With AI-mediated cyberattacks on the rise, radiologists can find it challenging to balance prompt patient access to diagnostic imaging while safeguarding sensitive healthcare data.
That's why prioritizing cybersecurity investments -- such as advanced network security systems supplemented by regular software updates, audits, and penetration assessments -- and offering staff training on keeping healthcare data and equipment safe can save radiology departments substantial expenses.
Radiology's operating model depends heavily on interoperability between different healthcare and imaging systems for efficient patient examination and diagnosis. However, with the growing number of cybersecurity incidents, healthcare providers are actively seeking to increase investments in safeguarding data in the ever-evolving digital landscape. In a cybersecurity survey conducted by Ponemon Institute in 2023, 88% of healthcare organizations experienced an average of 40 attacks in the previous 12 months, with an average cost of $5 million.
In response to the escalating number of cybersecurity threats, governments and regulators are urging healthcare providers to establish cybersecurity programs aiming to safeguard the personal information of all individuals involved. With the help of new cybersecurity framework and policies, radiology teams can focus on faster diagnosis and treatment for the patients without compromising privacy or safety.
Emerging challenges
Radiology practices possess a vast volume of valuable patient data that necessitates secure storage by eliminating departmental silos and transmission, to ward off cybersecurity threats. However, the evolving radiology informatics landscape in clinical practice presents an ongoing data breach security challenge. Investment in robust cybersecurity measures, embracing interoperable systems, and deploying efficient enterprise storage solutions are imperative to effectively handle the escalating volume of radiology data.
The recent suspected cyberattack at Consulting Radiologists in Eden Prairie, MN, halted radiology operations for their affiliated healthcare facilities disrupting patient care and resulting in routing critical stroke and trauma patients to other facilities, according to a report from Pioneer Press. With growing radiology practices and outpatient imaging facilities, we will see an increase in outsourced diagnostic imaging. Designing cybersecurity training programs for radiologists is vital in order to strengthen the overall security posture of radiology practices and small healthcare facilities.
The impact of such malicious attacks is far-reaching on health organizations, leading to legal, reputational, and clinical damage or even loss of lives. Furthermore, the notable pattern between the highest average data breach costs and soaring malware costs in recent years cannot be ignored. It only makes sense that leading institutions like the World Health Organization (WHO) have called for bolstering cybersecurity through operational approaches. Indeed, the road to improved cyber resilience is tough, presenting many challenges and concerns.
Furthermore, radiology imaging IT departments still operate with legacy systems that often lack the latest security features and underlying operating system updates. Underinvestment in healthcare information technology (HCIT) cybersecurity programs is another factor; legacy radiology systems should be part of an ongoing HCIT security risk-mitigation plan. Lack of risk prioritization, fragmented governance, and cultural behaviors are other factors that hinder organizational cyber resilience. An acute shortage of cybersecurity professionals with specific skill sets only adds to the challenge of radiologists and healthcare professionals encountering unprecedented threats.
As a result, numerous radiology departments lack the necessary resources and expertise to combat these threats effectively, resulting in inconsistent adoption of stringent cybersecurity measures throughout the organization. The situation is exacerbated by the surge in data volumes from advanced imaging technologies, such as 3D mammography (also known as digital breast tomosynthesis), which produce images that are 20 times larger than conventional 2D mammograms. AI research for advanced image analytics is also playing a role.
Remote sharing of Personally Identifiable Information (PII), sensitive health data, and reliance on outdated software present significant vulnerabilities, providing potential avenues for unauthorized access and exploitation by hackers.
Offense is the best defense
The key to discovering attack strategies is to weed out the source first. Interestingly, employees are no longer the primary culprits in radiology cyberthreats, according to the Verizon 2022 Data Breach Investigations Report. The prominence of the Basic Web Application Attack pattern here signifies a shift in threat dynamics, relegating insider threats to a lesser role.
Underscoring the urgent need for fortified security measures, radiology departments must have stringent cybersecurity strategies in place to safeguard patient data against such attacks. In recent light of events, a Cisco Security Outcomes study cites that 96% of executives across diverse industries prioritize security resilience. The criticality is evident; radiology departments must view cybersecurity as a strategic imperative rather than an afterthought.
