing security.