Creating a ‘culture of security’ in radiology
Radiologists are becoming a little less in “denial” about the need for imaging security, according to J. Anthony Seibert, PhD, professor and associate chair of informatics in the radiology department at the University of California Davis Health System, Sacramento. But he still sees plenty of room for improvement.
Seibert’s refresher course on the subject, “Knowing if Your Imaging Systems are Secure and Keeping Them That Way,” will be presented Sunday, Nov. 27, at RSNA 2016 in Chicago. Creating some level of security among users of an imaging system can begin with the simplest of tasks: not using a common, easy-to-guess password.
“I could probably find several imaging systems that use default passwords, and you could get in them right away,” Seibert said.
Radiologists’ assumptions, according to Seibert, can include the belief that firewalls will stop hackers from entering imaging systems, or that the systems themselves aren’t in need of security even though they contain protected health information (PHI).
In reality, these systems can be easy and valuable prey, acting as a backdoor entrance for identity thieves and would-be fraudsters. A June 2016 report from TrapX Security noted cyberattacks carried out this year have included targeting “a variety of capital equipment and imaging systems, including a radiation oncology system, an x-ray machine and a picture archiving and communication system (PACS).”
Shutting such backdoors involves a focus on both internal and external security.
“Even though we might have a very, very strong exterior, inside is actually very vulnerable, very mushy and very weak,” Seibert said. “It’s accessible if you don’t have the appropriate training and/or administrative processes in place.”
Everyone should also be made aware of potential security issues. Radiologists could follow the lead of the University of California system, which requires all employees to take a cybersecurity training course.
“It’s really important to understand how individuals outside, the hackers, are trying to get information and they find it’s easy to get information from medical imaging systems,” Seibert said.
Creating a culture of security in radiology can be impeded, however, by one problem: security software that slows down the network.
Seibert said so-called “crawlers” and anti-malware have slowed down systems even at his own health system. To get around those issues without sacrificing security, a subnet had to be created for all diagnostic review workstations, which in turn led to complaints from radiologists about not having internet access at every computer.
The best kind of security software suites wouldn’t be noticeable to users, but Seibert said most practices must craft a compromise between convenience and image protection.
“Everyone expects to have instantaneous access to everything, and that’s opened up these issues with security,” Seibert said. “You have to find an appropriate balance, no doubt about it. You can’t be overzealous in providing security because it will have a negative impact on the ability to get your jobs done.”
What Seibert hopes radiologists take away from his presentation is that they have some responsibility in protecting health information.
“It’s not the manufacturer of the imaging systems, it’s not referring physicians,” Seibert said. “It’s them and the healthcare enterprise that, without appropriate administrative, technical and physical security methodologies, [that will] be at risk … for potential litigation and other issues when a breach occurs.”