The technological complexities of medical imaging technology, followed by integration gaps with diverse IT systems, leave radiology departments further exposed to vulnerabilities.
Securing radiology units
Surging costs associated with data breaches have radiology executives investing in robust cybersecurity infrastructure and conducting regular vulnerability assessments to mitigate threats.
Despite the foreboding threat techniques, many radiology operations tend to adopt a passive "wait-and-see" stance, however. Such a lax approach can neither safeguard patient data nor preemptively thwart security breaches. Fortunately, there are actionable measures that all radiology leaders can implement to bolster their defenses and uphold operational integrity. These steps include:
- Encourage organization-wide training: Phishing is cyberattackers' primary technique for ransomware. Radiology departments can significantly reduce the damage of such attacks with proper training and awareness. Making leaders and employees aware of phishing and associated risks, the importance of strong passwords, and other cybersecurity issues can help mitigate attacks greatly.
- Actively ensure compliance: Modernization projects such as interoperable systems and APIs can expose IT departments to potential vulnerabilities. Radiology departments should regularly audit old systems and check whether new ones comply with the latest global regulatory standards. This can help them enhance overall compliance and cybersecurity.
- Explore Cloud-native security: By deploying cloud security solutions, radiology executives can store medical data in an encrypted format. These solutions are fortified by multiple protective layers and incorporate enterprise-grade security measures, real-time monitoring capabilities, and scalable storage capacity. Organizations can achieve two-way benefits by securely storing sensitive health data and driving robust security protocols.
- Safeguarding patient consent management and privacy: Patient consent is a pivotal element in ensuring the privacy and protection of patient data. Radiology departments must be upfront about how patients' data is collected, utilized, and accessed with due diligence. With patient consent at the heart of operations, radiology staff can demonstrate their commitment to upholding patient privacy standards and adhere to ethical practices regarding data handling.
- Proper scrutiny of third-party vendors: Radiology departments rely heavily on third-party vendors, including cloud, value-added service, and managed service providers, to fulfill their IT service needs. It is crucial to vet these vendors by reviewing their security protocols, evaluating their credentials, and assessing their compliance standards. For example, cloud vendors should have successfully undergone a HIPAA audit and obtained HITRUST certification. By selecting vendors through stringent cybersecurity measures and relevant certifications, radiology departments can ultimately safeguard patient data and uphold industry best practices.
- Implementing zero-trust architecture: Zero-trust architecture strategy views every user or device attempting system access as potentially malicious until authentication and trust are established. How can radiology professionals safeguard their systems and data amid potential risks after architecture deployment? By employing top-tier encryption mechanisms to protect data in transit and at rest. This added layer fortifies security measures, reducing the risk of breaches or cyberattacks. Thus, organizations can bolster their overall cyber posture while shielding sensitive data from potential threats.
- Viewing the security layer through a third-party expert lens: Are regular assessments enough to identify vulnerabilities and weaknesses in the security posture of radiology operations? A reputable third-party security firm can provide valuable insights about existing security measures and areas that need improvement. Tests are carried out to evaluate the organization's cybersecurity, penetration, and compliance standards.
- Continuous monitoring: Radiology departments must regularly review and update cybersecurity policies and procedures. They must also conduct security assessments and offer advanced training on threats and prevention techniques. Executives must foster an environment where employees feel empowered to report suspicious activities.
By implementing these measures, radiology executives can transcend from a reactive to a more proactive approach, significantly enhancing their cyber posture.
Conclusion
With medical imaging centers facing aggressive attacks by the minute, it’s imperative to embrace a mindset shift – starting from cultivating a cybersecurity awareness culture to implementing proactive defense strategies and hiring experts with unique skill sets to help radiologists and department leads safeguard against cyber adversaries. Thus, with a collective approach to cybersecurity that combines people, mindset, and technologies, healthcare can win the war against cyberattacks.
Dhaval Shah is executive vice president and market head, MedTech, and Shujah Das Gupta is vice president, MedTech, at CitiusTech.
The comments and observations expressed are those of the authors and do not necessarily reflect the opinions of AuntMinnie.com.