ACR Bulletin

Covering topics relevant to the practice of radiology

Imminent Threat

Cybersecurity is key to radiologists carrying out their clinical missions. 

February 23, 2023

The scary part about cyberattacks is that they’re no longer news, according to Howard (Po-Hao) Chen, MD, MBA, chief imaging informatics officer for the Cleveland Clinic, chair of the ACR’s Informatics Advisory Council and a member of the ACR Bulletin Advisory Group. “It’s like when the first case of COVID-19 made the news, and now no one thinks twice when hearing about new cases,” he says. “Organizations are learning to live with it rather than treat it as a one-off crisis.”

You can’t be too careful, he says, but it’s also important not to overreact. “If everything is locked down, you might feel confident in your cyberattack defense system, but caregivers might be locked out of necessary data to do their jobs,” Chen says. “Staff still need privileges to make the right choices. It can become really hard to deal with.”

TRAIN ON PHISHING

Malicious internal attacks aside, the ACR Commission on Informatics encourages all practices to include staff training on phishing, or incidents involving impostors who try to trick email recipients into clicking links, opening attachments or sharing passwords and other critical information. “We are telling people that you should definitely have a phishing email training program in your practice or radiology group,” Chen says. “If you don’t have one, you can contract with numerous companies that help by sending employees phishing emails. This can help prevent unsuspecting employees from clicking on a link that leads to malicious actors stealing your information and putting patients at risk.”

The object is to encourage employees to see themselves as attractive targets — because they are, says former FBI cybersecurity analyst Hope Palmer, a member of the ACR Commission on Informatics’ Cybersecurity Work Group. “Phishing training is a great way to increase awareness of threats, particularly different types of threats using a variety of methods to trick and deceive,” she says. “I see it as the cornerstone of cyber hygiene and the building block for security awareness. And this training shouldn’t be just a one-and-done milestone that you check off annually.” It needs to be meaningful, periodic and tailored training, she says.

“The ultimate goal through trainings like these is to reduce risk through broader cultural change that incorporates standard cyber hygiene into daily practices across the enterprise,” Palmer says. “This space — a fully engaged, educated and security-aware community — is where we’ll make the most progress in defending against malicious actors.” As a bonus, she says, this awareness will also reduce risk posed by accidental, negligent or intentional activity by employees.

CUSTOMIZE PROTECTIONS

“Like most things, there is not a one-size-fits-all solution, even for small versus large practices or institutions,” says Daniel Reardon, MPA, CHPC, chief compliance officer for the ACR. “Outsourcing cybersecurity is certainly an option, and there are many service and solution options in the market.”

Knowing that most cyberattacks start with phishing, even small practices can focus on educating their workforce, Reardon says. “Phishing awareness training and simulated phishing tests can provide protection for small practices at low or no cost. Of course, if there are technical vulnerabilities, attackers may not need to use phishing or social engineering to wreak havoc on your systems and information.”

This is why the topic of cyber-readiness must be a strategic, holistic discussion, Reardon says. Strategy should be based on an assessment of risks — and risk profiles will be different for every organization.

For instance, some data is not stored locally on laptops, phones and tablets, so cross-contamination may be less of an issue. Many organizations at this point have established a policy or position on “bring your own device,” regulating the use of private mobile phones, tablets and computers for work-related tasks. Regardless, there are good solutions to help with data governance issues. Mobile device management, data loss prevention and multi-factor authentication can all help mitigate data risk.

“At the end of the day, it’s just a numbers game,” Reardon says. “Even small practices will receive hundreds, if not thousands of emails every day. It only takes one click to potentially expose the organization — and this is what the bad actors are banking on. Much like COVID-19 and other mass healthcare threats, cyberattacks are not going away. They are something that we need to recognize as a persistent and real threat.”

But just as with COVID-19, there are some practical and preventive steps all organizations can take to reduce risk. There is a cyber-readiness equivalent to wearing a mask and washing your hands, he says.

Cyberattacks are primarily about two things — money and disruption. Radiology and healthcare in general are prime targets for both. Radiology is one of the most technology-driven fields in medicine. This presents more complex technical risks with regard to system configuration, ongoing vulnerability and patch management, Reardon points out.

