“WannaCry,” the most recent ransomware attack in the United Kingdom, was yet another reminder of how dependent modern healthcare is on networked technology. At the National Health Service, ambulances piled up outside hospitals, appointments were canceled, surgeries were delayed and there was the frightening possibility that patient records could be deleted unless a ransom was paid.
Radiology is particularly vulnerable to the fallout from such an attack. Losing access to stored medical images could delay patient care decisions, and being locked out of network-enabled scanners could force clinicians to make diagnoses without the best information. The kicker? These attacks are on the rise. According to a report from the Department of Health and Human Services, there were 112 million health information security breaches in 2015 alone, up from just 1.8 million in 2014.
However, many imaging departments are missing even the simplest security measures that can make all the difference in a hacking attempt, according to an RSNA 2016 presentation. A cybersecurity firm hired to explore vulnerabilities in a hospital’s MRI machines found deactivated firewalls, automatic updates turned off and 114 open ports, said Kevin Hemsley, project manager for the Idaho National Laboratory. The firm was even able to access the imaging processor and controller, a major red flag for a machine capable of throwing lethal amounts of radiation. Solutions like closing unused ports and masking imaging devices on shared networks are simple, low-cost ways to properly manage the risk that comes with networked medical technology.
These simple security lapses are emblematic of the industry as a whole: human error is involved in 95 percent of all successful cybersecurity attacks, according to IBM’s Cyber Security Intelligence Index. That’s a scary statistic, to be sure. And it shows why providers must act immediately and be prepared for the worst.
One of the biggest steps imaging departments can take is hiring dedicated IT staff to keep a close eye on cybersecurity issues. This way, the department is better positioned to respond and take corrective measures in the event of an attack. In-house staff can maintain audit logs of imaging equipment and informatics software, lead department-wide cybersecurity training, and have established processes for responding to penetration-testing attacks like phishing.
While Benjamin Franklin was referring to fire safety when he wrote that “an ounce of prevention is worth a pound of cure,” I think it works well for cybersecurity as well.