“We can no longer live by the old adage that an ounce of prevention is worth a pound of cure,” says Howard (Po-Hao) Chen, MD, MBA, chief imaging informatics officer for the Cleveland Clinic and chair of the ACR’s Informatics Advisory Council. “During a cyber attack, prevention cannot be your only line of defense. It is no longer enough to say that we’re going to try to avoid malicious emails. What will you do if (and when) a cyber attack breaches your defenses?”
And a potential breach is becoming more and more likely, according to the CyberPeace Institute, which released new data on cyberattacks on the healthcare industry. The report turned up 295 cyber attacks on the healthcare sector in the 18 months between June 2, 2020, and Dec. 3, 2021.1
During most attacks, cyber criminals have two primary goals: either to disrupt and disable the information in your network’s data management system or to steal it outright. Ransomware has seemingly become the weapon of choice for cyber criminals, Chen says. This form of malware involves malicious software designed to block access to a computer system or computer files until a sum of money is paid. Most ransomware involves accessing a computer system, encrypting files to make them inaccessible, and demanding a payment for an encryption key to unlock files and restore access.
Ransomware is often the result of human error — and is almost always engineered to get money. A ransomware attack in a healthcare system can have catastrophic patient care consequences. The usual downtime processes in place at an institution might not address the breadth of such a disruption and timelines for recovery.2
If your system is the target of an attack, Chen notes that what you do during the first 48 hours following a cyber attack is most important. During a cyber attack, everybody on your staff needs to know what is going on, what to do next, and what your capacity is to bring a network back.
Plan for the Worst
Cleveland Clinic affiliate Ashtabula County Medical Center reported a system outage in September of 2020 that lasted for more than 24 hours. After the ransomware attack, the county hospital took several months to make a full recovery, Chen says.
There are simple things you can do to stave off an attack — like not opening suspicious emails, says Namita Sharma-Gandhi, MD, MScHI, associate professor in radiology at Cleveland Clinic and co-author of a paper with Chen and another colleague in the Journal of Digital Imaging.2 “You can also ensure that all equipment has updated systems. Outdated systems are more accessible to hackers. Talk to your vendors about having the latest safeguards in place for your scanners,” Gandhi says.
“We were so dependent on our electronic systems that we could not maintain a workflow without them. We had to come up with new processes on the go — and everything had to go on paper,” Gandhi says. “Following the attack, we decided we needed a formal disaster recovery plan from ransomware — not just a standard downtime plan or more prevention awareness. These attacks are potentially life-threatening to patients.”
The paper’s authors discuss a plan to maintain radiology business continuity in the event of a catastrophic ransomware attack. The response and recovery plan is broken into what needs to happen in the short term (in the first 48 hours and the following three weeks) and in the longer term (rebuilding infrastructure and reconciling imaging data and reports with patients’ information in the EMR). The first two parts of the plan rely more heavily on the radiology operations and less on hospital IT because IT won’t know how to keep radiology’s operations running – they’d be busy figuring out what’s been disabled and what’s still running.1
“You should assume you’ll be faced with a worst-case scenario in which you have little to no technology available,” Chen says. “You are back to paper.”
In the event of a ransomware attack, do you have paper-based workflows to keep business going? Would you be forced to shut down operations until the issue is resolved? And keep in mind, paying the ransom is rarely the end of the crisis. “While the criminals might give you the password to unlock your data, they aren’t going to provide you PACS IT support to get everything going again,” Chen says. “They also aren’t going to help you eradicate the virus or malware that has infiltrated your systems.”
Choose A Response
When it comes to security breaches such as ransomware, both prevention efforts and a response plan are important, says Benoit Desjardins, MD, PhD, FACR, professor of radiology at the Hospital of the University of Pennsylvania. Cyber defense has multiple elements: maintenance of computer systems and medical devices, proper off-site data backup, use of software tools like anti-malware and multi-factor authentication, and user training to recognize phishing and cyber attacks.
Still, no medical center can stop all breaches, and they are increasing in frequency. When an attack happens, the quality of your system backups and your response plan will become equally important, Desjardins says.
“Cybercriminals want to maximize their profits. Ransomware can lead to multi-million-dollar payoffs for one cyber attack, potentially much higher than selling stolen medical records on the dark web,” Desjardins says. “Although paying ever-increasing ransoms can be costly for medical centers, refusing to pay them can lead to even bigger losses.”
“Ransomware (sometimes referred to as crypto-locking) is a vector for cybercriminals because it is profitable,” says Matt Jordan, ACR’s senior director of IT infrastructure. “Rather than steal data and attempt to commit fraud, ransomware can have an immediate payoff. If the victim does not pay immediately, cyber criminals can release the medical data to others who will pay.” Attacks are becoming more sophisticated, the impact greater, and the payments larger, he says.
Cyber attacks on a hospital or healthcare group’s information management and operations systems can bring an entire network to an abrupt halt. The more recent ransomware attacks are often combined with breaches of confidentiality, with threats of releasing medical records into the wild if the ransom is not paid. “This provides an additional incentive for hospitals to pay,” says Desjardins.
