Daily Bulletin 2016

Beyond Imaging: Radiology's Solutions for Patient-centered Practices: McKesson Helps Protect Patients from Cyber Threats

Monday, Nov. 28, 2016

The role of the radiologist in a patient-centered practice sounds simple: Get the right data to the right person at the right time to assure the patient gets the right treatment.

If only it were that easy.

Evgueni Loukipoudis

Evgueni Loukipoudis

Technology provides opportunities for interoperability that would have been unimaginable even a few years ago. However, increased interoperability can bring with it increased risks. Although more information can be shared over wider networks than ever before, those "cyber" affiliations carry with them cyber threats.

Research by the Ponemon Institute indicates one out of four organizations will suffer a data breach in the next 24 months, with an average containment cost of $4 million – and health care is not immune to these breaches.

Evgueni Loukipoudis, CTO and CIO at McKesson Imaging and Workflow Solutions, points out that last year, for the first time, a hacker attacked an infusion pump and gained the ability to modify medications.

"More and more, healthcare systems are becoming the target of cybersecurity attacks," said Loukipoudis.

But when organizations place a priority on protection from cyber threats, they sometimes force compromises that make healthcare professionals uncomfortable.

Access to information is vital. Yet today, that information flows over potentially vulnerable internet and intranet channels. Creating a fortress attitude around this information flow could prevent it from reaching its destination in a timely manner.

"There is a very fine balance in dealing with these two components at the same time," Loukipoudis said.

While there is a need to assure that individuals have the appropriate authority to access information, the rigors of such a system can prove detrimental to patients.

"If you don't have authorized access to data, but you need that data because it is a matter of life or death for the patient, you need break-the-glass functionality," added Loukipoudis.

Practical challenges must be considered when trying to resolve this dilemma – and one of the most serious is cost.

As an example, most health care institutions today use IT infrastructures that were built and expanded over time, often with off-the-shelf platforms and components.

"Those components are often the target of the attack," Loukipoudis said. "They are readily available and used by the thousands."


Unfortunately, many healthcare institutions have various challenges when updating those components with the most recent patches that resolve newly discovered vulnerabilities. Newer IT infrastructure capabilities and features provide quicker remediation timeframes to reduce infrastructure detected risk.

Ironically, he pointed out, hosted public clouds have proven to be safer than private clouds when it comes to storing and sharing information. The number of serious incidents on public clouds is relatively small, compared to those on privately managed infrastructure.

Loukipoudis said that is because public cloud infrastructure has factored in the recurring investments required for cybersecurity-related updates while those who maintain their own have not.

"That could lead to a shift toward adopting public infrastructure," he said, "because the safety is, by fact, guaranteed."

Resolving these challenges is the reason for McKesson's focus on broader risk management frameworks, both pre- and post-market, that prevent the alteration of data or the context in which it is presented.

"We want to assure that data is presented correctly to that final physician who needs it to make a decision," Loukipoudis said.

Those new frameworks include the development of threat models and the ability to execute "ghost scans" and systems that incorporate incident reports, alerts and even recalls.

"Access to data is the thin ice that we all must walk on," Loukipoudis said.

For more information on the RSNA Technical Exhibits, see the RSNA 2016 Meeting App, RSNA.org/ExhibitingCompanies and the Technical Exhibits Guide.

Question of the Day:

What correction factors do I need to convert CTDIvol to dose?

Tip of the day:

Just because a device is MRI compatible does not mean it will remain so, if it is altered. For example, a neurostimulator may be MRI conditional, but if the base unit is removed (but leads remain in the patent) that patient is not necessarily safe to scan anymore.

The RSNA 2016 Daily Bulletin is owned and published by the Radiological Society of North America, Inc., 820 Jorie Blvd., Oak Brook, IL 60523.