Medical imaging devices have greatly improved patient care and become a critical part of modern medical treatment. But these devices were not always connected the way they are today. Today's tools are digital, networked with other devices and reachable from a computer workstation. As a result, they are exposed to more cyber threats. So how can equipment makers and users build better cybersecurity for healthcare into imaging equipment?

One problem that prevents inclusion of security in the early stages of these machines' creation is the length of their lifecycle. Medical imaging equipment, such as MRI, ultrasound and CT scan machines, is built to last at least 10 years, and many units remain in operation well beyond that. New medical imaging devices take many years to develop and are subject to regulatory approval along the way. The typical development cycle can span three to seven years, and often the makers of the machines do not build with cybersecurity in mind.

Cyber threats, however, evolve rapidly, and healthcare is a major target. Attackers have used ransomware, distributed denial-of-service (DDoS) attacks, insider threats, data breaches, email-based scams and phishing attacks. In addition, healthcare data breaches are ranked as the costliest in the 2020 IBM Security Cost of a Data Breach report. Furthermore, the human cost of a cyberattack is key: patients and their electronic medical records have been directly affected as a result of cyberattacks on healthcare organizations.

The Problem With PACS

Medical imaging devices rely on picture archiving and communications systems (PACS) to store and transmit patient medical images. These replaced film and file folders as a more efficient means to produce, store and share patient images. PACS servers store medical images along with personal patient data, and typically connect to digital health records.

PACS allows healthcare workers to remotely view patient images from within the hospital or medical practice, as well as outside its walls. Some may do so from personal devices. Because of their role in medical practice, attackers could target PACS directly or use it as a foothold to reach other networked systems. These systems are also prone to healthcare privacy breaches because users tend to set them up with system defaults and leave them unsecured. One billion medical images were exposed in 2019 due to this poor security practice.

Patient Care and Cybersecurity for Healthcare

Hospitals are at greater risk than other tech-heavy organizations because they use older equipment that may be running outdated software. Often working with limited resources to manage network and software updates, they face major obstacles to keeping pace.

Updating medical imaging equipment can be a complex task. It can involve both a trained device maintenance worker and a member of the medical staff to ensure software upgrades are working well. This process can be very time consuming, and users may delay it without an incentive to perform such updates. Keeping these machines running well tends to be the higher priority. Other computer workstations not connected to medical equipment are at risk as well.

In 2017, attacks using the EternalBlue exploit struck unpatched Windows-based computers and servers. Among the machines affected were hospital computers and medical devices that weren't updated often. In this case, updates existed to close serious openings, but were not applied in time: Microsoft had issued a patch to protect against EternalBlue months before the attacks.

Cybersecurity for Healthcare Step 1: Separate Networked Devices

Securing digital medical images, so that a threat actor can't grab electronic medical records right out of the MRI data, requires a multi-layered approach. Vulnerable devices can be better protected if they're cut off from other equipment on the network. Ensuring vulnerable devices are unreachable from unapproved applications helps protect patient privacy.

Step 2: Further Segregate Attached Workstations

Imaging equipment and workstations should be kept on different networks from regular office computers, which are more open to attack. First, prevent access to PACS from outside, allowing only pre-approved network connections. Next, consider deploying a virtual private network (VPN) for this server only. Lastly, ensure workstation operating system updates are applied often.

Step 3: Secure PACS Servers

Secure PACS servers and limit applications and user access to only those required. This means avoiding default settings and never leaving PACS servers open for anyone to access. In addition, limit access by requiring a password from authorized users. Encrypt data during storage and transmission, and monitor the access logs of these devices for suspicious changes.
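As an added example (not from the original article or any PACS product), a small Python audit that applies Steps 1 to 3 to PACS access-log lines: it flags connections from outside the approved imaging network segment, unauthenticated access, and unencrypted transfers. The log format, the 10.20.5.0/24 imaging segment and the sample lines are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, hypothetical PACS access-log format (not any real product's):
# "<timestamp> src=<ip> user=<name|-> tls=<on|off> op=<STORE|RETRIEVE|QUERY>"
SAMPLE_LOG = """\
2020-06-01T08:01:10 src=10.20.5.14 user=radiologist1 tls=on op=RETRIEVE
2020-06-01T08:02:33 src=10.20.5.22 user=tech2 tls=on op=STORE
2020-06-01T08:05:41 src=203.0.113.9 user=- tls=off op=QUERY
2020-06-01T08:07:02 src=10.20.9.3 user=admin tls=off op=RETRIEVE
2020-06-01T08:09:15 src=192.168.1.77 user=- tls=on op=RETRIEVE
"""

# Assumption: Steps 1-2 put imaging equipment and its workstations on 10.20.5.0/24;
# the office LAN (10.20.9.0/24, 192.168.1.0/24) and the internet are not approved.
APPROVED_SOURCES = [ipaddress.ip_network("10.20.5.0/24")]


@dataclass
class Finding:
    line: str
    reasons: list


def parse(line):
    """Turn 'key=value' fields after the timestamp into a dict."""
    return dict(field.split("=", 1) for field in line.split()[1:])


def audit(log_text, approved=APPROVED_SOURCES):
    """Return one Finding per log line that violates a Step 1-3 control."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse(line)
        reasons = []
        src = ipaddress.ip_address(fields["src"])
        if not any(src in net for net in approved):
            reasons.append("source outside approved imaging segment")
        if fields["user"] == "-":
            reasons.append("unauthenticated access (no user)")
        if fields["tls"] != "on":
            reasons.append("unencrypted transfer")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings
```

Run `audit(SAMPLE_LOG)` to see the three offending lines; in practice the approved list would come from the firewall or VLAN configuration rather than being hard-coded.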

Culture of Awareness Tailored to Hospital Cybersecurity

Offer cybersecurity awareness training tailored to the time and attention constraints of healthcare workers. Healthcare practitioners, in particular, view risk differently than cybersecurity professionals do. Ensure electronic health record security training is short and relevant.

Building Better Cybersecurity for Healthcare

Cybersecurity for healthcare is a complex issue. Securing medical imaging devices and associated workstation servers requires considerable attention to a number of technical and cultural issues.

But members of the healthcare community do want to improve overall cybersecurity. A new cybersecurity-focused medical conference, the CyberMed Summit, aims to bring technical and medical staff together to find solutions for securing healthcare. The theme of the 2019 gathering was what the organizers call the "Last Mile" cybersecurity awareness problem: how to reach clinical staff and patients to a meaningful degree despite limited interactions.

In January 2019, a coalition of hospitals released a joint security plan to address cybersecurity risks in health care. The Medical Device and Health IT Joint Security Plan is a voluntary framework for the management of medical device security. This document includes guidance for device design and development as well as assessment of cybersecurity program maturity. The plan also addresses risk management over the device life cycle.

Securing healthcare data and protecting patient privacy is possible, though it may be a while before the entire sector catches up fully. There are, however, steps healthcare groups can take to secure equipment even with limited resources. Members of cybersecurity and health care can work together to meet the needs of patients without sacrificing security.
