Safeguarding Radiology Data

December 22, 2016
Whitney L. Jackson

Cybersecurity in radiology, from RSNA 2016.

It’s almost become old hat. Another year, another electronic data breach. You might not be surprised anymore, but you should still be worried. Not only is the number of patients affected when a health care facility is infiltrated growing, but the types of cyberattacks are also changing.

And according to industry leaders at RSNA 2016, health care isn’t paying close enough attention to how best to handle the problem.

“Health care IT security has the wrong mission and the wrong approach,” said James Whitfill, MD, chief medical officer for Scottsdale Health Partners. “It’s focused on medical records and compliance. It’s not worried about events. Regulations have been the only motivator, and it’s a lousy one. Regulations don’t work well because they only protect against the most unsophisticated attacks.”

The Threat
Over the past year, health care has seen an uptick in a new type of cyberattack called ransomware. This attack infiltrates your system through an innocuous-looking email and installs software behind the scenes to encrypt data. Once it controls all your information, the system is locked, and hackers demand payment to release it.

More and more hospitals are falling victim, Whitfill said, and the problem is twofold. Not only is your patients’ private health information – including diagnostic images – in jeopardy, but you’re also prevented from providing care because you can’t access medical records or any other programs.

If you don’t pay to have your hijacked system unlocked, he said, it could be sold to the highest bidder. On the black market, the medical record for one patient costs approximately $50. Multiply that by the number of patients seen at a typical hospital, and the price tag balloons. Some electronic medical record databases can sell for more than $100,000.

Breach Impact
In the past, financial gain was the main impetus for stealing health data, Whitfill said. It could either be sold for identity theft, used for extortion among celebrities or politicians, or used for fraudulent billing. The danger has grown, though, to include attacks on public health.

It’s now possible for nation states and terrorists to gain access to large swaths of private health care data. The information could be used for both targeted and untargeted attacks.

This type of data breach is particularly dangerous because it grinds your ability to provide care to a halt. You can’t perform any diagnostic studies, and if the shutdown continues for an extended time, that could put patients’ lives at risk, he said.

Protecting Yourself
Once ransomware infects your system, there’s virtually no way to uninstall it yourself. So, your priority must be preventing infiltration, Whitfill said. Unfortunately, it’s getting harder to identify the fraudulent emails hackers use to gain access to your records. The best defense might be to trick your own employees in the name of education.

“One of the primary things you can do is educate your employees by sending out your own false email to see who clicks on them, and then go talk with these folks,” he said. “The days of issuing the general warnings of ‘Don’t click on things that look funny,’ are over. These things are very difficult to figure out.”

As radiologists, you can help protect your institutions, though. Take and support anticipatory steps to lead the charge:

1. Assume you’ll be hacked at some point, and keep an eye out for any tracks that can show you how it happened.

2. Make the case for keeping your security and IT departments separate. They have different goals and should operate independently.

3. Don’t allow any unprotected USB devices to be used in your network.

4. Consider keeping your patient information on a separate network from any other information you use in your practice.