Experts discuss cybersecurity threats and tips at RSNA

December 11, 2017
by John R. Fischer, Senior Reporter
Revenue from ransomware attacks has risen in the last year from $24 million to $1 billion.

The change reflects the growing acceleration of such attacks over the last 18 months, with an increase of over 2000 percent in the ransomware sales market from $250,000 to $6.4 million in one year.

“This just tells you that this is a maturing marketplace,” James Whitfill, chief medical officer at Innovation Care Partners, said in a presentation, Cybersecurity for Imaging Departments and Imagers, at the 2017 Radiological Society of North America (RSNA) annual conference. “There’s so much money and so much sophistication here that just like our PACS systems, which have become best of breed components with VNA versus worklist versus viewer, the ransomware world is going in the exact same direction.”

Cyberattacks in general can pose harm in health care in many ways, from fraud and exploitation to threats against patient lives.

Here is an overview of some of the most common situations that can arise from cyberattacks in health care today:

Fraud and Theft
An electronic medical record (EMR) contains almost everything about a patient, from demographic to billing information, making it a coveted treasure among hackers.

With information acquired from an EMR, anyone can potentially steal identities, open up charge accounts to run up debt or start false claims.

This is known as direct economics, and though still prevalent, it is now beginning to be overshadowed by indirect economics.

Exploitation
Indirect economics involves the theft of information from sources such as an EMR with the hacker providing the information to another group or individual in exchange for money or resources.

This creates difficulty in stopping the spread and abuse of patient and provider information and determining the full extent of risks. A popular place for the selling of information is the dark web.

“There is an open market for information,” Whitfill said. “The smartest people in the security world are looking on the dark market for their information. They’re not assuming that their defenses are strong. They’re trying to find where their information has leaked out.”

Extortion
Whether the information is used by the hacker or someone who bought it, extortion is always a possibility, with many providers often being forced to pay ransoms in exchange for preventing disclosure of sensitive information.

Threats to patients
Hackers can easily access and manipulate the inner workings of various medical devices. Infusion pumps are one example, with hackers able to take control and dispense medicine, potentially administering an overdose that could seriously harm or kill patients.

The possibility of such an attack has led to the recall of many devices over missing or inefficient security measures.

How to stop them
Part of the reason that providers are vulnerable to cyberattacks is the present mindset of focusing on past experiences rather than thinking about ones that have yet to occur, according to Whitfill.

“We focus on untargeted attacks that are very much not sophisticated,” he said. “We’re very much fighting the last war, focusing on attacks from three years ago, five years ago. We need to be focused on what these people are planning next week and next month. We tend to be very shortsighted as physicians.”

Kevin McDonald, director of clinical information security in the office of information security at Mayo Clinic, says there are many flaws in security operations that can lead to breaches, including the presence of default passwords, application issues such as the inability to run anti-virus software, not applying upgrades to old systems, poor management of support panels and lack of effective encryption.

His suggestion for providers is to have a comprehensive security program internally with standards and minimum requirements. He encourages evaluating new purchases during the buying process and working in conjunction with health technology managers, vendors and stakeholders in assessing the security of medical devices. He also advises that administration staff be trained on security protocols, report incidents and document accountability.

“The thing that you need to do with all of these is push that security to the front of the device decision-making process,” he said.

However, Whitfill says that one of the main reasons imaging departments fall victim to such attacks has to do with the attitude of radiologists.

“Radiologists say we don’t have to worry about this because we treat our information differently from everyone else,” he said. “I don’t think that’s the case. It’s clear that there are many examples for those of us in radiology [where] we are just as guilty, we’re just as human as everybody else.”