Q&A: Evgueni Loukipoudis on data, analytics and why hospitals are prone to cyberattacks
The security of patient data continues to be one of the biggest topics affecting healthcare providers today. How can these cyberattacks be stopped once they’ve been discovered? How can they be avoided altogether?
Evgueni Loukipoudis, CTO & CIO at McKesson Imaging and Workflow Solutions, has worked within the health IT industry for years and knows the importance of protecting patient data and provider computer systems. He spoke with imagingBiz about both the present and future of cybersecurity, and you can read the full conversation below.
What are the biggest security-related mistakes you see radiology practices and departments consistently making in 2017?
One of the biggest mistakes is related to system integration. Radiologists and radiology practices have to work with several systems at the same time, including PACS, RIS and the EMR. Sharing information between these systems can be a tricky thing. Instead of relying on established interoperability standards, some healthcare providers are using non-standard or proprietary interfaces between systems, which may be less secure. Usernames and passwords continue to be shared between systems as clear text in URLs rather than utilizing widely-recognized and secure mechanisms for single-sign on or context-sharing. I also feel it’s important to use industry standards to establish trusted relationships between systems for communication outside of a user context.
A second area where security mistakes may be found is in the area of analytics. Typically, data is extracted from systems such as PACS and EMRs and is placed into a virtual data holding location. The data extracted often contains the patient’s personal health information (PHI). This is an area where fewer standards and guidelines exist, so there is a potential risk to information security.
What are imaging vendors like McKesson doing to help correct these mistakes?
First, as a vendor, we must focus on interoperability standards. It is important to implement the standards and remain current with them as they evolve. We understand that our solutions must always be scrutinized from the point of view of a secure software development life cycle. Our software is subjected to continuous static and dynamic code analysis and extensive penetration test routines and must pass strict cyber security criteria at the time of release.
But that’s only part of the story. Systems can be secure and pass all penetration tests, but vendors must also do post-market monitoring of how the system is actually being used. At McKesson we understand every customer is different. Our professional services group, McKesson Medical Imaging Consultants, works directly with providers to design the right enterprise architecture and system integrations specific to their needs. This may include business continuity and disaster recovery plans as well as assessing security risks and providing options to mitigate them.
We want to help customers solve their security problems both through appropriate software deployment and working directly with customers to evaluate their constantly evolving environments. Healthcare providers need to understand that even after implementation any change to their technology ecosystem might create a new vulnerability.
Hackers are focusing more and more of their efforts on hospitals and other healthcare providers. Do you think this is a trend that will continue, or is there a chance it could slow down as health IT departments get better at preventing such attacks?
I think hospitals will continue to be subject to cyberattacks because healthcare IT is less mature than other industries. Healthcare as a whole is slower to adapt new platforms, technologies and standards. Hospitals will get behind in upgrading their technologies because doing so can be disruptive to user workflow and therefore to providing care. However, software and hardware that is outdated and has not been patched or upgraded can be easy prey to hackers who know how to exploit existing vulnerabilities. Cloud-based solutions are generally more secure, because upgrading those systems and keeping them up-to-date is an integral part of the way managed services are provided. Cloud-native platforms are also already designed with security in mind as they are relatively new.
On a smaller scale, are there any day-to-day things individuals who work for these healthcare providers can do to help improve overall security?
If you look at the areas where the most breaches are occurring, you see it’s often from stolen usernames and passwords. And that’s understandable, because we use so many different accounts on a daily basis, that the only way to remember them is to write them down, or reuse the same password for all systems. This is a user error, but there are technical ways to avoid it. A centralized identity manager that serves all systems across the healthcare enterprise is a first step. Having a centralized user manager that provides a mechanism for single sign-on, combined with very strict systems provisioning and structured auditing that allows for automatic monitoring and detection of abnormal use patterns, can certainly go a long way in securing health data.
Are there any security concerns that customers should be considering for the future, say 10 – 15 years from now?
Image exchange between healthcare providers will only increase with time. In the future there won’t be any physical images or a physical image location. In the future images will be in the cloud with metadata and associated context attributes that will help enable appropriate access by different users. I do feel that as we move forward data analytics will play a more significant role in imaging. As I previously mentioned, in order to have robust analytics you have to have a pool of data to analyze, and there are and will continue to be questions about how this data is accessed and utilized. With analytics it’s interesting because we may use data more granularly, accessing different attributes, so guaranteeing data integrity will be a challenge in the future much like PHI protection is today. At the end we might need another layer of security in order for data to be used in the correct way and to prevent it from being tampered with. Perhaps Bitcoin’s Blockchain is one answer, who knows?