Radiologists must make cyber security a priority to protect their businesses and patient data.
“Nearly 100 percent of what radiologists do is rendering care electronically. Unless their network security is lights-out good, they are disproportionately at risk for a data breach.” That’s the cold hard truth, according to David Sousa, chief operating officer and general counsel for Curi, a North Carolina-based insurance company offering physician liability protection. And as a variety of practices are realizing — despite an ever-growing to-do list for imagers — prioritizing cyber security is a must.
Cyber attacks to obtain personal data — often held hostage for a bitcoin payment or sold to another party on the dark web — are increasingly common. Healthcare data is particularly valuable. A data breach that compromises patient information can result in substantial government fines, lost time, and a damaged reputation for the targeted hospital group or radiology practice (see sidebar on page 12 for glossary of cyber security terminology).
Stolen health information can reveal Social Security information, Medicare data, patient identification numbers (PINs), patient addresses (physical and email), and details about health insurance and medical conditions. This can lead to identity theft, billing fraud, and sometimes blackmail — to the detriment of both patients and the radiology group charged with protecting their personal data.
“Medical information has the crown jewels for the bad guys when it comes to data they can monetize,” says Chris Swecker, a retired Federal Bureau of Investigation (FBI) assistant director, special agent, and currently an attorney in Charlotte, N.C. “Medicare is hit particularly hard when a beneficiary number is stolen.”
All radiology groups are fair game for hackers, Swecker says, but small- and medium-sized practices with no staff dedicated to cyber security can be easier targets. According to Swecker, “There is a general groundswell in the bad guy communities that medium-sized and smaller companies have less awareness. They aren’t focused on IT security.” As a general rule, he says, the larger you get, the better you get at security. Although that’s not true in all cases, he adds.
There has been a flurry of high-profile healthcare data breaches in the past year. Quest Diagnostics recently announced that a data breach through one of their billing vendors may have compromised the personal data of nearly 12 million patients.1 Shortly after, LabCorp said that the personal and financial data of more than 7 million of its customers had been exposed by the same billing vendor.2
The healthcare industry had more data breaches last year than any other industry sector, Sousa points out. While not the only targets, other notable breaches occurred at Anthem, Inc., TRICARE Management Activity, Community Health Systems, Advocate Medical Group, North Bronx Healthcare Network, and Health Net, Inc., Sousa says.
A lack of awareness by someone on staff is often the inroad. “I’ve preached nonstop about developing a cultural awareness — within your company or practice and among your customer base — about how you are being targeted,” Swecker says. “The takeaway is that you need to arm yourself and your staff with knowledge.”
According to Swecker, it’s not as complicated as people think for a hacker to invade a network and steal data. “More than 90 percent of the time a system is penetrated, it’s through simple spear phishing emails containing harmful attachments,” Swecker says. He notes that these emails can allow malware and ransomware to essentially hijack your network.
Spear phishing is the practice of sending emails ostensibly from a trusted party to targeted individuals within an organization with the purpose of retrieving confidential information. Of the 15 million patient records breached in 2018 — triple the total amount from the previous year — more than 11 million were accessed through hacking, and largely through phishing attacks.3
Swecker notes there are applications that companies can buy to prepare employees for nefarious emails. “One of the best things you can do is to make your staff aware of spear phishing,” Swecker says. “These apps will send fake emails to employees to teach them, and many companies are using them.”
Phony email education is a good first step, but you really need to hire a reputable company to come in and assess your information system, Swecker says. “You need to figure out if your security is up to snuff,” he says. “Get a baseline of where you are, then designate someone to be accountable in moving forward.”
If you are a small practice and don’t have someone dedicated to cyber security full-time, then a manager or part-owner must be vigilant in asking the right questions to determine your preparedness, says José M. Morey, MD, chief medical innovation officer for Liberty BioSecurity and MedTech and AI advisor for NASA iTech.
