SIIM: Are imaging vendors prepared for cybersecurity?

Erik L. Ridley
Jun 2, 2017
2017 06 01 10 11 07 128 Pittsburgh 400

PITTSBURGH - Medical imaging vendors often aren't prepared for cybersecurity provisions to be included in contracts for PACS and imaging devices, and it can take months to complete these negotiations, according to a presentation on Saturday at the Society for Imaging Informatics in Medicine (SIIM) annual meeting.

After recently incorporating new cybersecurity language into new contracts being negotiated for PACS and imaging devices, Penn State Health found that many vendors were unwilling to agree to requirements such as having cyber insurance or undergoing an annual third-party audit for compliance with data protection standards. Negotiations over cybersecurity provisions added an average of three months to the contracting process, according to presenter Dr. Jonelle Petscavage-Thomas.

"Your team should be aware that if you have a targeted go-live and you're going to include this language, expect that go-live to be pushed back a few months because you're going to have to get through this," she said. "It's not going to be quick."

A growing threat

Cybersecurity is a hot topic. There was a 63% increase in cyberattacks on healthcare targets in 2016, and in 2014, the U.S. Federal Bureau of Investigation (FBI) reported that at least 375 healthcare-related organizations had been seriously breached, Petscavage-Thomas said.

These large breaches are publicly reported and can negatively impact a hospital's reputation, she said. What's more, these breaches are extremely expensive and labor-intensive to remedy the loss of protected health information (PHI).

Earlier this month, the WannaCry ransomware hit more than 150 countries and affected radiological systems as well as medical devices. Some medical device vendors were refusing to accept patches because they didn't know if their devices would continue to work after the patches were applied, Petscavage-Thomas said.

Notably, 7% of cybersecurity breaches occur from radiology software. In response, the National Electrical Manufacturers Association (NEMA) published a white paper on cybersecurity for medical imaging in 2015.

Petscavage-Thomas said, however, that it's the healthcare organization's responsibility to ensure a vendor is meeting an institution's cybersecurity requirements. Accordingly, cybersecurity language is increasingly being placed into new contracts and worked through legal channels, she said.

"However, there is no standardized language, and it varies from very simple to more complex," she said. "Vendors may be unfamiliar with this language -- it's just being introduced."

Contracting delays

The Penn Health researchers hypothesized that this could result in an increased length of time to complete the contracting process.

"You may work with a vendor who is unwilling to acquiesce to your requirements, and you may have to part ways with that vendor and do a new search and find a new vendor," she said. "Additionally, you may have a vendor who you really need for Joint Commission requirements, and you have to sign off that you are willing to assume those risks because the vendor will not meet the requirements."

Over the past year, Penn Health negotiated five new contracts with imaging vendors that included new cybersecurity documentation. The researchers sought to report on the specific areas where the vendors had issues, the length of time for vendors to return documentation, the number of rounds of contract revisions of the cybersecurity language, the number of vendors with cyber insurance, and the number of vendors that were unwilling to meet their requirements.

The institution's chief information security officer created cybersecurity language and distributed it to the IT teams for use in contracting. The cybersecurity provisions had 19 different sections, including the following:

  • User security
  • System security
  • Physical access control
  • Data security
  • Encryption
  • Secure erasure of hard disk capabilities
  • Data center requirements
  • Access to internal network
  • Criminal background checks
  • Disclosure of security breach
  • Cyber insurance
  • Rights to data documents and computer software
  • Server timekeeping
  • Internal IT policies
  • Business associate agreement (BAA) terms

Each of the sections also had several subsections. The cybersecurity language was added to five new vendor contracts that were being negotiated by the medical image management team: one radiology PACS vendor, one ophthalmology PACS vendor, one vendor-neutral archive (VNA) vendor, one radiation dose management software vendor, and one imaging device vendor.

During 2015-2016, a Word document was attached to the contract and emailed to vendors with "track changes" enabled in the document. In 2017, Penn State Health began using the Modulo Risk Manager, which allows vendors and organizations to have access to this electronic tool to answer questions and provide clarifications, Petscavage-Thomas said. Areas of contention are rated as high, moderate, or low risk. The business owner must then acknowledge these risks to proceed with the contract.

All versions of the contract were saved, including redlines, comments, and other edits. The researchers then retrospectively reviewed the versions to determine what sections were completely redlined by the vendors and the reasoning for the redline. They also assessed what sections were edited and why, and noted which vendors confirmed they already held cyber insurance. In addition, the group determined the length of time to work through this new contracting language by recording the timeline for sending and receiving edits.

Redlines

The group found that an average of 6.75 sections were completely redlined out by the vendor (range, 3-9). The most common redlined sections were the following:

  • Cloud security
  • Insurance requirement
  • Wireless/mobile device security
  • User security
  • System security
  • Right to data documents and computer software
  • Data security

"Some of these made sense," she said. For example, cloud security or wireless/mobile device security may have been crossed out if those areas were not part of the vendor's platform.

Some vendors crossed out the insurance requirement if they didn't have cyber insurance. Petscavage-Thomas said that a lot of the vendors also did not want to agree to the data security requirement for annual third-party auditing of compliance with regulatory data protection methods. In addition, some vendors did not have the ability to provide all of the requirements for a system security audit.

"And a lot of vendors were not willing to allow vulnerability scanning [of their products]," she said.

Edited sections

The vendors edited an average of four additional sections (range, 3-6). The most commonly edited sections included auditing, encryption, cloud and mobile device security, and remote access (via the SecureLink remote access software).

