Reframing cybersecurity as a patient safety issue at RSNA

December 03, 2021
by John W. Mitchell, Senior Correspondent
As hackers increasingly turn their attention toward medical facilities as targets of cyberattacks, the risks extend beyond hospital finances — when patient services are suspended, they could even lead to death.

Dr. Benoit Desjardins, Ph.D., professor of radiology at the Hospital of the University of Pennsylvania, addressed this grim possibility during an RSNA 2021 session titled Cybersecurity for Radiology Practices.

Desjardins, who is also an expert in information technology, referenced a New England Journal of Medicine study on the impact on mortality when healthcare is delayed even by minutes. Delayed care, for example for cancer and stroke patients, is a hallmark result of cyberattacks, since hospitals sometimes must close for weeks, forcing the transfer of critical patients. He also cited a recent government COVID-era study specifically on the effect of cyberattacks on outcomes. The researchers found that in hospitals that experienced a cyberattack, statistically significant “excess” deaths occurred earlier and persisted longer.

He also referred to a 2019 incident involving a ransomware attack at an Alabama hospital that disabled the facility's central monitoring system. This resulted in a woman in labor losing her baby. The attending OB/GYN was not aware that the facility had undergone a cyberattack. The physician could not observe that the infant was in distress due to the umbilical cord wrapped around the baby’s neck. The mother is now suing the hospital for its failure to prevent the ransomware attack.

Medical devices, such as infusion pumps, are also at risk of cyberattacks.

“Through our overdependence on undependable IT, we have created conditions such that actions by any single outlier can have a profound and asymmetrical impact on human life [and] economic and national security,” said Joshua Corman in his capacity as a consultant in the cybersecurity of medical devices.

Corman spoke of a cybermed summit he organized in 2017. A team of mock hackers, including two medical school graduates, hijacked medical devices standard in hospitals. The devices included defibrillators, infusion pumps, and insulin pumps. These "good-guy hackers" were able to easily change the settings in the devices to deliver lethal doses of medicine and electric shock to patients.

A third speaker presented steps radiology practices can take to minimize the threat of cyberattack. Erik Decker, chief information security officer for Intermountain Healthcare, speculated that most of the practice radiologists in attendance likely did not have dedicated IT or cybersecurity staff. “Cybersafety is a patient safety problem. You look at this insurmountable challenge and think, ‘How am I supposed to defend against this?’” he asked.

Decker had a host of suggestions, including:

– When working with your IT vendors, get guarantees that they apply robust cybersecurity practices. Don't assume they do. Someone in your practice needs to be knowledgeable about safe standards.

– Consult the Health Industry Cybersecurity Practices (HICP) playbook to create common standards across healthcare. It offers cyber defenses tailored to small, medium, and large practices, for managing threats and protecting patients. Hand this document to vendors, Decker suggested, and insist they meet the standards in the manual.

– Email phishing is especially effective. Know the threats that hackers deploy. Practices should conduct mock phishing attacks every month to train and educate employees.

– Other common defenses include the use of multifactor authentication for any internet-exposed systems, antivirus protection on all workstations and laptops, and immediately removing access for any employees who leave the practice. Other suggestions include backing up system data to an off-site location, and regularly updating servers, workstations, and laptops.