April 30, 2018
An operator of multiple imaging facilities in Greensboro, N.C. An Orange County, N.Y.-based multispecialty physicians' group. A West Hills, Calif.-based orthopedic center. A network of hospitals in Illinois, Iowa, and Wisconsin. Data breaches at these healthcare providers occurred in the first half of this year, compromising hundreds of thousands of patient records.
As cybercriminals continue to terrorize healthcare providers using phishing schemes and ransomware, providers and manufacturers alike must prepare for ever-evolving, increasingly sophisticated assaults. Axis Imaging sat down with Tim Peeler, vice president of service at Canon Medical Systems USA, to discuss how health systems can best fortify themselves ahead of an inevitable attack.
Axis Imaging: Recently, some diagnostic imaging systems at hospitals have been compromised by cyberattacks in the United States. What should hospitals be considering when purchasing diagnostic imaging equipment?
Peeler: Any diagnostic system that will be connected to your network should come with software that is designed to isolate and secure that device and all the data that it is producing. To protect yourself from zero-day and advanced, persistent threats, you should have a system that includes properly configured endpoints that deliver continuous, updatable, and scalable protection.
It's also very important to know if the device meets any of the industry standard security requirements and what those are. One size does not protect all when it comes to security.
Axis Imaging: Technology is constantly evolving and hospitals are becoming even more connected than ever before. How can hospitals reduce risk of a cyberattack, and what steps should be taken?
Peeler: Whether you are introducing diagnostic imaging equipment or tablets to your system, it's imperative that you take a holistic approach to cyber security. That process starts with the understanding that it's not enough to be able to just react when something does happen. You have to be able to prevent attacks before they occur.
As you introduce more devices, applications, partners, patients and providers into the mix, your ecosystem grows. While interconnectivity is at the heart of the digital health care revolution, it comes with the reality that the more connections are made, the higher the risk can be. You must therefore ensure that everyone within that ecosystem is protected by using the same standard of security that you are.
Many in the industry are moving to a Risk Management Framework (RMF), which is a set of standards developed by the National Institute of Standards and Technology (NIST). RMF is mandatory for federal agencies and anyone working with them.
The foundation upon which RMF was developed and deployed is the idea that you should constantly test your system and any system that connects to yours. Every organization should fully meet all RMF requirements and have a cyber-security team that is not only testing, but always on top of the latest threats and preventions.
One of the ways in which we achieve this at Canon Medical Systems is by joining organizations where cybersecurity experts help each other by sharing critical information about how to defend against the latest attacks.
The key is to not wait for the system to be infected. You must put in place tools and processes that will prevent attacks before they happen. You must constantly scan for vulnerabilities and breaches, deploy patches before you are infected and share everything you are learning along the way with your ecosystem.
Axis Imaging: What does Canon Medical Systems offer to hospitals to safeguard them from cyberattacks or threats?
Peeler: To ensure the integrity of the system and the data being generated by our devices, we have created a cybersecurity task force. This group is focused solely on understanding the latest cyber risks and vulnerabilities and how they evolve. This enables us to stay ahead of the curve and to develop software that will address what actions need to occur before or when an attack takes place.
The work done by this group is what shapes our products and services. For example, we created InnerVision®Plus, which isolates and protects the network and devices through a remote 1:1 network translation. One of the ways in which we protect the system from an attack is by limiting access to it, ensuring that any application running on the system has been reviewed and approved.
Axis Imaging: If a hospital identifies a loophole or learns that its network was compromised, what are the things that could be done to mitigate damage and/or how widespread the attack could be?
Peeler: First of all, you need to immediately notify any person and/or organization that is connected to your system. Early detection and communication is the key to limiting how far the attack can spread and ultimately how much damage it will do.
Second, immediately deploy patches, even to systems that have not been infected. Once a hacker finds a way in, it's only a matter of time before they gain access to every application and device that is connected in any manner.
When all is said and done, it's also very important to look back, review what happened, and learn from it. This is the only way that you can prevent it from happening again.
Axis Imaging: Some speculate that patient data has become more profitable than credit card numbers, so, in your opinion, will cyberattacks become more frequent and more serious? Why?
Peeler: I think that all cybersecurity experts would agree that attacks will continue to increase in number, frequency, and sophistication. This is a multibillion-dollar-a-year industry that affects every corner of the globe, and there's really no turning back at this point. As our lives become more connected, we leave a larger digital footprint, and with that comes risks. You also have to understand that for hackers, it's not just about the money.
Much of their culture revolves around the challenges they face in exposing vulnerabilities in applications and the pride and accolades that come with successfully storming the castle and breaching the wall.
This article was first published in AXIS Imaging News, April 2018.