Friday, September 29, 2017

Vendor Neutral PACS Administrator training

A red light on my dashboard suddenly came on saying “no charging.” The battery indicator showed still at least 12 Volts, so I chose to continue my errand and take care of it when I got back home. That was a mistake, which I found out when my car stalled at a red light in a busy intersection. I should have turned around right away and/or gone to a garage to take care of my alternator which was broken. This event caused me to think that all of us are taught to drive a car before getting a license, but we aren’t taught basic troubleshooting of issues that might occur, hence these kinds of events could happen to anyone.

The same can be said of training as a PACS administrator. Similar to when a car salesman explains where to find the blinker and light switch, and possibly even how to set the clock on your car, there is little vendor training about how a PACS functions, what can go wrong, and how to interpret the “error messages.”

The good news is that cars have gotten pretty reliable, you don’t need to be a part-time mechanic anymore to be able to operate them. The bad news is that is not the case with supporting a PACS system. These are complex software applications, which definitely can have bugs, and are subject to many user errors and/or integration issues, which can cause images and related information to be unavailable or incorrectly presented to a physician.

Even though one is trained on a PACS system from a specific vendor of a particular release, it does not mean that you are taught the fundamentals. For example, what happens if the PACS rejects an image because it has a duplicate Accession Number, Study Number, Series UID, or SOP Instance UID?

Vendor-specific training does not cover what could have been the cause and how to fix it. Nor does it cover what a “DICOM error” means, how to interpret the log files, or what to do if a modality does not display a worklist. What if images are randomly “dropped” when sending from a modality to the PACS? The easy answer is: call the vendor. But what if there is finger-pointing going on between the modality, RIS and PACS vendors, or what if the vendor is not going to be on-site for another 4 hours and your PACS is refusing to display any images?
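The duplicate-identifier rejections mentioned above are a good illustration of the fundamentals a PACS administrator needs. The following is an added example (not code from the original post or from any PACS vendor) that walks a constructed batch of image headers and reports the conflicts a PACS typically refuses on ingest: a SOP Instance UID that arrives twice, an Accession Number shared by two different patients, and a Series Instance UID that appears under two different studies. All UIDs, patient IDs and accession numbers are made up for the example, and the distinction between a harmless resend and a real collision is the kind of check an administrator would add, not a rule taken from any specific product.

```python
from collections import defaultdict

# Constructed sample image headers (hypothetical UIDs, no real patient data).
SAMPLE_IMAGES = [
    {"patient_id": "P001", "accession": "ACC1001", "study_uid": "1.2.3.1",
     "series_uid": "1.2.3.1.1", "sop_uid": "1.2.3.1.1.1"},
    {"patient_id": "P001", "accession": "ACC1001", "study_uid": "1.2.3.1",
     "series_uid": "1.2.3.1.1", "sop_uid": "1.2.3.1.1.2"},
    # Resend of the first image: identical identifiers arrive a second time.
    {"patient_id": "P001", "accession": "ACC1001", "study_uid": "1.2.3.1",
     "series_uid": "1.2.3.1.1", "sop_uid": "1.2.3.1.1.1"},
    # Same SOP Instance UID reused for an image of a different patient: a real collision.
    {"patient_id": "P009", "accession": "ACC1009", "study_uid": "1.2.3.9",
     "series_uid": "1.2.3.9.1", "sop_uid": "1.2.3.1.1.2"},
    # Accession number reused on a different patient (typical worklist mix-up).
    {"patient_id": "P002", "accession": "ACC1001", "study_uid": "1.2.3.2",
     "series_uid": "1.2.3.2.1", "sop_uid": "1.2.3.2.1.1"},
    # Series UID that belongs to two different studies.
    {"patient_id": "P003", "accession": "ACC1003", "study_uid": "1.2.3.3",
     "series_uid": "1.2.3.2.1", "sop_uid": "1.2.3.3.1.1"},
]

KEY_FIELDS = ("patient_id", "accession", "study_uid", "series_uid")


def find_ingest_conflicts(images):
    """Return a sorted list of (rule, identifier) pairs a PACS would flag on ingest.

    Rules:
      duplicate_sop_resend     - same SOP Instance UID, all other identifiers match
      duplicate_sop_collision  - same SOP Instance UID, other identifiers differ
      accession_on_multiple_patients
      series_in_multiple_studies
    """
    first_seen = {}                      # sop_uid -> first header with that UID
    acc_to_patients = defaultdict(set)   # accession -> patient ids using it
    series_to_studies = defaultdict(set) # series uid -> study uids containing it
    conflicts = []

    for img in images:
        sop = img["sop_uid"]
        if sop in first_seen:
            previous = first_seen[sop]
            same = all(previous[f] == img[f] for f in KEY_FIELDS)
            rule = "duplicate_sop_resend" if same else "duplicate_sop_collision"
            conflicts.append((rule, sop))
        else:
            first_seen[sop] = img
        acc_to_patients[img["accession"]].add(img["patient_id"])
        series_to_studies[img["series_uid"]].add(img["study_uid"])

    for acc, patients in acc_to_patients.items():
        if len(patients) > 1:
            conflicts.append(("accession_on_multiple_patients", acc))
    for series, studies in series_to_studies.items():
        if len(studies) > 1:
            conflicts.append(("series_in_multiple_studies", series))
    return sorted(conflicts)


if __name__ == "__main__":
    for rule, ident in find_ingest_conflicts(SAMPLE_IMAGES):
        print(f"{rule:32s} {ident}")
```

A resend with matching identifiers is usually safe to discard, while a collision on the SOP Instance UID or an accession number spanning two patients points at the modality or RIS configuration and has to be resolved before the study is shown to a physician.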

I can go on-and-on listing many reasons and situations that are not covered by a vendor-specific PACS training program; but that is what you are taught by Vendor Neutral PACS Administrator (VNPA) training. That is why many PACS administrators search for “neutral” training providers that do teach the fundamentals.

The generic or neutral training is also a great track for healthcare imaging professionals who would like to get into this field, or want to cross over from a related career such as healthcare IT or clinical specialties such as radiological technologists.

The PACS fundamentals training covers subjects such as DICOM and HL7 basics and troubleshooting, and also covers new developments such as Vendor Neutral Archives (VNA), how to implement enterprise image archiving, what to look for when you get the new breast tomosynthesis modality or IV-OCT in cardiology, and the characteristics of the new encounter-based specialties such as surgery, endoscopy and in the future digital pathology.

As an additional bonus, you can even consider getting certified as a PACS administrator, where you might consider the basic, advanced and DICOM certifications.

So, even though you might have had the vendor-specific PACS administrator training, you might want to consider the Vendor Neutral PACS administrator training as well. It teaches you the fundamentals, which will empower you to be a mediator between vendors who are pointing fingers at each other and blaming “the other” as the culprit, to perform basic troubleshooting yourself without having to wait for your vendor to show up, and to be prepared for new developments in PACS and modality technology.

Thursday, September 21, 2017

PACS and Cyber Security.

There is a lot of anxiety around cybersecurity, especially after the recent ransomware incidents which basically shut down several hospitals in the UK and affected several institutions in the US. The question is whether we should be concerned with potential cyber security breaches in our PACS systems and how to prevent, diagnose and react to them.

At the recent HIMSS security forum in Boston, a distinguished panel rated the security performance and readiness of healthcare IT systems at around 4 on a scale of 1 to 10. That is certainly very troublesome. Combined with the fact that breaches in healthcare systems are by far the most frequent, as they are potentially more rewarding for hackers than trying to get access to, for example, credit card information, it means that this industry still has a lot of catching up to do.

The problem is also that the vulnerabilities are increasing as the Internet of Things (IoT) is expanding exponentially, with as many as 10 million devices being added every day, and is estimated to reach 20 billion by 2020. Included in the IoT are medical imaging devices, which may put PACS in the high-risk category, as downtime could mean no access to images, which could directly impact patient care. However, there are even higher risk devices that have proven to be potential targets for intrusions, such as IV pumps that administer drugs, implantable pacemakers, personal insulin pumps, etc., where tampering can be immediately fatal to a patient. One can compare this threat with that posed to the controls of a self-driving car, whereby a hacker could turn the steering wheel so the car goes into traffic, which can be as dangerous as increasing the morphine drip rate of an infusion pump.

Now getting back to PACS: if a hacker gains access to a patient imaging database, there are typically no Social Security numbers, addresses, credit cards or other potentially lucrative personal information stored in the PACS. A more likely scenario would be that the PACS is used to provide a “backdoor” into the EMR or hospital information system, either to shut that down and use it as a potential ransomware threat, or to get to the more extensive patient records in other systems. The prevailing opinion is that ransomware is probably the most likely scenario, as it gives immediate rewards (pay $xxx or else….) instead of having to sell the patient records on the black market.

So, how can vendors and institutions prepare? First of all, no system can be made totally foolproof, just as no lock can be strong enough to protect against every type of attack. If someone is really motivated and wants to spend the time, there is always going to be a way to break in. The good news is that apparently a typical hacker is willing to spend, on average, a mere 150 hours on one attempt; after that they will move on to find another target that may be easier to break into.

This could be different if the attacker represents a nation-state that wants to access the records of military personnel served by a DOD hospital: they have all the time in the world, which is why the VA, DOD and other military healthcare institutions have a much higher set of cyber security rules. And the threat is real: according to the recent HIMSS security survey, more than 50 percent of the respondents reported that they had been subject to a known cyber-attack over the past 12 months. The emphasis is on “known,” as it typically takes more than 200 days to detect an intrusion.

The key to preparation for every healthcare IT system is “basic hygiene,” analogous to hand-washing to prevent infections. Cyber security “hygiene” starts with updating your operating systems and implementing patches as they come out. Just as an illustration, the WannaCry ransomware attack, which affected about a quarter of a million computers in 230 countries, exploited a flaw in the Microsoft OS for which a fix had been distributed two months prior to the attack. Basic “cyber hygiene” also includes password updates, three-way authentication, closing down unused ports, segmenting your network, disabling flash drives, using virus scanners and firewalls, etc. Also, make sure you have a backup and/or duplicated system so that as soon as your system goes down you can still operate.
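Two of the hygiene items above, patch lag and unused open ports, are easy to measure once you keep an inventory of the imaging nodes. The following is an added example (not code from the original post, and not tied to any vendor's tooling) that audits a constructed inventory against a maximum patch age and an allowlist of ports a PACS node legitimately needs. The hostnames, patch dates and port lists are made up; the allowlist (DICOM on 104 and 11112, HTTPS, SSH for administration) and the 30-day threshold are assumptions a site would replace with its own policy.

```python
from datetime import date

# Constructed inventory of imaging nodes (hypothetical hosts, dates and ports).
INVENTORY = [
    {"host": "pacs-archive-01", "last_patch": date(2017, 9, 1),
     "open_ports": [11112, 443, 22]},
    {"host": "ct-scanner-02", "last_patch": date(2017, 2, 10),
     "open_ports": [104, 445, 3389]},
    {"host": "rad-workstation-07", "last_patch": date(2017, 8, 20),
     "open_ports": [445, 3389, 21]},
]

# Assumed policy: ports a PACS node is expected to expose, and the longest
# acceptable gap since the last OS patch was applied.
ALLOWED_PORTS = {104, 11112, 443, 22}
MAX_PATCH_AGE_DAYS = 30


def patch_lag_days(device, today):
    """Days since the device's last recorded OS patch."""
    return (today - device["last_patch"]).days


def unexpected_ports(device, allowed_ports=ALLOWED_PORTS):
    """Open ports that are not on the allowlist, e.g. file sharing or remote desktop
    left listening on a modality."""
    return sorted(set(device["open_ports"]) - set(allowed_ports))


def audit(inventory, today, allowed_ports=ALLOWED_PORTS,
          max_age=MAX_PATCH_AGE_DAYS):
    """Return {host: [finding, ...]} for every device that fails a hygiene check.

    Devices with no findings are omitted so the report only lists work to do.
    """
    findings = {}
    for device in inventory:
        issues = []
        lag = patch_lag_days(device, today)
        if lag > max_age:
            issues.append(f"patch lag {lag} days (limit {max_age})")
        extra = unexpected_ports(device, allowed_ports)
        if extra:
            issues.append(f"unexpected open ports {extra}")
        if issues:
            findings[device["host"]] = issues
    return findings


if __name__ == "__main__":
    # Constructed "today" matching the post's date so the output is reproducible.
    for host, issues in audit(INVENTORY, date(2017, 9, 21)).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

Run on a regular schedule, a report like this turns the abstract advice into a worklist: the scanner that has not been patched in over seven months and still exposes file-sharing and remote-desktop ports is exactly the kind of node the WannaCry paragraph describes.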

A comprehensive cyber security program has to be in place, which includes allocating resources. As an example, Intermountain Healthcare has an IT staff of 600 people to support its 22 hospitals and 180 clinics, with 70 of those people (12%) dedicated to cyber security. This is an exception; the average IT budget allocated to cyber security is only about 6-8%.

There are lots of resources to get started. The best known and most used is the NIST security framework; there is also a very extensive certification that is becoming more popular called HITRUST. At a minimum, one can start by looking at the so-called MDS2 (Manufacturer Disclosure Statement for Device Security) form developed by NEMA and HIMSS. As a vendor, one should look at these resources, and as an end user you might want to request the MDS2 and ask about HITRUST certification. There already are several vendors who are supporting this.

In conclusion, PACS is probably not the number one target for cyber attack, but it could be an easy backdoor to other systems, which can be used to access patient and personal information that is valuable to hackers, and/or, even worse, can be held for ransom. Basic cyber security hygiene is critical, and using the NIST and/or HITRUST framework can be very beneficial.