Daily Bulletin 2016

Radiology Should Take the Lead in Improving Cybersecurity

Monday, Nov. 28, 2016

Because medical imaging devices are increasingly vulnerable to attacks from hackers, radiologists should take a leadership role in ensuring that facilities and institutions are doing as much as possible to counter the threat, according to presenters at a Sunday session.

Threats to medical device security can come from many factors, said Kevin Hemsley, project manager for the Idaho National Laboratory supporting the Department of Homeland Security's Industrial Control Systems Computer Emergency Response Team.

Anthony Seibert, PhD

Anthony Seibert, PhD

Kevin Hemsley

Kevin Hemsley

Ideologically motivated "hacktivists" can break into systems in order to make a statement, while criminal elements sell medical data at a premium on the black market. Ransomware attacks, in which hackers take control of a system and demand money, have become increasingly common.

Imaging systems are not invulnerable, Hemsley said. Recently, a company hired to look for vulnerabilities in a hospital's MRI system discovered that the host system's firewall and automatic updates were off and there were 114 open ports.

"The company found out they could get into the imaging processor and controller and they did all of this from the guest WiFi system," Hemsley said.

Radiologists need to be more proactive in taking steps to mitigate threats, said J. Anthony Seibert, PhD, professor and associate chair of informatics at the University of California Davis Health System in Sacramento.

"We need to overcome our denial," Dr. Seibert said. "Security is an imaging system problem. Even in a secure subnet you can be extremely vulnerable."

Vulnerabilities on devices include hard-coded passwords and no encryption of patient data. A recent study determined that many facilities fail to change the generic usernames and passwords that are supplied with equipment software. The study found that among the most common passwords were "operator," "scan" and "service."

The biggest threats to an organization come from within in the form of disgruntled employees. Administrators should turn off accessibility as soon as employees are dismissed, he said.

"The fact is, security is a shared responsibility," Dr. Seibert said. "It's not just vendors but also users who have ultimate responsibility."

Fighting Back Against Hackers

Radiologists and managers can fight back against hackers in a number of ways, including educating staff on cybersecurity risks. On the technical side, firewalls, virtual private networks and encryption are essential tools. Physical measures include device isolation, access restriction and methods to back up data. Administrators should be sure to document security policies, maintain audit trails and enforce policies.

"We need to continue to work on this until we have 100 percent compliance," Dr. Seibert said.

He also recommends using a two factor authentication process, encrypted USB drives and biometric identification for access to imaging systems. Devices should not be directly accessible to the Internet, Hemsley said. Users can use Shodan.io, a search engine for Internet-connected devices, to search their IP space to see what devices others can see over the Internet. Hemsley showed results of such searches including imaging reports, prescriptions and other private information.

The best security systems are seamless to users, Dr. Seibert noted. Seamlessness will be achieved in the future through technological advances such as biometric scans to replace passwords and near-field communication devices which require physical proximity to operate a device.

"Security risk management is an ongoing process," he said. "You have to be proactive and maintain patient safety as an overriding objective.

"Cybersecurity is more than HIPAA," Hemsley added. "It equals patient safety."

Question of the Day:

What correction factors do I need to convert CTDIvol to dose?

Tip of the day:

Just because a device is MRI compatible does not mean it will remain so, if it is altered. For example, a neurostimulator may be MRI conditional, but if the base unit is removed (but leads remain in the patent) that patient is not necessarily safe to scan anymore.

The RSNA 2016 Daily Bulletin is owned and published by the Radiological Society of North America, Inc., 820 Jorie Blvd., Oak Brook, IL 60523.