"Initially most of our vendors wanted to maintain a business VPN," Petscavage-Thomas said. "One [of our vendors] even said, 'Well, if you are going to make us use SecureLink [for remote access] we are going to increase the cost of your contract, because this [will require extra] resources for us.' "

Three of the five vendors had cyber insurance and were willing to assume the risk if there was a data breach. More recently, the institution negotiated an additional contract with a vendor -- its sixth within two years -- and it refused to provide insurance and payment if there was a leak, she said.

Ultimately, three vendors were unwilling to acquiesce with all of the security requirements, and a designated individual -- one department chair and two department administrators -- was asked to sign off on these contracts because it was believed the software was worth the risk and responsibility. All issues were considered to be moderate to low risk, she said.

Added time

The mean turnaround time for the initial vendor review of the cybersecurity language was 2.1 months (range, 2 weeks to 4 months).

"The main reason is that a different legal department within the companies was required to read the cyber documentation compared with the normal contract," she said.

On average, two more rounds of revisions were required, lasting an additional four weeks.

"Thus, the total contracting time with these vendors was increased on average by [3.1] months, with a range of one to six months," Petscavage-Thomas said.

Recommendations

Based on their experience, Petscavage-Thomas recommends that language be placed in the request for proposal (RFP) to help filter out vendors that are ill-prepared to meet cybersecurity requirements.

"Then you can always smooth things out [later] and expedite the process," she said.

She also recommends reviewing existing contracts and working with vendors to add on cybersecurity requirements.

"Those [contracts] are still at risk," Petscavage-Thomas said. "If you don't have that [cybersecurity] language in an addendum to your contract and there's a breach, you're the one who's going to be paying for all of that notification [to patients]."

Latest in PACS/VNA
Business Deal Handshake
InsiteOne acquires Brit Systems
November 30, 2023
Cyber Informatics 400
What are the benefits of using an AI server downstream of PACS?
November 28, 2023
Amy Thompson of Signify Research.
Enterprise imaging: What is the market opportunity beyond radiology?
October 18, 2023
Gamingmouse
How to hack a gaming mouse for PACS: Group offers guide for rads
October 6, 2023
Related Stories
2018 01 29 23 04 1748 Danger Hazard Exlamation Sign
IS
'Orangeworm' hacker group targets healthcare with virus
2018 03 03 00 49 6101 Pag2 Dicom Risk Map Large 20180303004840
2018
Cybersecurity threats pose challenge to radiology's future
2017 07 27 15 21 23 906 Computer Error 400
IS
Cyberattacks pose security risk to CT, MRI scanners
2017 11 21 21 52 3424 Rsna 2017 400
IS
Cybersecurity remains a problem in radiology
More in PACS/VNA
InsiteOne acquires Brit Systems
By AuntMinnie.com staff writers
Cloud-based clinical image management company InsiteOne will acquire BRIT Systems.
November 30, 2023
Business Deal Handshake
What are the benefits of using an AI server downstream of PACS?
By Liz Carey
Funneling image studies through a private AI server creates opportunities for big data research and speeds AI analysis time to reporting.
November 28, 2023
Cyber Informatics 400
Enterprise imaging: What is the market opportunity beyond radiology?
By Amy Thompson
Amy Thompson of Signify Research assesses the future prospects for the enterprise imaging market.
October 18, 2023
Amy Thompson of Signify Research.
How to hack a gaming mouse for PACS: Group offers guide for rads
By Will Morton
High-performance gaming mice offer radiologists multiple custom buttons and superior tracking features that can streamline radiology tasks.
October 6, 2023
Gamingmouse
Sectra posts growth in net sales, revenue in Q1
By AuntMinnie.com staff writers
Enterprise imaging firm Sectra reported strong net sales and revenue growth in the first quarter of 2023, citing deployment of it cloud services for diagnostic imaging.
September 4, 2023
2020 02 20 17 57 8385 Sectra Rsna 2019 400
Rad AI to launch its Omni Reporting software
By AuntMinnie.com staff writers
Rad AI plans to formally launch its Omni Reporting software on September 27.
August 21, 2023
2018 08 01 23 13 1733 Artificial Intelligence Ai 400
Qure.ai and xWave establish strategic partnership
By AuntMinnie.com staff writers
Radiology AI software developer Qure.ai and xWave Technologies have established a strategic partnership focused on improving radiology workflows.
August 15, 2023
2022 06 28 17 16 2885 Hands Shaking3 20230509203239
Sectra inks $227M deal with U.S.-based health system
By AuntMinnie.com staff writers
Enterprise imaging firm Sectra said it has inked a deal valued at $227 million to provide its Sectra One Cloud subscription service for diagnostic imaging to a large U.S.-based health system.
August 15, 2023
2020 02 20 17 57 8385 Sectra Rsna 2019 400
US Radiology Specialists begins recruiting for Connexia
By AuntMinnie.com staff writers
US Radiology Specialists is beginning recruitment for US Radiology Connexia, the company's new teleradiology organization.
August 14, 2023
2022 07 06 17 35 0405 Computer Doctor Patient Video 400
Segmed platform passed 100M studies
By AuntMinnie.com staff writers
Data management vendor Segmed said its Insight cloud-based platform has now surpassed 100 million imaging studies
August 13, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Radsource deploys 10 new ProtonPACS
By AuntMinnie.com staff writers
Radsource completed 10 installations of its ProtonPACS software for new customers in the second quarter of 2023, the company said.
August 9, 2023
2016 08 24 09 43 13 537 Hands Shaking V3 400
Amazon Web Services releases imaging data platform
By AuntMinnie.com staff writers
Amazon Web Services has launched an imaging data platform for storing, accessing, and analyzing medical images at petabyte scale.
July 25, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Page 1 of 775
Next Page