Previously, we wrote about the growing importance of cybersecurity and the ever-increasing threats to our internet-based computers and equipment (Cybersecurity) and how Artificial Intelligence will soon affect the medical imaging industry (Artificial Intelligence and Machine Learning). Today, I would like to explore a threat that will soon be on the horizon and combines these two topics: cyber-terrorism.
According to Black Book Research*, 90% of healthcare organizations have had some form
of data breach since July 2016, with almost 50% of these organizations recording
five or more breaches. The same report revealed that 96% of IT professionals
believed that data attackers are outpacing their medical enterprises, putting
these healthcare organizations at a continued disadvantage.
As the
equipment in today's medical imaging facilities and hospitals continues to become
more sophisticated, the threat level for digital breaches rises alarmingly
with it. As recently as twenty years ago, the overwhelming majority of
medical imaging equipment was mechanical in nature, meaning any repairs or
upgrades were made with screwdrivers, wrenches, and tubes. However, the medical
imaging equipment that today's healthcare professionals rely on is essentially
an internet-connected computer with few moving parts. These machines are part of
the Internet of Things or IoT.
Just as our email accounts are subject to
malicious computer viruses, so are these IoT-based medical imaging machines, and
they are ripe for the taking. Here's why.
With the advancements in
Artificial Intelligence (AI) and Machine Learning (ML), it is only a matter of
time before we as an industry start to see AI and ML as part of our everyday
routine. The ability of a radiography system to analyze an x-ray and provide
information on anomalies based on comparisons to other, similar scans already
exists. This ability can assist radiologists in the early detection of cancer
and can be the difference between life and death for some patients.
The
same technologies that can detect a mass so small that the human eye cannot
recognize it also expose us to the threat of cyber terrorists. When we as a
community think of cybersecurity, we think of the dangers of ransomware. While
ransomware is the primary threat to a hospital, imaging facility, physician’s
office, and our personal computers, sometime soon we may wish for the simplicity
of a locked hard drive and a crashed network server.
A cyber terrorist
with access to a facility's DICOM, PACS, and/or RIS systems can cause
repercussions beyond those of the infamous 2017 attack on England's National Health
Service, which affected 70,000 IoT devices and computers and cost over $100
million**. The
same computer code that can recognize a cancerous tumor could be altered into a
virus to plant false images in patients' scans or remove a tumor from a
patient's x-ray. These actions on a large scale can lead to a catastrophic lack
of trust in the medical industry.
What would happen if the
cyberterrorists targeted a candidate for President or Vice President of the
United States? What impact do you think a cancer diagnosis will have on a
political candidate? Sounds far-fetched? Hollywood has sampled some of this
thinking in Showtime's series Homeland. In one scene a terrorist has
accessed the pacemaker of the vice president of the United States, who later
suffers a cardiac episode as a result.
Throwing away the doom and gloom
crystal ball, what can be done to prevent these nightmare scenarios?
On a
personal level, every one of us can implement the basics of cybersecurity in our
daily lives:
- Use unique passwords for each of your personal and work email accounts.
- Do not use the same password for your facility's software network and email account.
- Avoid providing personal information when answering emails.
- If you receive a suspicious email, report it immediately to your IT department.
- Set a calendar reminder to change your passwords (if your company doesn't mandate password changes).
- Acknowledge that changing your password from "password1" to "password2" is lazy and puts both your personal information and your organization's information at risk.
From an equipment perspective, many medical devices run on older versions of
Microsoft Windows. Keeping these older operating systems secure has led to a
cultural phenomenon known as "Patch Tuesday" (the second Tuesday of every month,
dedicated to Microsoft vulnerability updates). Upgrading these medical devices
or at least keeping the software up to date is essential to preventing these
nightmare scenarios.
"The dilemma with cybersecurity budgeting and
forecasting is the lack of reliable historical data," said Doug Brown, founder
of Black Book. "Cybersecurity is a newer line item for hospitals and physician
enterprises and budgets have not evolved to cover the true scope of human
capital and technology requirements yet." The result is that 88% of hospital
representatives surveyed stated that IT budgets have been flat since 2016, and
the cybersecurity portion of that same IT budget has decreased by
3%*.
Lastly, if you are in a position to influence your cybersecurity
budget, you must look to the future. While it is essential to secure your
facility against today's threats, it is more important to secure that same
facility against future threats. Tomorrow's offenders may be after money but are
more likely to be acting for an entity that has a vested interest in bringing
down our healthcare system or government.
“...some men aren't looking for anything logical, like money. They can't be bought, bullied, reasoned, or negotiated with. Some men just want to watch the world burn.” ***
- * 2018, blackbookmarketresearch.com/uploads/pdf/2018 Black Book State of the Cybersecurity Industry & User Survey Results.pdf.
- ** Brunau, Chris. “Ransomware News: WannaCry Attack Costs NHS Over $100 Million.” Business Continuity, Networking & Business Management, Datto, 18 Oct. 2018, www.datto.com/blog/ransomware-news-wannacry-attack-costs-nhs-over-100-million.
- *** Nolan, Christopher, director. The Dark Knight. Warner Brothers, 2009.