Today’s healthcare systems operate in a mostly digital world. Vast, interconnected networks enable the myriad services that make up the healthcare continuum and enable the accurate and efficient delivery of care. This digital connectivity has allowed some amazing technological advances to come to light. Things like telemedicine, wearable technologies and artificial intelligence could not exist without it.
For imaging providers, it would be difficult to imagine the practice of radiology without these transformative new technologies, many of which have led to improved efficiencies, higher diagnostic quality and better-informed, life-changing medical treatments.
A Number One Priority for Health Entities in 2022
Dependence on this highly digital infrastructure comes with important considerations for healthcare organizations. In fact, cybersecurity (and the challenges of ensuring patient safety, privacy and security) has emerged as the number one technology hazard for health facilities in 2022, according to the ECRI Institute.
This #1 ranking comes with good reason.
Last year, cybersecurity breaches were at their highest ever recorded, with more than 45 million individuals impacted by attacks on healthcare organizations. These breaches often included exposure of patients’ protected health information (PHI), representing more than a 30 percent increase from reported incidents in 2020. Cyberattacks were counted separately from ransomware attacks, which themselves showed a 59% increase in reported incidence by healthcare organizations between 2020 and 2021.
The risks for health organizations are far-reaching and come at an extremely high price. Unlike other industries that may be impacted by security breaches, a healthcare-related cyber event has the potential to not just affect business operations and revenue (which can be devastating in itself); it may also disrupt care delivery and put patients at serious risk of physical harm.
To further put this in perspective, healthcare organizations in 2021 lost nearly $21 billion in revenue caused by downtime and other operational costs related to a cyber incident. Of course, this number doesn’t include the costs that come with the erosion of patient confidence and the impact of stress on staff in the wake of a disruptive breach.
Why Is Cybersecurity So Important in the Medical Device Industry?
As medical devices become more advanced and the Software as a Medical Device (SaMD) industry booms, it is crucial to make sure your medical devices are cyber-secure. As with all technologies, any medical device that contains software requires vigilance, because it can become vulnerable to cybersecurity threats and attacks. The healthcare industry has long been a target of cyberattacks because of the vast amounts of health information and data it holds, such as patient health data, product performance data, or data from other devices connected to the same network.
A bit of background:
With COVID-19 placing the whole of our healthcare industry under immense stress, it has become even more crucial to ensure cybersecurity in our medical devices and reduce vulnerabilities in our healthcare infrastructure.
The lack of cybersecurity in medical devices took center stage when the NHS was attacked in 2017. “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks,” said Amyas Morse, head of the National Audit Office.
This cyberattack targeted computers running Microsoft Windows around the world, encrypting people’s data and demanding payment in the cryptocurrency Bitcoin before restoring access to it. Because of events like this, regulatory bodies like the FDA are finally taking the problem of cybersecurity more seriously. In 2019, the U.S. Food and Drug Administration (FDA) issued a warning about two security flaws affecting dozens of implantable cardioverter defibrillators.
Why is healthcare a target for cybersecurity attacks?
- Private patient information is worth a lot of money
  - Healthcare facilities are a target because they store an immense amount of confidential patient data, which can be sold for large sums of money.
- Outdated technology means the healthcare industry is unprepared for attacks
  - Because of budget limitations and a hesitance to learn or teach new systems, many healthcare facilities have outdated technology.
- Medical devices are an easy entry point for attackers
  - Medical devices and SaMD play a critical role in modern healthcare. But for those in charge of online security and patient data protection, new devices open up more entry points for security breaches.
- Healthcare staff aren’t educated in online risks
  - Because of time, budget, and resource constraints, medical professionals are not trained to deal with online threats, and it is difficult for healthcare industry staff to become fluent in cybersecurity best practices.
- The number of devices used in hospitals makes it difficult to stay on top of security
  - Healthcare organizations are responsible for large amounts of patient data and, more often than not, an extensive network of medical devices, each of which is a potential security threat.
Tips for Keeping Imaging Systems Secure
Cyberattacks can create interruptions for healthcare entities — from simple appointment scheduling and check-in processes to online payment systems. Cyberattacks can also impact network-connected medical devices and the data networks they rely on to deliver time-sensitive care to patients.