Recognize Your Role
“Cybercrime is big business in healthcare. While some malicious groups are out for disruption and recognition, the vast majority are in it for money,” says Daniel Reardon, MPA, CHPC, chief compliance officer for the ACR. “Given the technology and digital sharing in imaging, radiology departments and practices should recognize that they are at risk.”
“I would advocate for anyone that has the passion and time to champion cyber security and/or incident response best practices at their organization to do so,” Reardon says. “Progress is certainly needed, and you could be the one to initiate a ‘first follower’ response at your organization. What you want to avoid is the double whammy of missing the basic preventative technical aspects and having no plan to respond to an incident.”
“Radiologists should integrate and work with the larger hospital plan for both defense and for incident response plans,” Jordan says. “Radiologists are subject matter experts in their areas, and they know the criticality of the data and their content management systems. They must work with their hospital network during an all-hands-on-deck event.”
While radiologists may not be involved in cybersecurity matters at every institution, all hospital staff have a role to play in keeping their patients safe, Desjardins says. “Everyone should be educated at recognizing phishing attempts, the usual cause of an initial breach leading to a ransomware attack. And, of course, they should constantly maintain proper cyber-hygiene, such as using encrypted laptops and VPNs,” he says.
The IT security staff of a hospital needs the assistance of the radiology department when it comes to the identification and classification of the systems and the business impact analysis. Radiologists are also critical to contingency planning and recovery aspects, just as they would be in the event of a disaster, Jordan says. If they are not presently engaged, they should reach out — teamwork will lead to stronger and more robust recovery programs, he says.
Have A Playbook
“Incident response playbooks are mostly administrative in nature and can be accomplished with relatively fewer resources than it would take to implement technical or physical controls,” Reardon says. “Your response plan depends largely on your organization, and cyber security may be out of the direct hands of radiologists working at larger institutions, whereas smaller practices may be wholly responsible for security efforts.”
If a small practice handles its own imaging data, a looming attack should be top of mind. Some small clinics have been forced to permanently shut down after a ransomware attack. Practices that align with hospitals most likely rely on their hospital to maintain imaging and health information data — and to periodically back up these systems, Chen says.
“Copying data regularly means you won’t have to rely on cyber criminals to give it back — you would be able to restore your data from the copy while negotiations with the bad actors continue,” Chen says. “It should be a full copy of data that is isolated from the main network but can be activated and accessed locally when necessary.”
“As a radiologist, you cannot pass cybersecurity off to IT and hope they will take care of it,” Chen says. “Your IT department consists of soldiers at the door, if you will. Once the enemy is in, soldiers have limited effect.”
It literally can come down to office supplies, Chen says. It may have to last you weeks or months. “You might run out of CDs or DVDs or pens or toner. These things are part of a recovery effort that needs to happen before an attack.”
Two levels of documentation can be helpful. One is a process guide designed for you and other departments that use radiology. This document should outline which services will no longer be available. Some services might be disabled by the ransomware, but other services might be electively shut down by the hospital or radiology practice to make capacity for the emergent studies that still have to happen. Remember, in a ransomware scenario, you’d need more people to do the work for a radiology study, work that used to be done by computers.
Then there is the more granular downtime playbook for use within your radiology department. This outlines what you should do by the hour — especially zero through two hours following a breach, Chen says. This playbook consists of checklists of things you need to do beyond 24 and 48 hours as well. The checklists should be written out by modality. “We have built those into each of our imaging sites since our attack. When something goes wrong, you might not have the Internet to quickly determine what you should be doing,” Chen says.
Negotiate To Restore
Once a cyber breach becomes public knowledge, communicating and visually managing the situation is critical. A quick reference guide from the FBI’s Internet Crime Complaint Center outlines what to do in the event of a ransomware attack.
What happens next can vary, Chen says. Insurance companies, for instance, are beginning to get into the ransomware/malware space to mediate the response process, he says.
And not all data breaches need to be immediately reported to the federal government. In fact, even breaches affecting more than 500 patients only require reporting to the government no more than 60 days from discovery of the breach.3
“You may be able to get insurance for an attack — after which the insurance company would negotiate with the cyber criminals on your behalf for the release of data,” Chen says. Essentially you would file a claim, and the insurance company arrives at a rate it will pay out. “This is not an uncommon process,” he says.
“Criminals only have control of the key that unlocks your data,” Chen says. Getting that key, a password to unlock your system, is not the end of the game, he stresses. “Cyber criminals don’t provide tech support. They won’t come to your site to help undo the ransomware they released into your system. You are still going to be stuck with the fallout from the attack.”
“It was surprising how much effort it took to recover and the impact it had,” Gandhi says. “It was different than usual downtimes — when you can recover things much faster because you have a plan around those things you can rely on and those systems that may be unavailable to you.”
“I let everyone know that the threat is real, and that it impacts lives,” Gandhi says. “Everybody should be aware of it and be taking steps to mitigate it in the first place. Beyond that, you must have a detailed recovery plan in place.”