The University of Vermont (UVM) Medical Center in Burlington was rocked last fall by a cyber attack that took down its entire network. The attack prompted federal agencies — including the U.S. Department of Health and Human Services and the FBI — to immediately issue a warning that cybercriminals were targeting healthcare providers with ransomware.1 The lingering effects felt by UVM staff and patients are a stark reminder that radiology groups need to shore up their systems’ security and prepare for the worst.
“This cyber incident was particularly malicious,” says Kristen DeStigter, MD, FACR, chair of the department of radiology at UVM. “There is no way to completely protect against these attacks, but we have learned firsthand that we can make systems less vulnerable.”
“I think sometimes radiologists forget that everything we do is digital,” says Christoph Wald, MD, MBA, PhD, FACR, chair of the department of radiology at Lahey Hospital and Medical Center and chair of the ACR Commission on Informatics. “That means when a cyber attack happens, and your IT people pull the network cord to quarantine malware, radiology may lose every last bit of functionality it normally relies on. That might be hard to imagine, but it could happen to your practice.”
ROOT CAUSE
Cyber attacks on a hospital or healthcare group’s information management and operations systems can bring an entire network to an abrupt halt. Some attacks are more crippling than others, but almost all attacks are rooted in profit — either through ransomware or theft of patient information to sell on illegal online marketplaces. When approaching cybersecurity, there must be a balance between seamless access for healthcare professionals and protection against a data breach or system failure.
During the attack on UVM, the malicious actors leveraged malware through an employee’s off-network hospital laptop. “When the employee connected to our virtual private network — after two weeks of the virus sitting in the phishing email — the ransomware deployed causing widespread system outage,” DeStigter says. “After initiating the encryption, the malicious actors used the privileged credential to push a second virus onto internal systems to establish persistence.”
The UVM Health Network has since pivoted to a segmented approach to minimize its equipment and support system exposure. Segmenting a network creates layers between data servers — with the goal of separating your most sensitive data from everything shared outside of your internal network.
Without some kind of data separation, a virus can quickly spread. “The malicious actors gained access to our server, then encrypted all virtual hard disks, and finally obtained administrative credentials,” DeStigter says. “Our system was completely down. We had to reimage, rebuild, or replace all impacted systems. This cybercrime was called one of the most significant on any healthcare system in 2020.”2
GROWING PROBLEM
Radiology, by virtue of its digital nature, has a multitude of potential security vulnerabilities that pose significant cyber risk — but the specialty is not alone in failing to adequately secure new or existing technologies, according to Daniel Reardon, MPA, CHPC, chief compliance officer for the ACR. The healthcare sector in general is woefully behind in proactively addressing the current threat landscape, he says.
When it comes to technology products, there is often a disconnect between vendors/manufacturers and IT departments. Products may not be designed with adequate security features or they may not be configured properly once procured. “Regardless of the scenario, there is a lot of finger pointing, which ultimately leaves patients at risk,” Reardon says.
This kind of impasse is especially dangerous as the number of ransomware attacks continues to rise. “Since late last year, several large healthcare systems have been taken down,” says Reardon. “When that happens, it can take months to get things back online.”
How you approach cybersecurity will likely vary depending on your practice type and size. Most experts recommend that larger groups have internal expertise — a group dedicated to managing security. Smaller practices often outsource all security operations. In any practice setting, Reardon says, you need to have some sort of incident response protocol in place. It could be a response team or an individual responsible for acting with purpose the moment a malicious actor strikes.
GROUP LESSON
“We learned firsthand that assembling a disaster management team within your department — charged with talking everyone through a checklist if (and when) something bad happens — is critical to maintain the safety of staff and patients,” DeStigter says. “A control center helps stabilize, optimize, and focus on next steps.” Giving and receiving support from the radiology community as a whole should also be part of the response, she says.
“When you see the severity of an attack unfold, you feel pretty isolated,” DeStigter says. “We are the only referral hospital in a large geographical area. With all systems down, we had to keep taking care of patients, and we didn’t have a playbook.”
“Within days of the initial event, a number of radiologists from around the country reached out to me, asking if there was anything we needed,” DeStigter recalls. “I was so appreciative of that. It really showed me the strength and empathy of the radiology community.”
In turn, DeStigter — during the first weeks following the attack — communicated learned best practices to radiologists at other institutions. “You worry about a chain reaction,” she says. “I wanted to share our experience and let them know what they could be facing in the event of a total system failure.”
“We were running paper reports up to other floors, and providers were coming to the department with imaging questions. But we were in a pandemic! Because of COVID-19, we had to put up signs and lock reading rooms to keep too many people from coming into our department at once,” DeStigter remembers.
“In our radiology department, we practiced and thought we would rely heavily on our emergency backup system in the event of a breach,” DeStigter says. “When that got infected, too, we had to go completely to paper.” At UVM, they could use their imaging equipment but could not transfer images from scanners to workstations. Radiologists interpreted scans from modalities and QA workstations until a temporary solution was in place. Results were recorded in handwritten reports and they quickly developed templated paper reports. Because network storage systems were down, staff had to buy hard drives to avoid losing data.
DeStigter says, “We quickly established a process on paper, but we are all accustomed to working with voice recognition in standardized reporting systems. Many staff were never trained — or had never had the need — to handwrite a report. We didn’t even have enough pens for everyone.”
“The only safe way we had to communicate, believe it or not, was through a mobile app service on our smartphones,” she says. “We created a list to communicate with radiologists, residents, technologists, and others in the care delivery process. Preparing standardized forms for printable paper reports and creating a list of phone numbers for all staff — not just those in your department — are two things you should do now. Definitely keep good records of everything.”
REGULAR REHEARSAL
“We know it is a matter of when and not if. More and more people are getting comfortable with that reality,” Reardon says. “They are less comfortable with their ability to react when something happens.”
Using multi-factor authentication and vetting security vendors is important. Staff training — on phishing, for example — should be commonplace. Reducing your vulnerability by creating a strong “human firewall” is important, but having a tested post-attack response plan in place is critical, Reardon says.
“Do you have the right response protocol in place? Do you know when or if to get a notice out to your patients? Should you be talking to the authorities, and if so which ones? Do you pay a ransom to unlock encrypted files? These are the kind of aftermath scenario desktop exercises you should be thinking about,” Reardon says.
“There’s really not much a radiology practice can do to completely prevent a cyber attack,” Wald agrees. “Radiologists should focus on understanding the various resulting operational scenarios that may ensue.” They need to understand how radiology operations will change if IT starts shutting things down, he says.
“You are potentially looking at no PACS, no voice recognition for reports, reading scans directly from scanners, physically locating one or more subspecialty radiologists at critical scanners, and locating referring physicians for direct communication on every single study,” Wald says. “You must prepare for this sudden shift and instruct and train your folks ahead of time how to function.”
“The best laid plans are what they are, but you have to test them out,” Wald says. His group runs downtime tests from time to time. “We intentionally take down systems and practice for brief periods of time. The simulation shows how people might handle a crisis.”
Radiologists should also be asking their equipment vendors about how older operating systems are being updated for current security threats, Wald says. In addition, know what kind of support your vendors provide in the case of a breach. “Our vendor, for instance, is required to bring PACS back up within 96 hours of an outage,” Wald says. When it comes to details like this, Wald points out, “staying informed isn’t expensive.”
In order to avoid disruptions to patient care, practices need a disaster response process that amounts to standard operating procedures, Wald says. “You should have hard copies of the disaster plan at each workstation for each modality,” he says. “Everyone needs to know where they are and what to do with them.”
Documenting everything is critical when normal operations cease, Wald says. “Eventually you will have to restore your reporting manually. Your record will also be your bridge to billing — and that might be a long time off,” he says. “You could be looking at two to four weeks for a partial return, and three to six months for a full return.”
IMPERFECT SYSTEM
While cybersecurity experts agree that it is impossible to guard against all attacks — and that scenario training is invaluable — consistent vulnerabilities in radiology could be identified now.
The medical analytics team at Massachusetts General Hospital (MGH) radiology department developed an application to identify weaknesses in Digital Imaging and Communications in Medicine (DICOM) servers — the standard for managing medical imaging and related data. The MGH team has tested its application multiple times by conducting a worldwide security scan of servers. Thousands of unsecured hospital servers were discovered to be at risk worldwide — having no firewall in place and accepting information from sources outside of their own hospital network. Half of those compromised servers are in the U.S.
These unsecured servers make cyber attacks easier, says Oleg S. Pianykh, PhD, director of the medical analytics group at MGH Radiology and assistant professor of radiology at Harvard Medical School. These vulnerabilities have largely continued since DICOM servers were first scanned in 2014, he notes.
“I believe the only way to fix the radiology data security problem is for a designated group to perform independent vulnerability checks,” Pianykh says. “Radiology technology is outpacing security efforts. A DICOM scan approach can be done now. We don’t need to spend the next decade looking for an ideal security solution.”
A national, system-wide program would be the best option, Pianykh says. At the very least, every radiology training and management project should convey that leaving medical devices and imaging archives wide open at their default DICOM ports and settings is the most common security problem.3
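The condition described above (a DICOM listener with no firewall, or one that accepts sources outside the hospital network, often on a default port) can be checked against a practice's own inventory. The following Python audit is an added example, not part of the original article and not the MGH team's application; the node names, address ranges and inventory layout are constructed assumptions, and 104 and 11112 are the IANA-registered DICOM ports.

```python
import ipaddress

# IANA-registered DICOM ports; vendor-specific defaults would be added per site.
DEFAULT_DICOM_PORTS = {104, 11112}

# Constructed: the practice's own internal address space (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "fd00:20::/32")]

# Constructed inventory: one row per DICOM listener with the source CIDRs its
# firewall rule allows. An empty list means no firewall rule exists at all.
INVENTORY = [
    {"node": "ct-scanner-1", "port": 104, "allowed_sources": ["10.20.30.0/24"]},
    {"node": "pacs-archive", "port": 11112, "allowed_sources": []},
    {"node": "mr-qa-ws", "port": 104, "allowed_sources": ["10.20.0.0/16", "0.0.0.0/0"]},
    {"node": "us-cart-3", "port": 4100,
     "allowed_sources": ["10.20.40.0/24", "198.51.100.0/24"]},
    {"node": "vna-gw", "port": 11112, "allowed_sources": ["fd00:20:1::/48"]},
]


def is_internal(cidr):
    """True only if the whole allowed range lies inside an internal network."""
    net = ipaddress.ip_network(cidr, strict=False)
    # subnet_of() raises TypeError across IP versions, so compare versions first.
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL_NETS)


def audit(inventory):
    """Return (node, reasons) for every listener reachable from outside."""
    findings = []
    for row in inventory:
        sources = row["allowed_sources"]
        if not sources:
            reasons = ["no firewall rule: accepts any source"]
        else:
            reasons = [f"source {s} is outside the internal network"
                       for s in sources if not is_internal(s)]
        # A default port alone is not a finding; it aggravates an exposed listener.
        if reasons and row["port"] in DEFAULT_DICOM_PORTS:
            reasons.append(f"listening on default DICOM port {row['port']}")
        if reasons:
            findings.append((row["node"], reasons))
    return findings


if __name__ == "__main__":
    for node, reasons in audit(INVENTORY):
        print(node, "->", "; ".join(reasons))
```

Containment is tested with `subnet_of` against the declared internal ranges rather than a generic "private address" check, so a rule such as `0.0.0.0/0` is always reported.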
“This problem should not be put solely on the shoulders of hospitals,” Pianykh believes. “They don’t have the resources.” You can have as many security policies as you want, but if you do not actively enforce security from the outside — through a completely independent entity — the problem will go on and get worse, he says.
“This might be something ACR can lead the way on,” Pianykh says. “For now, we will continue to pursue and expand our project. We can scan hospitals and identify their vulnerabilities. Hospitals could also work with us by submitting their network and domain names for scanning — in turn getting vulnerability results from us. By using the scanning approach already accessible to us, we could make significant progress in a short amount of time.”
LINGERING THREAT
More cyber attacks are looming as COVID-19 continues to generate more remote work for employees who are potentially working on less secure mobile devices and networks. Gauging your team’s ability to respond to a cyber attack needs to happen now, DeStigter says. “During a cyber attack, things happen quickly and you have to find solutions as you go if you have nothing in place,” DeStigter says. “In our case, COVID-19 worsened an already unimaginable situation.”
“It would be wise to evaluate your access to resources in light of pandemic restrictions,” DeStigter says. “For example, UVM had a third-party vendor in place to assist with security and recovery issues, but no one from the outside was allowed in after the attack so everything was done remotely,” she says. “Staff shortages may still be an issue at your facility, making a rapid, organized response even more daunting.”
Beyond the pandemic, the financial impact, the scheduling challenges, and the uphill climb to resume outpatient services, your radiology group will grapple with intangibles that linger long after a cyber attack, DeStigter says.
“During a crisis, everyone is under a tremendous strain,” DeStigter says. “Staff and patient safety must be prioritized, traditional resident education screeches to a halt, and there is no time to think about downstream legal ramifications of the decisions you are compelled to make in the moment.”
“There is an element of demoralization to this type of calamity,” she says. “The whole department feels it — being helpless to help patients. Staff wellness hits the lowest of low points.” It is incumbent upon radiology groups to implement and routinely review a cyber attack response plan — sooner rather than later, DeStigter says. “Action today may ensure your future, and the well-being of staff and patients,” she says.
“We are recovering but are functioning to near-baseline,” DeStigter says. “Thankfully, we have seen no negative patient outcomes from our radiology department as a result of the cyber attack, and it appears the malicious actors did not export any patient data. We have added new security to our network — right down to each individual laptop. We know now that you are never 100% safe, but we have never been more prepared to handle the worst.”