Thursday, September 21, 2017

PACS and Cyber Security.

There is a lot of anxiety around cybersecurity, especially after the recent ransomware incidents which
basically shut down several hospitals in the UK and affected several institutions in the US. The question is whether we should be concerned with potential cyber security breaches in our PACS systems and how to prevent, diagnose and react to them.

At the recent HIMSS security forum in Boston, a distinguished panel rated the security performance and readiness of healthcare IT systems at around 4 on a scale of 1 to 10. That is certainly very troublesome. Combined with the fact that breaches in healthcare systems are by far the most frequent, as they are potentially more rewarding for hackers than trying to get access to, for example, credit card information, it means that this industry still has a lot of catching up to do.

The problem is also that the vulnerabilities are increasing as the Internet of Things (IoT) expands exponentially, with as many as 10 million devices being added every day, and is estimated to reach 20 billion by 2020. Included in the IoT are medical imaging devices, which may put PACS in the high-risk category, as downtime could mean no access to images, which could directly impact patient care. However, there are even higher-risk devices that have proven to be potential targets for intrusions, such as IV pumps that administer drugs, implantable pacemakers, personal insulin pumps, etc., where tampering can be immediately fatal to a patient. One can compare this threat with that posed to the controls of a self-driving car, whereby a hacker could turn the steering wheel so that it heads into oncoming traffic, which can be as dangerous as increasing the morphine drip rate of an infusion pump.

Now getting back to PACS: if a hacker gains access to a patient imaging database, there are typically no Social Security numbers, addresses, credit cards or other potentially lucrative personal information stored in the PACS. A more likely scenario would be that the PACS is used to provide a “backdoor” into the EMR or hospital information system, either to shut that down and use it as a potential ransomware threat or to get to the more extensive patient records in other systems. The prevailing opinion is that ransomware is probably the most likely scenario, as it gives immediate rewards (pay $xxx or else….) instead of having to sell the patient records on the black market.

So, how can vendors and institutions prepare? First of all, no system can be made totally foolproof, just as no lock can be strong enough to protect against every type of attack. If someone is really motivated and wants to spend the time, there is always going to be a way to break in. The good news is that apparently a typical hacker is willing to spend, on average, a mere 150 hours on one attempt; after that he will move on to find another target that may be easier to break into.

This could be different if the attacker represents a nation-state that wants to access the records of military personnel served by a DOD hospital; they have all the time in the world, which is why the VA, DOD and other military healthcare institutions have a much higher set of cyber security rules. And the threat is real: according to the recent HIMSS security survey, more than 50 percent of the respondents reported that they had been the subject of a known cyber-attack over the past 12 months. The emphasis is on “known,” as it typically takes more than 200 days to detect an intrusion.

The key to preparation for every healthcare IT system is “basic hygiene,” analogous to hand-washing to prevent infections. Cyber security “hygiene” starts with updating your operating systems and implementing patches as they come out. Just as an illustration, the WannaCry ransomware attack, which affected about a quarter of a million computers in 230 countries, exploited a flaw in the Microsoft OS for which a fix had been distributed two months prior to the attack. Basic “cyber hygiene” also includes password updates, three-way authentication, closing down unused ports, segmenting your network, disabling flash drives, using virus scanners and firewalls, etc. Also, make sure you have a backup and/or duplicated system so that as soon as your system goes down you can still operate.
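As an added example (not code from the original post) of what that hygiene checklist looks like when applied to an inventory of imaging nodes: the hosts, dates, thresholds and expected-port list below are constructed assumptions, with the patch-lag threshold set to the two-month window the WannaCry case illustrates.

```python
"""Added example: a minimal cyber-hygiene audit over a constructed inventory of
PACS / imaging nodes, applying the checks listed above (patch lag, unused open
ports, segmentation, removable media, backup freshness)."""
from datetime import date

AUDIT_DATE = date(2017, 9, 21)
PATCH_LAG_DAYS = 60          # assumption: fix available ~2 months before attack
BACKUP_MAX_AGE_DAYS = 1      # assumption: a daily backup is expected
# assumption: only DICOM (104, 11112) and HTTPS are expected on a PACS node
ALLOWED_PORTS = {104, 11112, 443}

# Constructed sample inventory; hostnames, dates and ports are made up.
INVENTORY = [
    {"host": "pacs-archive-01", "last_patched": date(2017, 9, 1),
     "open_ports": {104, 11112, 443}, "segmented": True,
     "usb_enabled": False, "last_backup": date(2017, 9, 21)},
    {"host": "ct-modality-03", "last_patched": date(2017, 3, 14),
     "open_ports": {104, 445, 3389}, "segmented": False,
     "usb_enabled": True, "last_backup": None},
]

def audit_node(node, today=AUDIT_DATE):
    """Return a list of hygiene findings for one node (empty means OK)."""
    findings = []
    lag = (today - node["last_patched"]).days
    if lag > PATCH_LAG_DAYS:
        findings.append(f"patch lag {lag}d exceeds {PATCH_LAG_DAYS}d")
    extra = sorted(node["open_ports"] - ALLOWED_PORTS)   # ports to close
    if extra:
        findings.append(f"unexpected open ports {extra}")
    if not node["segmented"]:
        findings.append("not on a segmented imaging network")
    if node["usb_enabled"]:
        findings.append("removable media enabled")
    backup = node["last_backup"]
    if backup is None or (today - backup).days > BACKUP_MAX_AGE_DAYS:
        findings.append("backup missing or stale")
    return findings

def audit(inventory, today=AUDIT_DATE):
    """Map each host to its findings so the worst nodes can be prioritised."""
    return {n["host"]: audit_node(n, today) for n in inventory}

if __name__ == "__main__":
    for host, findings in audit(INVENTORY).items():
        print(host, "OK" if not findings else "; ".join(findings))
```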

A comprehensive cyber security program has to be in place, and that includes allocating resources. As an example, Intermountain Healthcare has an IT staff of 600 people to support its 22 hospitals and 180 clinics, with 70 of those people (12%) dedicated to cyber security. This is an exception; the average share of the IT budget allocated to cyber security is only about 6-8%.

There are lots of resources to get started. The best known and most used is the NIST security framework; there is also a very extensive certification that is becoming more popular, called HITRUST. At a minimum, one can start by looking at the so-called MDS2 (Manufacturer Disclosure Statement for Medical Device Security) form developed by NEMA and HIMSS. As a vendor, one should look at these resources, and as an end user you might want to request the MDS2 and ask about HITRUST certification. There already are several vendors who support this.

In conclusion, PACS is probably not the number one target for cyber attack, but it could be an easy backdoor to other systems, which can be used to access patient and personal information that is valuable to hackers and/or, even worse, can be held for ransom. Basic cyber security hygiene is critical, and using the NIST and/or HITRUST framework can be very beneficial.