The Importance of Cybersecurity for Medical IOT Devices

Rise of the Machines

Previously, we wrote about the growing importance of cybersecurity and the ever-increasing threats to our internet-based computers and equipment (Cybersecurity) and how Artificial Intelligence will soon affect the medical imaging industry (Artificial Intelligence and Machine Learning). Today, I would like to explore a threat that will soon be on the horizon and combines these two topics: cyber-terrorism.

According to Black Book Research*, 90% of healthcare organizations have had some form of data breach since July 2016, with almost 50% of these organizations recording five or more breaches. The same report revealed that 96% of IT professionals believed that data attackers are outpacing their medical enterprises, putting these healthcare organizations at a continued disadvantage.

As the equipment in today's medical imaging facilities and hospitals continues to become more sophisticated, the threat level for digital breaches rises with alarming sophistication. As recently as twenty years ago, the overwhelming majority of medical imaging equipment was mechanical in nature, meaning any repairs or upgrades were made with screwdrivers, wrenches, and tubes. However, the medical imaging equipment that today's healthcare professionals rely on is essentially an internet-connected computer with few moving parts. These machines are part of the Internet of Things, or IoT.

Just as our email accounts are subject to malicious computer viruses, so are these IoT-based medical imaging machines, and they are ripe for the taking. Here's why.

With the advancements in Artificial Intelligence (AI) and Machine Learning (ML), it is only a matter of time before we as an industry start to see AI and ML as part of our everyday routine. The ability of a radiography system to analyze an x-ray and provide information on anomalies based on comparisons to other, similar scans already exists. This ability can assist radiologists in the early detection of cancer and can be the difference between life and death for some patients.

The same technologies that can detect a mass so small that the human eye cannot recognize it also expose us to the threat of cyber terrorists. When we as a community think of cybersecurity, we think of the dangers of ransomware. While ransomware is the primary threat to a hospital, imaging facility, physician’s office, and our personal computers, sometime soon we may wish for the simplicity of a locked hard drive and a crashed network server.

A cyber terrorist with access to a facility's DICOM, PACS, and/or RIS systems can cause repercussions beyond those of the infamous 2017 attack on England's National Health Service, which affected 70,000 IoT devices and computers and cost over $100 million**. The same computer code that can recognize a cancerous tumor could be altered into a virus to plant false images in patients' scans or remove a tumor from a patient's x-ray. These actions on a large scale can lead to a catastrophic lack of trust in the medical industry.

What would happen if cyberterrorists targeted a candidate for President or Vice President of the United States? What impact do you think a cancer diagnosis would have on a political candidate? Sound far-fetched? Hollywood has sampled some of this thinking in Showtime's series Homeland. In one scene, a terrorist has accessed the pacemaker of the vice president of the United States, who later suffers a cardiac episode as a result.

Throwing away the doom and gloom crystal ball, what can be done to prevent these nightmare scenarios?

On a personal level, every one of us can implement the basics of cybersecurity in our daily lives:

  1. Use unique passwords for each of your personal and work email accounts.
  2. Do not use the same password for your facility's software network and email account.
  3. Avoid providing personal information when answering emails.
  4. If you receive a suspicious email, report it immediately to your IT department.
  5. Set a calendar reminder to change your passwords (if your company doesn't mandate password changes).
  6. Acknowledge that changing your password from "password1" to "password2" is lazy and puts both your personal information and your organization's information at risk.

From an equipment perspective, many medical devices run on older versions of Microsoft Windows. Keeping these older operating systems secure has led to a cultural phenomenon known as "Patch Tuesday" (the second Tuesday of every month, dedicated to Microsoft vulnerability updates). Upgrading these medical devices, or at least keeping their software up to date, is essential to preventing these nightmare scenarios.

"The dilemma with cybersecurity budgeting and forecasting is the lack of reliable historical data," said Doug Brown, founder of Black Book. "Cybersecurity is a newer line item for hospitals and physician enterprises and budgets have not evolved to cover the true scope of human capital and technology requirements yet." The result is that 88% of hospital representatives surveyed stated that IT budgets have been flat since 2016, and the cybersecurity portion of that same IT budget has decreased by 3%*.

Lastly, if you are in a position to influence your cybersecurity budget, you must look to the future. While it is essential to secure your facility against today's threats, it is more important to secure that same facility against future threats. Tomorrow's offenders may be after money but are more likely to be acting for an entity that has a vested interest in bringing down our healthcare system or government.

“...some men aren't looking for anything logical, like money. They can't be bought, bullied, reasoned, or negotiated with. Some men just want to watch the world burn.” ***