How radiology groups can contain damage from future cyberattacks

Imaging experts are sharing advice on how practices can contain damage stemming from future cyberattacks. 

Radiologists with Harvard Medical School gave guidance to peers in a perspective piece published Tuesday in Academic Radiology. They used the July 2024 CrowdStrike incident—stemming from a faulty software update issued by the cybersecurity firm—as a springboard for their discussion. 

Radiologists were reportedly forced to transcribe reports by hand and delay nonurgent cases during the nationwide IT outage. 

“The scale, scope, and intensity of the Crowdstrike incident have led many observers to term it a ‘digital pandemic.’ Such a description may not be misplaced,” Vrushab Gowda, MD, JD, with Massachusetts General Hospital in Boston, and co-authors wrote Feb. 18. “On an industrywide level, the outage underscored healthcare’s sheer reliance on technology—a feature so ubiquitous that it is easily taken for granted. Modern radiology practice would be inconceivable without PACS, DICOM and EHR integration.”

Gowda and colleagues cautioned that certain countermeasures in response to a cyberattack “may prove damaging in their own right.” Intentionally disrupting internet connectivity, for instance, would “paralyze [a] radiology practice, especially those relying upon cloud-based PACS.” Meanwhile, a centralized network relying on a server could present a “single point of failure for an entire radiology department.” 

The authors offered guidance on how to prepare for future cyberattacks, including what to do before, during and after an incident. Their advice comes after several recent IT disruptions at radiology practices, including Arizona-based SimonMed Imaging.

Pre-event priming: Possible “action items” before a hack would include: 

  • Establishing strategic redundancy. 
  • Designing and maintaining training protocols, including the use of multiple PACS. 
  • Conducting targeted cyberdrills to simulate disruption in a controlled setting. 
  • Creating formal channels of communication between staff radiologists and IT personnel. 

“Contact between IT and radiology staff should not be limited to crises,” the authors advised. “Regular training events, quality improvement initiatives, and shared procedures can forge a culture of open dialog. This presents a key role for the departmental chief informatics officer.”

Responding during the incident: Gowda and colleagues suggested four possible action items to execute once a cyberattack occurs. They include: 

  • Assessing the scope of the incident and identifying unaffected systems. 
  • Activating a departmental crisis team utilizing procedures inspired by the incident command system (a centralized forum for coordinating crisis response and streamlining communications). 
  • Establishing clear lines of communication both externally to hospital and institutional stakeholders, along with internally to staff radiologists and IT personnel. 
  • Triaging cases by acuity. 

“A radiology-specific crisis team can moreover establish detailed operational protocols during a disruptive event, such as a checklist for radiologists, technologists and administrators to follow during an outage, with a level of granularity that an institutional [incident command system] cannot match,” the authors wrote. 

Post-event analysis: There are a few key steps radiology organizations should take following a cyberattack: 

  • Developing a departmental root-cause analysis. 
  • Collating the findings from vendor, institutional and public agency analyses. 
  • Communicating findings to staff. 

“Even if the provenance of an incident can be attributed to an external entity, a radiology [root cause analysis] should not fail to identify department practices, methods or individual decisions which failed to mitigate disruption,” the authors noted. “Lastly, it should be made available to all staff radiologists on a timely basis, rather than be retained for internal review; transparency and candor contribute to a safer, more collaborative and more efficient working environment.”

Bottom line: Radiology groups must adopt a multitiered response, one that’s divided across the institution, spread out over time and “synthesized into a coherent risk management strategy.” 

“The Crowdstrike incident serves as a poignant reminder of medicine’s reliance on computerized systems, as well as a practical lesson in adaptability when they fail,” the authors concluded. “This is critical not only for IT personnel and enterprise leadership but for the radiologists who daily utilize these systems themselves. July 19 may have proven a sentinel event; it is very likely not to be an isolated one.”

Marty Stempniak

Marty Stempniak has covered healthcare since 2012, with his byline appearing in the American Hospital Association's member magazine, Modern Healthcare and McKnight's. Prior to that, he wrote about village government and local business for his hometown newspaper in Oak Park, Illinois. He won a Peter Lisagor and Gold EXCEL awards in 2017 for his coverage of the opioid epidemic. 
