Cybersecurity Challenges for PACS and Medical Imaging

Cybersecurity in radiology: Cautionary Tales, Proactive Prevention, and What to do When You Get Hacked

To improve awareness and understanding of cybersecurity threats to radiology practice and better equip healthcare practices to manage cybersecurity risks associated with medical imaging, this article reviews topics related to cybersecurity in healthcare, with emphasis on common vulnerabilities in radiology operations. This review is intended to assist radiologists and radiology administrators who are not information technology specialists to attain an updated overview of relevant cybersecurity concepts and concerns relevant to safe and effective practice of radiology and provides a succinct reference for individuals interested in learning about imaging-related vulnerabilities in healthcare settings. As cybersecurity incidents have become increasingly common in healthcare, we first review common cybersecurity threats in healthcare and provide updates on incidence of healthcare data breaches, with emphasis on the impact to radiology. Next, we discuss practical considerations on how to respond to a healthcare data breach, including notification and disclosure requirements, and elaborate on a variety of technical, organizational, and individual actions that can be adopted to minimize cybersecurity risks applicable to radiology professionals and administrators. While emphasis is placed on specific vulnerabilities within radiology workflow, many of the preventive or mitigating strategies are also relevant to cybersecurity within the larger digital healthcare arena. We anticipate that readers, upon completing this review article, will gain a better appreciation of cybersecurity issues relevant to radiology practice and be better equipped to mitigate cybersecurity risks associated with medical imaging.

Cybersecurity considerations for radiology departments involved with artificial intelligence

Radiology artificial intelligence (AI) projects involve the integration of integrating numerous medical devices, wireless technologies, data warehouses, and social networks. While cybersecurity threats are not new to healthcare, their prevalence has increased with the rise of AI research for applications in radiology, making them one of the major healthcare risks of 2021. Radiologists have extensive experience with the interpretation of medical imaging data but radiologists may not have the required level of awareness or training related to AI-specific cybersecurity concerns. Healthcare providers and device manufacturers can learn from other industry sector industries that have already taken steps to improve their cybersecurity systems. This review aims to introduce cybersecurity concepts as it relates to medical imaging and to provide background information on general and healthcare-specific cybersecurity challenges. We discuss approaches to enhancing the level and effectiveness of security through detection and prevention techniques, as well as ways that technology can improve security while mitigating risks. We first review general cybersecurity concepts and regulatory issues before examining these topics in the context of radiology AI, with a specific focus on data, training, data, training, implementation, and auditability. Finally, we suggest potential risk mitigation strategies. By reading this review, healthcare providers, researchers, and device developers can gain a better understanding of the potential risks associated with radiology AI projects, as well as strategies to improve cybersecurity and reduce potential associated risks. CLINICAL RELEVANCE STATEMENT: This review can aid radiologists' and related professionals' understanding of the potential cybersecurity risks associated with radiology AI projects, as well as strategies to improve security. KEY POINTS: • Embarking on a radiology artificial intelligence (AI) project is complex and not without risk especially as cybersecurity threats have certainly become more abundant in the healthcare industry. • Fortunately healthcare providers and device manufacturers have the advantage of being able to take inspiration from other industry sectors who are leading the way in the field. • Herein we provide an introduction to cybersecurity as it pertains to radiology, a background to both general and healthcare-specific cybersecurity challenges; we outline general approaches to improving security through both detection and preventative techniques, and instances where technology can increase security while mitigating risks.

Artificial Intelligence in Breast Imaging: Challenges of Integration Into Clinical Practice

Artificial intelligence (AI) in breast imaging is a rapidly developing field with promising results. Despite the large number of recent publications in this field, unanswered questions have led to limited implementation of AI into daily clinical practice for breast radiologists. This paper provides an overview of the key limitations of AI in breast imaging including, but not limited to, limited numbers of FDA-approved algorithms and annotated data sets with histologic ground truth; concerns surrounding data privacy, security, algorithm transparency, and bias; and ethical issues. Ultimately, the successful implementation of AI into clinical care will require thoughtful action to address these challenges, transparency, and sharing of AI implementation workflows, limitations, and performance metrics within the breast imaging community and other end-users.

Sicherheit medizintechnischer Protokolle im Krankenhaus

Medizinische Einrichtungen waren in den letzten Jahren immer wieder von Cyber-Angriffen betroffen. Auch wenn sich diese Angriffe derzeit auf die Office-IT-Infrastruktur der Einrichtungen konzentrieren, existiert mit medizinischen Systemen und Kommunikationsprotokollen eine weitere wenig beachtete Angriffsoberfläche. In diesem Beitrag analysieren wir die weit verbreiteten medizintechnischen Kommunikationsprotokolle DICOM und HL7 sowie Protokoll-Implementierungen auf ihre IT-Sicherheit. Dafür präsentieren wir die Ergebnisse der Sicherheitsanalyse der DICOM- und HL7-Standards, einen Fuzzer (“MedFUZZ”) für diese Protokolle sowie einen Schwachstellenscanner (“MedVAS”), der Schwachstellen in medizintechnischen Produktivumgebungen auffinden kann.