Disruption to radiologic services can greatly impact patient care, Reardon says: “We have already seen a few cases where cyber incidents have been tied to patient deaths.”

USE OUTSIDE VENDORS

“Educating staff is of utmost importance,” says Paige Nierengarten, associate IT project manager at the ACR. “Provide training and procedures to help staff identify suspicious emails and avoid unsafe downloads. When you start using a computer for purposes other than patient care or patient-related work, you increase the risk of opening yourself up to malware.

“If you don’t feel like your small practice can afford protection, move to cloud-based software, which may require hiring an outside vendor,” Nierengarten suggests. “Cloud-based healthcare is typically more protected than traditional server-based infrastructure — as radiologists are able to control the movement of protected data across numerous devices using the one solution.”

The ACR Commission on Informatics’ Cybersecurity Work Group meets quarterly and includes cybersecurity specialists from industry leaders, such as Philips and Siemens. The group has launched the Cybersecurity Resource Hub to better equip radiologists with the necessary tools and knowledge to keep doctors, patients and organizations safe. Cybersecurity amounts to patient care, Nierengarten says.

According to Nierengarten, “Hackers are only getting smarter.” With the digitization of the profession, the risks associated with cyberattacks have increased significantly for radiology departments. Many radiologists still work remotely because of COVID-19, and hackers are more likely to target these individuals if they are using wireless networks and mobile devices that aren’t secure.

“There is a silver lining,” Nierengarten says. “Healthcare workers are getting better at recognizing phishing emails, and most radiology groups aren’t writing off security as a non-issue anymore.”

HAVE A PLAN

Ransomware and similar types of attacks hit about 66% of healthcare organizations in 2021. That represents a 94% increase from the previous year, when the figure was 34%. In 2022, healthcare data breaches reported to the HHS Office for Civil Rights impacted as many as 48 million people at almost 600 organizations.1 “As people say, it is not a question of if but when you and your organization and patients might be affected,” says Christoph Wald, MD, PhD, MBA, FACR, chair of the ACR Commission on Informatics and chair of the department of radiology at Lahey Hospital and Medical Center.


“This is a job for all of us — every person who works in and touches digital infrastructure,” Wald emphasizes. “Cybersecurity is not just for IT experts. We all need to participate.” Most cyber incidents are related to human behavior — human error enables attacks.

Picking up the COVID-19 parallel, Wald points out, “There are some similarities between being shut down by COVID-19 or another pandemic and getting hit by a cyberattack. Cyberattacks, however, play out on a very different timescale than COVID-19 has at some institutions.

“In both situations, nothing will be the same under the conditions you will be operating within,” Wald says. “A tremendous amount of preparedness and flexibility are probably the winning recipe. You must have some type of disaster plan and infrastructure in place to manage a crisis. That’s something you’d better establish ahead of time.”

Everyone should have a contingency plan, he says. Stress to staff and leaders the importance of knowing what you have in place. “For example,” Wald says, “this could be a cellular phone system or other communication means that isn’t impacted by a cyberattack when most or all of your systems are shut down.”

To address the growing threat, the ACR Commission on Informatics established the Cybersecurity Working Group that launched at the 2022 ACR Annual Meeting. “It is a coalition of ACR volunteer leaders, military members and ACR staff working to jointly examine the topic and provide the kinds of resources we need to combat cyberattacks,” Wald says.

“We have given three workshops — one at the annual meeting, one at the Informatics Summit in October 2022, and a widely broadcast American Society of Radiologic Technologists webinar in November 2022 during National Radiologic Technology Week,” he says. The goal is to bring together coalitions and to raise awareness of the cybersecurity issue.

“It is growing, and it’s dangerous for our patients and our practices,” Wald says. “Cyberattacks have seriously disabled institutions — resulting in pain and suffering and financial losses.2 It is rather a complex set of vulnerabilities that we all have. The bottom line is that it still takes a village, but you can also do your own part to reduce the likelihood of a devastating attack.”

PREPARE FOR IMPACT

“Cybercriminals are very incentivized to target healthcare because it creates chaos and instability issues, often more so than with banks,” says Chen. “The malicious actors are mostly looking for a financial return.”