Earlier this year, the FDA issued a draft of cybersecurity guidance for healthcare organizations. In addition to presenting preliminary recommendations, the FDA is seeking stakeholder feedback and recommendations for keeping digital and data breaches at bay. “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” aims to prioritize the safeguarding of medical devices throughout their intended cycle of use.
Aside from the extensive practices and network IT safety measures most hospitals have already implemented, such as running anti-virus software, employing a virtual private network (VPN) and fortifying firewalls, there are some simple yet important steps imaging departments can take to further protect themselves from a cyber attack.
- Recognize that this is not simply an IT issue. Place high importance on cybersecurity among all stakeholders in the healthcare delivery process. This includes healthcare leaders, providers, device manufacturers and frontline employees. It takes everyone’s diligence to keep integral systems and patient data safe.
- Replace outdated equipment. All equipment (especially equipment that relies on technology interfaces to operate) comes with an expiration date. This date may not be clearly marked and will vary depending on the extent of use, maintenance and other factors. Using equipment that was designed to meet the needs of another era is an invitation for a security issue. Legacy products that cannot be updated and secured to today’s standards must be transitioned out of use.
- Conduct an equipment audit. Engage in a deep evaluation of all networked radiology equipment, placing special focus on software, open but unused ports, and older CD drives. Report any concerns to your IT team or imaging partner. Raising the concern, even if there turns out not to be one, is better than letting potential vulnerabilities continue.
- Keep systems separate. Schedule time with your IT department to verify that all essential radiology systems and their data are kept separate from office operations and other hospital departments. Only those who have security clearance for the radiology network systems should have access to them. There should be no personal or employee email communication connected to the imaging services network; such a connection is an open invitation to hackers or other data infiltrators.
- Update software religiously. One of the simplest ways to keep your imaging networks and equipment safe from a cyberattack is to keep all software updates current and to apply patches in a proactive and timely manner. Lean on your equipment service providers to make sure essential updates are kept current. If a service can be added to ensure software is updated consistently, such a service is a wise investment.
Emerging Security Requirements for Internet-Connected Devices
The American Hospital Association recently issued support for the Healthcare Cybersecurity Act (S.3904), legislation that seeks to boost training related to cybersecurity in the Healthcare and Public Health (HPH) field.
“We appreciate that the bill calls for an analysis of cybersecurity risks to the HPH sector with a focus on impacts to rural hospitals, vulnerabilities of medical devices, and cybersecurity workforce shortages, among other important issues,” the AHA said in its letter to senators.
Lean on Your Trusted Vendors and Equipment Providers
Vpmimaging customers have the double assurance of a diligent local service team. Our customers benefit from a state-of-the-art portfolio of products, cybersecurity management processes, and ongoing diligence and attention to cybersecurity issues to counteract the threats of today and those yet unknown.
What does a cybersecurity analyst do?
Cybersecurity analysts protect computer networks from cyberattacks and unauthorized access. They do this by trying to anticipate and defend against cyber threats, and responding to security breaches when they do happen. In this job, you play a key role in protecting your organization's valuable data.
What qualifications do you need for cybersecurity?
In general, a cybersecurity engineer must have the following qualifications: a degree in Computer Science, IT, Systems Engineering, or a similar field, and two years of work experience in cybersecurity-related duties such as incident detection and response, and forensics.
What security threats exist in medical device technology?
From an IT perspective, connected medical devices can be subject to additional cybersecurity risks, including denial-of-service and patient data theft. Computer viruses and malware also have the potential to jeopardize a patient's treatment and privacy.
Can medical equipment be hacked?
A 2015 report showed that hackers are using medical devices as back doors to break into healthcare networks and steal medical data. Experimental hacker Jay Radcliffe demonstrated how simple it is to take control of a connected insulin pump and trigger a lethal dose to the patient.
What is the most important aspect of cybersecurity in healthcare?
Cybersecurity in healthcare involves protecting electronic information and assets from unauthorized access, use and disclosure. There are three goals of cybersecurity: protecting the confidentiality, integrity and availability of information, also known as the “CIA triad.”
How important is cybersecurity in healthcare?
Aligning cybersecurity and patient safety initiatives not only will help your organization protect patient safety and privacy, but will also ensure continuity of effective delivery of high-quality care by mitigating disruptions that can have a negative impact on clinical outcomes.