© 2019 SourceMedia. All rights reserved.

Imaging devices, soft security practices are a ‘weak link’ in protecting data

Security concerns for imaging professionals are on the rise, as hackers view digital radiological devices—increasingly connected to IT systems—as a weak link that can be broken to access medical information.

Healthcare organizations aren’t spending enough on hacking defenses anyway, and imaging systems represent a potential playground for hackers who want to crack defense perimeters of healthcare organizations.

Those weaknesses range from outdated operating systems on imaging devices to sloppy use of usernames and passwords to misguided efforts to make it easy to exchange image files, said speakers Monday at a session describing best cybersecurity practices for radiologists at the annual meeting of the Radiological Society of North America in Chicago.

“Healthcare environments remain one of the greatest substantial risks to protected health information, and connected medical devices, including medical imaging systems, are particularly susceptible, because they often incorporate software that is vulnerable to threats,” said J. Anthony Seibert, professor of radiology at the school of medicine for University of California Davis in Sacramento.

There’s growing awareness of vulnerabilities that could affect medical devices that link to hospital networks, but healthcare organizations traditionally haven’t spent much on protection technology—about 5 percent of IT budgets, vs. 12 to 15 percent of IT budgets spent by other industries, Seibert said.

Meanwhile, hackers have easy access to information on how to crack into networks, free or low-cost tools to do so, and increasing financial motivation to attack. As a result, some 94 percent of healthcare organizations say they’ve been a victim of a cyberattack, Seibert said, referencing a recent study.

Providers often make it easier for them. Some imaging systems are still operating on Windows XP, for which Microsoft is no longer providing security updates. Some imaging IT systems have weak defaults or hard-coded credentials that are easy to crack, and usernames and passwords are often generic, and typically poorly guarded or plastered on machines with Post-It Notes, he added.

Other vulnerabilities are not as obvious. For example, DICOM files—standard-based images that are intended to be easily shared by imaging systems—were found to have a 128-byte “preamble” intended to hold file metadata in which hackers could insert malware code that could enable access to systems. And recently, a study by ProPublica found that 187 servers containing images were not protected by any security, enabling anyone to access the image studies of millions of Americans.
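
As an added illustration (not part of the original article and not any vendor's code), a defensive intake check can inspect the 128-byte preamble that precedes the `DICM` marker and flag files whose preamble begins with an executable signature. The verdict labels, the signature list and the helper names are assumptions of this example, and the sample files are constructed.

```python
import struct

PREAMBLE_LEN = 128        # DICOM Part 10 files begin with a 128-byte preamble
DICM_MAGIC = b"DICM"      # followed by this marker at offset 128

# Well-known leading signatures of executable content (example policy list).
EXECUTABLE_MAGICS = {
    b"MZ": "DOS/PE executable header",
    b"\x7fELF": "ELF executable header",
    b"#!": "script interpreter line",
}
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")


def inspect_preamble(data: bytes) -> tuple:
    """Return (verdict, reason); the verdicts are this example's own labels."""
    if data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != DICM_MAGIC:
        return "not-dicom", "no DICM marker at offset 128"
    preamble = data[:PREAMBLE_LEN]
    if preamble == bytes(PREAMBLE_LEN):
        return "clean", "preamble is all zero bytes"
    for magic, label in EXECUTABLE_MAGICS.items():
        if preamble.startswith(magic):
            reason = label
            if magic == b"MZ":
                # In a PE image, the 4-byte field at 0x3C holds the offset
                # of the "PE\0\0" signature; confirm it if it is present.
                (pe_off,) = struct.unpack_from("<I", preamble, 0x3C)
                if data[pe_off:pe_off + 4] == b"PE\x00\x00":
                    reason += ", PE signature confirmed at offset %d" % pe_off
            return "block", reason
    if preamble.startswith(TIFF_MAGICS):
        return "review", "TIFF header in preamble (dual-format file)"
    return "review", "non-zero preamble of unknown content"


def make_sample(preamble: bytes, tail: bytes = b"") -> bytes:
    """Constructed test file: zero-padded preamble + DICM marker + tail."""
    return preamble.ljust(PREAMBLE_LEN, b"\x00") + DICM_MAGIC + tail


if __name__ == "__main__":
    for name, blob in {
        "zeroed": make_sample(b""),
        "mz-prefixed": make_sample(b"MZ"),
        "tiff-prefixed": make_sample(b"II*\x00"),
    }.items():
        print(name, inspect_preamble(blob))
```

A check like this belongs at the point where studies enter the PACS or are imported from removable media, alongside the normal malware scanning of the full file.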

Provider organizations need to take additional steps to harden defenses around imaging devices and systems, Seibert said. At UC Davis, for example, radiology systems and PACS are located on non-routable IP networks to prevent easy access through the Internet. In addition, USB interfaces on all image viewers have been disabled—both to prevent images from being taken from the system, and to prevent the introduction of malware that any USB-based memory devices might contain.

Training staff and testing them frequently on security practices are an important bulwark against cyberattacks, said Christopher Roth, MD, associate professor of radiology and vice chair of information technology and clinical informatics at Duke Health.

Duke also hypes security “wins” that prevent illegitimate access to its networks, and offers staff tools that benefit them as individuals as well as the organization, said Roth, who also serves as director of imaging informatics strategy for Duke Health. For example, it touts a password manager that handles an individual’s passwords and protects them more securely. Staff can bring in their phones, but the devices need to have personal device manager software from Duke that ensures security.

“If they don’t want it on their device, it’s OK for them to bring their phone in, but they can’t access the data-rich network” on which Duke runs its information systems, he says. “We’ve tried to highlight that we are protecting ourselves this way, as well as their patients’ data, as well as their family’s records.”
