4 cybersecurity best practices for radiology groups
Imaging experts are detailing four best practices radiology groups can adopt to prepare for a cyberattack.
Digitization of exams has made the imaging industry a “prime target” for cybercriminals, experts wrote Wednesday in the Journal of the American College of Radiology. Fueled by everything from the COVID-19 pandemic to the popularity of cryptocurrency, ransomware incidents increased by 356% between 2016 and 2021.
Radiology has not been immune, with one recent hack targeting Lexington-based Central Kentucky Radiology. The average ransom payment in healthcare is nearly $200,000, and many organizations likely incur millions more in downtime and data-recovery costs.
“Radiology practices need processes and tools to better protect sensitive patient data and maintain resilient digital operations in the face of mounting adversity,” ACR Commission on Informatics members Po-Hao Chen, MD, MBA, and Christoph Wald, MD, PhD, MBA, with the Mayo and Cleveland clinics, respectively, wrote June 25. “This article provides frameworks, best practices, and actionable steps to help radiology professionals navigate cybersecurity and apply this knowledge.”
The pair urged practices to combine administrative, physical and technical safeguards, like the “CIA Triad” used to protect intelligence. This applies to imaging, ordering and reporting data, with any response aligning with emerging radiology industry trends, regulations and guidelines. Chen and Wald emphasized these suggestions are not comprehensive, but instead provide a few important examples unique to medical imaging:
1. Risk management and assessment: Practices must perform a thorough risk assessment to identify potential vulnerabilities. Steps may include cataloguing the organization’s assets, identifying threats, and evaluating the likelihood of a cyberattack.
“The goal is to prioritize resources to mitigate the most significant risks first, ensuring that the most critical components of the radiology infrastructure are protected,” the authors advised. “This new focus on governance means integrating cybersecurity measures into daily radiology operations and aligning these efforts with the hospital's overall risk management strategy,” they added later.
2. Defense in depth: This strategic approach employs multiple layers of security so that, if one layer is breached, the others still provide protection. ACR recommends this strategy when designing safeguards, Chen and Wald noted.
“By implementing multiple overlapping security measures, healthcare institutions can more effectively protect sensitive imaging data and patient records from unauthorized access,” they advised.
3. Incident response planning: Preparing for recovery after a cyberattack is just as important as preventive measures, the authors added. The National Institute of Standards and Technology’s guidelines emphasize the importance of having a well-documented incident response plan that assigns roles, responsibilities and procedures for responding to a data breach.
“For radiology departments, this plan must address how to quickly isolate affected systems, recover lost or compromised data, and communicate effectively with patients and regulatory bodies following an incident,” the authors noted. “It also means building a deep understanding of how a ransomware attack affects a radiology practice and building recovery procedures for each service line impacted.”
4. Training and awareness: Experts underlined the importance of creating a “culture of security” in a radiology department. This includes appropriate training and the development of standard operating procedures, offering employees a blueprint for responding to the early stages of a cyberattack.
“Human error is a critical vulnerability in any cybersecurity framework, often serving as the entry point for breaches and attacks,” Chen and Wald advised. “Leading organizations in healthcare and security advocate for comprehensive, regular training and awareness programs to ensure that all staff members—radiologists, technologists, and administrative personnel—are consistently informed about the latest cybersecurity threats and best practices.”