A ‘Whole Community’ Approach to Cybersecurity in Medical Imaging

Posted November 16, 2015

Cybersecurity best practices and standards by manufacturers and healthcare providers offer the clearest line of defense against attacks, according to a white paper published by the Medical Imaging & Technology Alliance (MITA), a division of the National Electrical Manufacturers Association (NEMA).

According to the paper, Cybersecurity for Medical Imaging, as imaging devices become increasingly connected to networks, a lack of information technology (IT) security poses a significant risk not only to clinical and business continuity, but also to patient safety.

Within healthcare, medical imaging was one of the earliest examples of interconnected devices and technologies now referred to as the Internet of Things (IoT). According to MITA, most, if not all, imaging technologies rely on digital technology, software, and hardware connected to the IoT, which can make these systems vulnerable to cyberattacks.

In a presentation at last week’s HIMSS Cybersecurity Summit, cybersecurity researchers Scott Erven and Adam Brand, both associate directors at the consulting firm Protiviti, described security risks they had uncovered using Shodan, a search engine that is the equivalent of Google for the IoT.

Using search terms such as “health,” “hospital,” and “medical,” they found hundreds of medical devices inside healthcare organizations, including 97 MRI machines. This means that by doing a simple search, hackers could know what type of systems and medical devices are inside a healthcare organization and the hostnames of all of these devices. Combining this with other information that is easily accessible online, they could create custom attacks that would only target a medical device, like an MRI, with known vulnerabilities.

Erven and Brand said that while there is no evidence of intentional targeted attacks on medical devices yet, these devices are absolutely being compromised due to unintentional attacks, potentially putting patient safety at risk.

According to the MITA white paper, “advancing cybersecurity measures within healthcare and public health relies upon a ‘whole of community’ approach, requiring manufacturers, installers, service staff, and healthcare providers alike to accept shared ownership and responsibility.”

“We need to work together to develop and understand promising new technologies, solutions, and approaches. Not only are users, enterprise IT departments, and manufacturers struggling to keep up with the current milieu, this will become even more challenging with the Internet of Things and demands for more interoperability and data exchange among disparate medical enterprises,” said Raymond Geis, the IT Commission vice chair for the American College of Radiology, in a press release.

The white paper outlined recommendations for manufacturers, as well as for the “responsible user.”

According to MITA, manufacturers should:

  • Define a way to continuously monitor vulnerabilities to detect patches and updates that will address functionality or repair vulnerabilities that might affect a particular device.
  • Validate all software changes that address cybersecurity before installation to ensure that the functionality of the device has not been compromised.
  • Consider options for multifactor authentication, including password fields allowing more easily remembered user-generated passwords and biometric identification.
  • Allow healthcare providers to know the type and status of security software installed within devices, as well as the current status of security upgrades.

Once installed, equipment operators and healthcare organizations should:

  • Deploy firewalls and make other provisions to safeguard their networked medical devices.
  • Be aware of cybersecurity threats and train personnel to mitigate risks.
  • Audit logs for imaging equipment and imaging informatics systems.

“Well-structured and governed collaboration in this complex ecosystem of people, processes, and technology is required to safeguard the patients’ protected health information and their physical safety,” said Rik Primo, chair of the medical imaging informatics section of the MITA Cybersecurity Taskforce, in the release.

For more information about cybersecurity, visit the AAMI Hot Topics page devoted to this subject.