The Truth About Cyber-Security in Healthcare Imaging

Despite the recent increase in large-scale cyber attacks across various industries, radiology has come out relatively unscathed. Still, experts say providers need to remain vigilant or else they are next.

Cyber-security Dangers within Medical Imaging

Last year highlighted the need for strong cyber-security systems in this digital era, as major cyber crimes such as WannaCry earned headlines across the globe. In particular, WannaCry produced major ripples because so many industries were affected. Healthcare was just one of them.


Major health practices in Europe and the U.S. had their information held hostage as ransomware swept over their systems in May of last year. However, data wasn’t the sole target of this widespread attack: numerous hospitals noticed that the attackers were able to get into medical tools as well.

There’s no denying that WannaCry was an attack of almost epic proportions for the healthcare industry. At the same time, it highlighted the potential consequences for radiology. However, as devastating as attacks of this sort might have been, some specialists say radiology has been lucky thus far.

“We are living on borrowed time,” said David J. Harvey, chief technology officer and managing director of Medical Connections Ltd., based in the UK. Radiology protocols such as DICOM and HL7 have only endured this long because of their relative obscurity.

Even though this message can seem grim, Harvey and other cybersecurity experts who were present at the 2017 meeting of the Radiological Society of North America (RSNA) stated that radiology departments can take steps to defend themselves and their patients. But the cost includes constant vigilance.

A Flawed Philosophy

The challenge in maintaining a robust cyber-security network in healthcare, in general, is that the effort is typically looked at as a zero-sum game. “We are continuously fighting the last war,” said James Whitfill, M.D., president of healthcare information technology consulting agency Lumetis and chief medical officer of Innovation Care Partners.

He described how much of healthcare IT’s approach focuses on patching known vulnerabilities from the least complicated attacks, as regulatory provisions are the guiding factor.

What really should be at the forefront, Whitfill said, are advanced persistent threats to client information. Sometimes this leads to what are known as zero-day attacks. Such attacks exploit vulnerabilities that go unrecognized until they are abused.

Many vendors are well-intentioned but are simply not up to speed on the security risks inherent in their products, said Kevin McDonald, director of clinical information security for the Mayo Clinic.

“They are still attempting to acquire personnel with the proper experience and knowledge,” he told his RSNA audience. In a well-known instance last year, the FDA publicly scolded St. Jude Medical for failing to take care of known security problems with a few of its implantable electrophysiology devices.

There weren’t any reports of cyber-tampering with St. Jude’s devices, and the company responded to the FDA’s message with a firmware update that the FDA approved last August.

But the incident underscored the ongoing struggle for device manufacturers.

While the FDA was able to act quickly in the St. Jude case, the agency also demonstrated the philosophy of responding to known vulnerabilities. According to Whitfill, the reality is that device approval systems are still reacting to changing cyber-security demands as well.

He pointed out that FDA review isn’t typically required before a software patch is implemented to fix a cyber-security vulnerability. A fresh 510(k) submission is required for an existing medical device if the device has an updated or changed indication for use. It is also required if the submitted change significantly affects the effectiveness or safety of the medical device.

Identifying Cyber-threats

To start creating an effective cyber-security plan, providers need to understand the risks they face. Cyber attacks can be classified in many different ways, depending on the kind of information the hacker is looking to access and the outcome they want to obtain. The majority of data sought could be classified as untargeted, including personal health information or personally identifiable information.

While particular individuals can be the victims of these kinds of attacks, the attackers are more often than not after larger quantities of data. In the healthcare field, more targeted strikes directly impact patient health. This is a scenario Whitfill hasn’t seen come about, but it remains a possibility.

Providers should also think about the sources of likely attacks. While many of the largest attacks are perpetrated by external entities, internal players can pose an even larger threat because they have already been granted access to the system. Solutions like sepStream are an affordable way to get the protection and security you need.