Radiology, HealthOps, and the question of cybersecurity
October 30, 2019
By Safi Oranski
A revolution is afoot. Besieged by thinning margins, increased competition, trends in big data, IoT, AI, predictive modeling, value-based care, as well as agile management and process strategies, traditional healthcare is in retreat. In its place, what I call HealthOps is rising.
While all aspects of a hospital are touched by the forces of change, perhaps no department feels the push and pull of modernization more acutely than the radiology department — where Watson-style artificial intelligence is already being used to great effect.
The bigger picture: why radiology is overexposed
All modernization efforts start the same way: with networking. Smarter machines and smarter processes always start with more and better data collection and enabling network communication. As the old phrase goes, two heads are better than one. The same principle applies to computing, which is why we create networks and enable network clients to speak with each other and with servers. It’s a way of not only sharing information, but of pooling resources, and delegating tasks. The end result is enhanced capabilities, faster turnaround, and greater dynamism.
The problem is that all the points of connection that form the weave on which our networks are predicated also allow for unwelcome guests.
Radiology has traditionally been considered healthcare early adopters, leading the charge of bringing new technology into medicine. Unfortunately, this also introduces the cyber risks associated with it. When you lead the charge, you’re unlikely to see what you drag in behind you. Among the technologies most vital to radiology are the picture archiving and communication system (PACS) and the digital imaging and communications in medicine (DICOM) protocol; both developed because there were no other standards or frameworks available at the time sufficiently robust to handle what radiologists were attempting. In other words, radiologists have been using networking techniques and technologies decades before most of the rest of us.
As time passed, though, new standards were introduced and the wider world of industrial technology caught up — bringing with them new threats and the challenge of interoperability. It also means that hospital radiology departments are saddled with legacy technology and deprecation challenges that simply don’t exist (or at least not to the same extent) for other departments.
The result? A disproportionate number of radiological devices rely on older more cyber-vulnerable systems, In fact. I've seen imaging equipment running Windows XP that administrators didn't even know was networked!
According to CyberMDX field data, around 55 percent of imaging devices run deprecated or otherwise unpatched versions of Windows ostensibly vulnerable to exploits such as BlueKeep or DejaBlue. Among those devices, roughly 25 percent have open RDP ports. These facts and the news that a usable exploit for BlueKeep has been published on Metasploit leave the world of radiology particularly exposed.
Similarly, DICOM processes, developed in an earlier technological era when today’s threat landscape could hardly be imagined, do not incorporate sufficiently robust authentication techniques or encryption. That’s on the technology level. On the management level, few administrators are implementing appropriate communication and port restrictions, which explains Greenbone Networks’ recent findings that 400 million medical radiological images are exposed on the internet.
Making matters worse, with so much AI innovation revolving around advanced pattern recognition and image analysis, radiology is not only the premier testing ground for the technology, but a battleground as well. Consider, for example, a recent study out of Ben-Gurion University, where researchers showed that hackers could intercept and materially manipulate CT and MRI images as they move through cyberspace.
The sophistication of cyberattacks is rising quickly and medical professionals must work diligently to keep patients safe from the consequences.
Best practices for securing connected radiology devices
The first step to protecting your equipment from cyber compromise is to reduce the attack surface. That means:
● Conducting staff-wide cyber education and training.
● Digitally inventorying your device fleet — including hardware, OS, software, and network configuration details.
● Mapping out and micro-segmenting the distinct use and risk groups within your network.
● Setting strong firewall/NAC policies to govern the communications between these micro-segments/security groups based on trust relationships
● Preemptively disabling or blocking traffic to ports that will not be used in the course of a device's intended operations.
● Employing MFA and sound password management
● Using end-to-end encryption.
● Cross-referencing your asset inventory against the NVD vulnerability feed to rapidly and confidently identify and locate all their affected devices
● Integrating with vendor support portals to automate the tracking and implementation of relevant software updates and patches
● Continuously monitoring network traffic for abnormalities or signs of danger.
● Enact strong, role-based access controls — both digitally and physically
In general, hospitals must inject cyber awareness and basic security training across the whole organization. Make sure staff know how to spot threats and what to do/whom to contact when they find them. Use regular brush-up sessions to re-enforce the principles.
More specifically to radiology, in addition to the above practices, you can use an internal network scanning tool or Shodan to see which of your imaging devices are open to the public internet and then reconfigure their communication settings accordingly.
And due to the huge amount of devices still operating on legacy systems, it’s imperative to ensure that all devices running Windows are patched for vulnerabilities like BlueKeep and DejaBlue.
Finally, because PACS and DICOM are not themselves sufficiently secure to prevent such an attack, you might also consider a devoted solution to stamp images at the point of creation with a unique signature confirming their authenticity.
There is no silver bullet when it comes to defending your technologies against cyber attack, but taken together, these steps should harden the soft underbelly of your infrastructure and lay down a strong first line of defense.
Network security can only ever be as strong as its weakest point and so eliminating the easiest access points for hackers is a great first step toward creating effective security.
For a more technical and more detailed review of the best practices for securing connected radiology devices, please refer to NIST’s recently published guide, Securing Picture Archiving and Communication System (PACS).
About the author: With more than 20 years of experience at technology companies both large and small, Safi is currently VP business development at CyberMDX where he drives global strategic programs. He joins CyberMDX from Centrica Business Solutions where he was head of business alliances and IoT. Safi can be found speaking at conferences around the world, discussing the value of healthcare cybersecurity.