For instance, do you use remote access to your network for off-site employees or contractors? Do staff mix personal information with private healthcare data on email? Do employees have any private patient data on their personal devices that they also use for work? “Someone has to be accountable for answering these questions,” Morey warns. “This isn’t a ground-up approach. It’s a top-down thing that needs to happen.”
Radiology leaders and designated informatics staff must also consider the multitude of entry points to their network that may lead to a data breach, Morey suggests. “For a small or large group, when you are looking for new software imaging equipment, for example, the last thing you probably ask about is cyber security features,” he says.
Hackers can get into devices in your radiology department fairly easily, Morey says. “They know that 99.9 percent of people are probably not asking the next MRI vendor, ‘How do you handle patient data encryption?’” The imaging equipment vendors probably aren’t going to volunteer that information, he says.
Vendor agreements protect you, Sousa says. Radiology practices often outsource to vendors — whether a coding or billing company or IT firm that maintains equipment. “Because radiologists may be dependent on third-party vendors, they need to be absolutely sure that they use a HIPAA-compliant business associate agreement with those vendors,” he emphasizes. That should include, at a minimum, Sousa says, “an indemnification clause that states, ‘If your protected health information gets out there and it’s our fault, we are going to protect you totally for that.’ You should also insist that those vendors have cyber liability insurance protection.”
In many cases, a cyber attack won’t directly impact patients through a data breach. The fallout instead hits the radiology group that was compromised in the form of regulatory penalties.
“I think the medical industry is more regulated than the financial industry,” Swecker says. “You’ve got gun-slinging attorneys general coming at you, the U.S. Securities and Exchange Commission, and HIPAA.” It is incumbent upon you to protect patient information, he says. “With so many patient notification laws, when something goes bad, the whole world will know about it,” Swecker says.
Beyond the dangers of present-day privacy regulation, patients’ perception of how secure their data is will become more of a factor in how they choose services. As health data becomes more interconnected with other data, people will insist that it is protected, Morey says. “It’s easier to change your radiologist than to switch banks or change your email provider,” notes Morey.
According to Morey, the days of not having someone with dedicated time for informatics and cyber security are long gone. With the rise of AI and machine learning platforms, more data breach hazards could be likely to follow, he says. “We live in a digital age,” Morey says. “The practices who don’t dedicate time to this are the ones who will be disrupted, dislocated, or taken over in some way.”
The Good News
There are a lot of basic security steps you can take that are already commonplace for credit card companies and familiar platforms like Gmail.
The low-hanging fruit are things like implementing two-factor authentication, Morey says. This is something we use every day with mobile banking and logging into personal email accounts. “It is very easy to put in place and costs are minimal,” he says. Biometric interfaces will plug into most systems as well, and are relatively inexpensive and easy to implement, he adds.
from staff’s personal information is a no-brainer, Swecker says. Having regular security assessments, buying data breach insurance, and forming an in-house response group to react immediately if an information system is compromised will also serve you well.
Stealing patient identification and medical record numbers requires more expertise on the part of hackers, Swecker says. “So it’s fine to outsource your IT, where a lot of information is stored in a cloud,” he says. Just develop an awareness of the dangers from within your practice, “because that’s how the bad guys are going to get in,” Swecker notes.
In the event you have a data breach, Sousa says, “the first thing the feds want to know is whether you have a checklist in place and a written compliance plan that’s designed to educate, prevent, and respond.” If you don’t, he says the fines and penalties will escalate. “They’ll say that HIPAA security updates have been in place since 2013, and that you should have been ready for this.” (Learn more at bit.ly/HIPAA_CyberSecurity).
Time is of the essence when it comes to cyber security — in terms of acting quickly if a breach happens, and in moving now to get a plan in place if you don’t have one. People get caught up in day-to-day tasks, and radiologists are no exception. “But if cyber security is not on your radar, you’re going to be playing catch-up and find yourself in a reactive situation,” Morey says. “Be proactive, even if you think you have things covered.”
By Chad Hudnall, senior writer, ACR Press