The year 2017 underscored the importance of strong cybersecurity practices in an increasingly connected world, as major cyberattacks like WannaCry made headlines around the globe for the number of people and businesses they touched. WannaCry in particular caused major ripples as it targeted various industries, including healthcare. Major health systems in the U.S. and Europe found their data held hostage when the ransomware swept through their systems last May. But data was not the only target in this widespread attack — several hospitals found the attackers were able to get into their medical devices as well.
There is no denying that WannaCry represented a breach of near epic proportions for healthcare, and it highlighted the possible consequences for radiology as well. But as potentially devastating as this and other attacks may have been, some experts say radiology has gotten lucky so far. “We’re living on borrowed time,” said David J. Harvey, managing director and chief technology officer of U.K.-based Medical Connections Ltd., adding that radiology protocols like DICOM and HL7 have only survived so far due to their relative obscurity.
While the message may seem ominous, Harvey and other cybersecurity experts who presented at the 2017 Radiological Society of North America (RSNA) meeting in November said radiology departments can take steps to protect themselves and their patients — but the price is constant vigilance.
A Flawed Philosophy
The difficulty with maintaining strong cybersecurity in radiology, and healthcare in general, is that the effort is often viewed, consciously or not, as a zero-sum game. “We’re always fighting the last war,” said James Whitfill, M.D., chief medical officer for Innovation Care Partners and president of healthcare information technology (IT) consulting firm Lumetis. He said much of healthcare IT’s strategy focuses on patching known vulnerabilities from the least sophisticated attacks because regulatory requirements are the guiding principle. What should really be top-of-mind, Whitfill said, are advanced persistent threats to patient information that can lead to what are known as zero-day attacks — vulnerabilities that go unrecognized until exploited.
From the vendor side, many vendors, while well-intentioned, are simply naive about the risks and security of their products, according to Kevin McDonald, director of clinical information security for the Mayo Clinic. “They’re still trying to find personnel with the right experience and knowledge,” he told his RSNA audience. In one high-profile instance last year, the U.S. Food and Drug Administration (FDA) publicly blasted St. Jude Medical for failing to address known security issues with some of its implantable electrophysiology devices.[1] There were no reports of cyber-tampering with any St. Jude Medical devices, and the company responded to the letter with a firmware update that was approved by the FDA last August.[2] But the episode highlighted the ongoing struggle for device manufacturers.
While the FDA acted quickly in the St. Jude event, it also demonstrated the same philosophy of reacting to known vulnerabilities. The reality, according to Whitfill, is that device approval processes are still adapting to changing cybersecurity requirements as well. He noted that FDA premarket review is usually not required prior to implementation of a software patch to address a cybersecurity vulnerability. A new 510(k) submission is required for an existing medical device if the device has a new or changed indication for use, or the proposed change could significantly affect the safety or effectiveness of the medical device, “so it is possible but unlikely that a software patch will need a new 510(k) submission,” Whitfill said.
Identifying Cyberthreats
To begin effectively building a cybersecurity strategy, providers must first understand the threats facing them. Cyberattacks can be categorized in several ways, beginning with the type of information the hacker wants to access or the result they want to achieve. Much information could be classified as untargeted, such as personally identifiable information or personal health information. While specific individuals can be the target of these types of attacks, more often cyberattackers are after large quantities of such data. In healthcare, more targeted attacks could directly impact patient health — a scenario Whitfill says has not played out yet but remains a possibility. A 2015 Wired article, for instance, detailed how security flaws in modern infusion pumps could allow hackers to raise the dose limits for the machine, an action that if not caught could lead to patient harm.[3]
Providers must also consider the sources of potential attacks. While many of the largest attacks are carried out by external parties, internal actors may pose an even greater threat because they already have trusted access to the system. External attacks are typically motivated by financial gain or general malice toward an individual or organization. Internal threats, however, can be more difficult to guard against as they can be done out of malice or simple negligence, according to McDonald. Common internal security gaps and concerns include:
• Operational security gaps (loopholes in processes);
• Authentication (user log-in credentials);
• Applications;
• Configuration (the way the system is set up);
• Unpatched software; and
• Lack of encryption.
While these vulnerabilities can exist on any single device, the real danger is that technology in a hospital today lives in what McDonald calls an internet of medical devices. According to McDonald, there has been a 62 percent increase in the number of devices per patient bed between 1995 and 2010, with an average today of 13 devices per bed.
Assessing Device Security
Despite the daunting prospect of protecting patient information against all of these threats, there are plenty of steps providers, vendors and other parties can take to hold off cyberthreats.
One of the most important things a department or institution can do to protect its medical devices, according to J. Anthony Seibert, Ph.D., professor and associate chair of informatics at University of California, Davis, is imaging system acceptance testing. This is a process that should be undertaken in partnership with the device vendor to assess all possible vulnerabilities, such as:
• Does the system use default user names and passwords? (These can be easily found on the internet, according to Seibert.) Can they be changed?
• Who maintains/updates antivirus and antimalware protections?
• Can the vendor gain remote access? How secure is that process?
• Are there unsecured USB/CD/DVD ports?
While it is important to conduct these types of assessments periodically over the life of the equipment, Seibert stressed that security evaluations should be an integral part of the initial procurement process. To help guide these interactions between providers and vendors, the National Electrical Manufacturers Association (NEMA) offers several guidance documents related to cybersecurity, including PS3.15 of the DICOM standard, which provides specific guidance on security and system management profiles, and the Manufacturer Disclosure Statement for Medical Device Security (MDS2), a form that manufacturers can use as a tool when performing risk assessment for a customer.
Seibert understands the importance of these and other security measures all too well — UC Davis Health was itself the victim of a major phishing attack in 2015 that may have compromised the personal health information of 15,000 patients, according to Healthcare IT News.[4] The attack was reportedly initiated when an employee responded to a phishing email with their account login credentials. Once into the email account, the hacker used it to send emails to other staff members requesting large bank transfers. The attack was quickly shut down, and investigators found no evidence that the hacker actually viewed sensitive information, but they could not rule out the possibility either.
Some of the steps Seibert said the health system has taken since include:
• Replacement of most of their Windows XP-based image acquisition devices (an operating system with known vulnerabilities);
• Radiology picture archiving and communication system (PACS) and imaging systems are on their own non-routable IP network (separated from the rest of the health system to minimize exposure);
• Interfaces and data are encrypted at all points (both “in flight” and “at rest”); and
• Ongoing cybersecurity training for all employees.
The last element may be the single most important aspect of any cybersecurity strategy to defend against the advanced persistent threats of today. Security safeguards generally fall into three categories, according to Seibert:
• Technical (the establishment of firewalls, secure data transmission, encryption, etc.);
• Physical (isolating devices from each other and outside networks, backing up and restoring data, proper device disposal);
• Administrative (documenting security policies, training staff, maintaining audit trails and logs, adhering to incident reporting, etc.).
While failures in the first two categories are often the open door that allows hackers into a device or system, it is often the failure to pay attention to administrative safeguards that leads to disaster, Seibert said.
According to McDonald, one of the key administrative-level safeguards provider organizations must practice is to set minimum standards for maintaining secure data policy, prioritizing the high-risk attributes of their systems. He stated that the six most common high-risk attributes that healthcare systems should focus on maintaining are:
• A supported operating system;
• The ability to upgrade operating systems;
• The ability to upgrade third-party/open source applications;
• Ability to use whitelisting (creating a list of the entities that are allowed to access a device or network);
• No hard-coded or default passwords; and
• Ensuring a device meets account use best practices — meaning it has no non-expiring passwords, no accounts with elevated administrator privileges and so on.
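The six attributes above can be turned into a repeatable audit of a device inventory. The following is an added example, not code from McDonald or any vendor; the field names, the supported-OS list and the sample devices are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
# Assumption: a site-maintained list of OS releases the vendor still supports.
SUPPORTED_OS = {"Windows 10", "Windows Server 2016"}

@dataclass
class Account:
    name: str
    is_admin: bool = False
    password_expires: bool = True
    default_password: bool = False

@dataclass
class Device:
    name: str
    os: str
    os_upgradable: bool = True
    apps_upgradable: bool = True
    whitelisting: bool = True
    hardcoded_password: bool = False
    accounts: list = field(default_factory=list)

# One entry per high-risk attribute; the predicate is True when the device fails it.
CHECKS = [
    ("unsupported operating system", lambda d: d.os not in SUPPORTED_OS),
    ("operating system cannot be upgraded", lambda d: not d.os_upgradable),
    ("third-party/open source applications cannot be upgraded",
     lambda d: not d.apps_upgradable),
    ("no whitelisting support", lambda d: not d.whitelisting),
    ("hard-coded or default password",
     lambda d: d.hardcoded_password or any(a.default_password for a in d.accounts)),
    ("account best practices not met",
     lambda d: any(a.is_admin or not a.password_expires for a in d.accounts)),
]

def audit(dev):
    """Return the list of high-risk attributes this device fails."""
    return [msg for msg, failed in CHECKS if failed(dev)]

def rank(devices):
    """Devices with at least one finding, most findings first."""
    scored = [(d.name, audit(d)) for d in devices]
    return sorted((s for s in scored if s[1]), key=lambda s: -len(s[1]))

# Constructed sample inventory, not real devices.
INVENTORY = [
    Device("pacs-ws-02", "Windows 10", accounts=[Account("tech1")]),
    Device("ct-01", "Windows XP", False, False, False, True,
           [Account("service", is_admin=True, password_expires=False)]),
    Device("us-03", "Windows 10", apps_upgradable=False,
           accounts=[Account("admin", is_admin=True)]),
]
```

Calling rank(INVENTORY) puts the Windows XP scanner first, which gives a remediation order rather than a flat pass/fail list.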
“It’s a balancing act between security and being able to do your job,” Seibert concluded.
References
1. FDA Safety Communication: Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter. Jan. 9, 2017. https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm
2. FDA Safety Communication: Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers. Aug. 29, 2017. https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm
3. Zetter, K. “Drug Pump’s Security Flaw Lets Hackers Raise Dose Limits,” Wired, April 9, 2015. Accessed Dec. 18, 2017.
4. Davis, J. “Phishing attack on UC Davis Health breaches data on 15,000 patients,” Healthcare IT News, July 17, 2017. Accessed Dec. 10, 2017.