3 wise cybersecurity investments for private radiology practices

Experts are highlighting three wise investments private radiology practices can make to help head off a potential cyberattack.

The specialty, and healthcare in general, has faced a seemingly growing threat from hackers, with recent victims including Northwest Radiologists, a 50-year-old independent imaging group in Bellingham, Washington. Leaders with fellow Strategic Radiology member Radiology Associates of North Texas are sharing their own advice, publishing an opinion piece Tuesday in JACR.

“Cybersecurity might seem like an abstract, virtual battlefield, with black hat hackers and white hat defenders using terms out of a sci-fi movie,” Valeria Makeeva, MD, RANT’s medical director of informatics, and Matt Long, the Fort Worth, Texas-based practice’s chief information officer, wrote May 6. “However, many of the most powerful defenses are surprisingly straightforward, concrete, and easy to understand. Best of all, they are cost-effective. For private practices, focusing on a few key areas can significantly reduce risk without overwhelming your resources.”

The pair offered three “strategic investments” in infrastructure and personnel, which they believe offer a high ROI. In brief, they are: 

1. Cybersecurity insurance: Anecdotally, there have been reports of radiology groups seeing their insurance premiums double over the last three years, due to the increasing number of successful breaches. (Long also is chair of Strategic Radiology’s IT/AI R&D Committee.) The cost of these plans is often tied to the volume of files stored, but practices can reduce expenses by keeping a strict records-retention policy.

“While insurance won’t prevent a breach, it can mitigate the financial impact,” Makeeva and Long write. “Partnering with an experienced broker can help you navigate the complexities of these policies, which should be reviewed annually,” they add later. 

2. Managed detection and response: Private practices often lack the funds for a full-time cybersecurity team, the authors note. However, MDR vendors offer monitoring and threat detection at a “fraction of the cost of building an in-house team.” 

Inking a contract with a security services provider requires practices to employ a security engineer on staff to be able to monitor alerts and block threats. Some MDR companies even offer more comprehensive solutions such as breach response plans with legal and forensic support. 

“While not a complete solution, [managed detection and response] services add an essential layer of security by detecting and responding to threats before they cause significant damage,” the authors write. “Overall, MDR remains a practical choice for practices looking to stay ahead of threats without extensive internal resources,” they add.

3. Personnel: The National Institute of Standards and Technology has developed a cybersecurity framework to help organizations manage and reduce risk. It outlines key functions and categories, the authors note, adding that role diversity on a team is “vital.” NIST does not detail specific job titles, instead emphasizing the need to address unique needs in each organization. 

Some examples of potential roles could include a chief security officer to oversee strategy, and a security engineer tasked with defense and managing systems. 

“While technology is crucial, having skilled personnel to manage and respond to cyber threats is equally important,” Makeeva and Long write. “Manpower is often the biggest challenge, especially for private practices with limited budgets, but even hiring one dedicated security professional paired with an MDR vendor can make a significant difference,” they add later. 

The opinion piece also offers further advice on risk assessment along with possible preventive measures. The latter includes multifactor authentication, “least privilege” (giving users the minimum access necessary to do their jobs), vendor vetting, and encryption. RANT leaders believe these investments will pay off in the long run. 

“The financial, reputational, and operational consequences of a cyberattack can be catastrophic, but private practices can navigate these challenges by following a clear, actionable strategy,” the authors conclude. “By prioritizing both preventive and responsive strategies, private practices can transform cybersecurity from a daunting challenge into a manageable and controlled aspect of their operations,” they add later. 

Read much more in the Journal of the American College of Radiology.

Marty Stempniak

Marty Stempniak has covered healthcare since 2012, with his byline appearing in the American Hospital Association's member magazine, Modern Healthcare and McKnight's. Prior to that, he wrote about village government and local business for his hometown newspaper in Oak Park, Illinois. He won a Peter Lisagor and Gold EXCEL awards in 2017 for his coverage of the opioid epidemic. 
