Medical imaging devices have greatly improved patient care and become a critical part of modern medical treatment. But, these devices weren’t always connected in ways they are today. Today’s tools are digital, networked with other devices and can be reached through a computer workstation. As such, more cyber threats can pose harm. So how can equipment makers and users build better cybersecurity for healthcare into imaging equipment? 

One problem that prevents inclusion of security in the early stages of these machines’ creation is the length of their lifecycle. Medical imaging equipment, such as MRI, ultrasound and CT scan machines, are built to last at least 10 years. Many units remain in operation well beyond 10 years. New medical imaging devices take many years to develop and are subject to regulatory approval along the way. The typical development cycle can span three to seven years, and often the makers of the machines do not build with cybersecurity in mind.

Cyber threats, however, evolve rapidly. And, healthcare is a major target for threats. Attackers have tried ransomware, distributed denial-of-service attack (DDoS) attacks, insider threats, data breaches, email-based scams and phishing attacks. In addition, healthcare data breaches are ranked as the costliest in the 2020 IBM Security Cost of a Data Breach report. Furthermore, the human cost of a cyberattack is key; patients and their electronic medical records have been directly affected as a result of cyberattacks on healthcare organizations.

The Problem With PACS

Medical imaging devices rely on picture archiving and communications systems (PACS) to store and transmit patient medical images. These replaced film and file folders as a more efficient means to produce, store and share patient images. PACS servers store medical images along with personal patient data, and typically connect to digital health records.

PACS allows healthcare workers to remotely view patient images from within the hospital or medical practice, as well as outside its walls. Some may do so from personal devices. Because of their role in medical practice, attackers could target PACS for direct attack or to be used to gain access to other networked systems. These systems are also vulnerable to healthcare privacy breaches because users tend to set them up using system defaults and leave them unsecured. One billion medical images were exposed in 2019 due to this poor security practice. 

Patient Care and Cybersecurity for Healthcare

Hospitals are at risk more than other tech-heavy entities because they use older equipment that may be running outdated software. Often working with limited resources to manage network and software updates, they face major obstacles to keep pace.

Updating medical imaging equipment can be a complex task. It can involve both a trained device maintenance worker and a member of medical staff to ensure software upgrades are working well. This process can be very time consuming, and users may delay it without incentive to perform such updates. Keeping these machines running well tends to be of a higher priority. Other computer workstations not connected to medical equipment are at risk as well. 

In 2017, EternalBlue struck unpatched Windows-based computers and servers. Among the machines affected were hospital computers and medical devices that weren’t updated often. In this case, updates existed to secure serious openings, but were not applied in time. Microsoft had issued a patch to protect against EternalBlue months before the attacks. 

Cybersecurity for Healthcare Step 1: Separate Networked Devices

Securing digital medical images to make sure a threat actor can’t grab electronic medical records right out of the MRI data requires a multi-layered approach. Vulnerable devices can be better protected if they’re cut off from other equipment on the network. Ensuring vulnerable devices are unreachable from unapproved applications helps protect patient privacy. 

Step 2: Further Segregate Attached Workstations

Imaging equipment and workstations should be kept on different networks from regular office computers, which are more open to attack. First, prevent access to PACS from outside, allowing only pre-approved network connections. Next, consider deploying a virtual private network (VPN) for this server only. Lastly, ensure workstation operating system updates are applied often.

Step 3: Secure PACS Servers

Secure PACS servers and limit applications and user access to only those required. This means to avoid using default settings and leaving PACS servers open for anyone to access. In addition, limit access by requiring a password from authorized users. Encrypt data during storage and transmission, and monitor access logs for such devices for suspicious changes.

Culture of Awareness Tailored to Hospital Cybersecurity

Offer cybersecurity awareness training tailored to meet the time and attention requirements of healthcare workers. Healthcare practitioners, in particular, view risk differently than cybersecurity professionals. Ensure electronic health record security training is short and relevant. 

Building Better Cybersecurity for Healthcare

Cybersecurity for healthcare is a complex issue. Securing medical imaging devices and associated workstation servers requires considerable attention to a number of technical and cultural issues.

But members of the healthcare community do want to improve overall cybersecurity. A new cybersecurity-focused medical conference, the CyberMed Summit, aims to reach technical and medical staff to find solutions to securing healthcare. The theme for the 2019 gathering focused on what they call the “Last Mile” cybersecurity awareness problem: how to reach clinical staff and patients to a meaningful degree despite limited interactions. 

In January 2019, a coalition of hospitals released a joint security plan to address cybersecurity risks in health care. The Medical Device and Health IT Joint Security Plan is a voluntary framework for the management of medical device security. This document includes guidance for device design and development as well as assessment of cybersecurity program maturity. The plan also addresses risk management over the device life cycle.

Securing healthcare data and protecting patient privacy is possible, though it may be a while before the entire sector catches up fully. There are, however, steps healthcare groups can take to secure equipment even with limited resources. Members of cybersecurity and health care can work together to meet the needs of patients without sacrificing security.

More from Data Protection

Data security tools make data loss prevention more efficient

3 min read - As businesses navigate the complexities of modern-day cybersecurity initiatives, data loss prevention (DLP) software is the frontline defense against potential data breaches and exfiltration. DLP solutions allow organizations to detect, react to and prevent data leakage or misuse of sensitive information that can lead to catastrophic consequences. However, while DLP solutions play a critical role in cybersecurity, their effectiveness significantly improves when integrated with the right tools and infrastructure. Key limitations of DLP solutions (and how to overcome them) DLP…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today