Cybersecurity Protection for PACS and Medical Imaging: Deployment Considerations and Practical Problems

Cybersecurity is increasingly affecting the healthcare sector. In a recent article, the authors analyzed specific attacks against picture archiving and communications systems (PACS) and medical imaging networks and proposed security measures. This article discusses issues that require consideration when deploying these proposed measures and provides recommendations on how to implement them. Hospitals should deploy virus scanners on systems where permitted, with high priority on devices that are part of the central IT infrastructure of the hospital. They should introduce a systematic management of software updates on operating system, application software and virus scanner level and clarify the provision of security updates for the intended duration of use when purchasing a new device. They should agree with the PACS vendor on a long-term strategy for implementing access rights, and enable encrypted network communication where possible. This requires an agreement on the encryption algorithms to be used, and a public-key infrastructure. For most of these tasks, standards and profiles exist today. There are, however, some gaps: Implementation of cybersecurity measures would be facilitated by integration profiles on certificate and signature management, and access rights in a PACS environment.

Influence of Human Factors on Cyber Security within Healthcare Organisations: A Systematic Review

Background: Cybersecurity is increasingly becoming a prominent concern among healthcare providers in adopting digital technologies for improving the quality of care delivered to patients. The recent reports on cyber attacks, such as ransomware and WannaCry, have brought to life the destructive nature of such attacks upon healthcare. In complement to cyberattacks, which have been targeted against the vulnerabilities of information technology (IT) infrastructures, a new form of cyber attack aims to exploit human vulnerabilities; such attacks are categorised as social engineering attacks. Following an increase in the frequency and ingenuity of attacks launched against hospitals and clinical environments with the intention of causing service disruption, there is a strong need to study the level of awareness programmes and training activities offered to the staff by healthcare organisations. Objective: The objective of this systematic review is to identify commonly encountered factors that cybersecurity postures of a healthcare organisation, resulting from the ignorance of cyber threat to healthcare. The systematic review aims to consolidate the current literature being reported upon human behaviour resulting in security gaps that mitigate the cyber defence strategy adopted by healthcare organisations. Additionally, the paper also reviews the organisational risk assessment methodology implemented and the policies being adopted to strengthen cybersecurity. Methods: The topic of cybersecurity within healthcare and the clinical environment has attracted the interest of several researchers, resulting in a broad range of literature. The inclusion criteria for the articles in the review stem from the scope of the five research questions identified. To this end, we conducted seven search queries across three repositories, namely (i) PubMed^®/MED-LINE; (ii) Cumulative Index to Nursing and Allied Health Literature (CINAHL); and (iii) Web of Science (WoS), using key words related to cybersecurity awareness, training, organisation risk assessment methodologies, policies and recommendations adopted as counter measures within health care. These were restricted to around the last 12 years. Results: A total of 70 articles were selected to be included in the review, which addresses the complexity of cybersecurity measures adopted within the healthcare and clinical environments. The articles included in the review highlight the evolving nature of cybersecurity threats stemming from exploiting IT infrastructures to more advanced attacks launched with the intent of exploiting human vulnerability. A steady increase in the literature on the threat of phishing attacks evidences the growing threat of social engineering attacks. As a countermeasure, through the review, we identified articles that provide methodologies resulting from case studies to promote cybersecurity awareness among stakeholders. The articles included highlight the need to adopt cyber hygiene practices among healthcare professionals while accessing social media platforms, which forms an ideal test bed for the attackers to gain insight into the life of healthcare professionals. Additionally, the review also includes articles that present strategies adopted by healthcare organisations in countering the impact of social engineering attacks. The evaluation of the cybersecurity risk assessment of an organisation is another key area of study reported in the literature that recommends the organisation of European and international standards in countering social engineering attacks. Lastly, the review includes articles reporting on national case studies with an overview of the economic and societal impact of service disruptions encountered due to cyberattacks. Discussion: One of the limitations of the review is the subjective ranking of the authors associated to the relevance of literature to each of the research questions identified. We also acknowledge the limited amount of literature that focuses on human factors of cybersecurity in health care in general; therefore, the search queries were formulated using well-established cybersecurity related topics categorised according to the threats, risk assessment and organisational strategies reported in the literature.