But there are steps healthcare leaders can take to use technology to fight back. “When it comes to protecting yourself, there’s some low-hanging fruit out there for radiologists,” Chen says. For instance, don’t use your work password for personal accounts and vice versa. Use a password manager with a strong master password so you don’t have to use a single password with multiple applications. And always use a secure connection such as a VPN to tap into sensitive information such as PACS.

In this new era of radiology, Chen warns to watch out for risks intensified by the continued popularity of remote work. “One relatively easy thing you can do is to have someone help you manage your remote workflow from a security perspective,” Chen says. “It’s imperative to have the right security measures in place when you are working remotely. ‘Work from home’ puts both work and home at risk.”

He compares the situation to sending your children to school and having them bring home the flu — except in malware’s case, the “germs” are passed virtually. “It’s imperative to have the right security measures in place when you’re working remotely because malware could pass from work to home through your workstation and into your family’s devices,” Chen says. “If you have IT support at your organization, they may be able to come by your remote location and check your workstation.”

THINK ABOUT STRATEGIES

“Radiology is absolutely at risk,” Palmer says, especially because of the specialty’s heavy reliance on technology. The impact of disruption, coupled with the potential use of older or legacy equipment and a lack of dedicated down time for IT maintenance because of 24/7 operations, makes it imperative to consider cybersecurity as critical to business operations.

“You can never eliminate the threat,” Wald says. “Radiologists have a particular reason to be cognizant of this.” Radiologists are 100% digital, so when they lose even some of their production infrastructure, they essentially can no longer carry out their clinical mission.

“You can establish a reasonable level of resilience and disaster preparedness — you can try to be as comprehensive as you can to have business continuity measures in place,” Wald says. “At the end of the day, you just don’t know, before the actual attack unfolds, how much of your production infrastructure is going to be taken out of the game.”

It can range from all of it — your complete system — to losing just part of the functionality. You may be able to isolate an attack, or it could be catastrophic. There are many variables, he says.

“As such, it behooves radiologists to spend more time probably than just about any other specialty thinking about strategies for business continuity,” Wald says.

ADOPT A DEFENSIVE STANCE

“Preparation and education are key,” Palmer says. The more preparation you can do in advance of a potential cyberattack, the better positioned you’ll be in responding to incidents and lowering the possibility of devastation.

Your plan should include addressing everything from business continuity to data protection. It should include a low-tech solution for interim operations to allow for continued patient care, and it should be crafted with a diverse group of stakeholders — including representatives from cybersecurity, corporate security, legal, HR, communications, finance and more, Palmer says.

“It also means building relationships with law enforcement early and baking their roles into your plan,” Palmer says. “The hours after an attack is not the time to forge new relationships.” Engaging with FBI and Cybersecurity and Infrastructure Security Agency (CISA) partners before an attack occurs, for example, gives you a head start in your incident response planning. CISA, law enforcement and banking experts offer various forms of virtual and in-person training to help staff members learn how to be diligent.3

Creating a preparedness plan is crucial, but equally so is testing it — and testing it again, Palmer says. “Conducting tabletop exercises and running through various real-world scenarios will allow you to ensure all stakeholders understand their roles and responsibilities and keep your plans efficient and effective,” she says.

Advances in technology are increasingly exploited by cybercriminals and hackers for malicious purposes including financial gain. Resources to combat these crimes — including videos from institutions hit by cyberattacks — have been compiled on the ACR’s Cybersecurity Resource Hub.

“We can’t just give radiology groups a playbook — what you’re doing and what I’m doing might not call for the same approach,” Wald says. “What we can and are doing at the ACR is putting radiologists on the right track toward education and preparedness.”

ENDNOTES

1. Sophos. The State of Ransomware in Healthcare 2022. March 2022. Accessed Jan. 24, 2023.

2. Hudnall C. Recovery Mode: Cyber attacks have ramped up in recent years, and radiology practices must be prepared to respond decisively to potential breaches. ACR Bulletin. Feb. 23, 2021.

3. Cybersecurity & Infrastructure Security Agency. CISA Training. www.cisa.gov/cisa-training. Accessed Jan. 24, 2023.

Author: Chad E. Hudnall, senior writer, ACR Press