By Rik Primo, MS
Both care providers and manufacturers in the digital medical imaging ecosystem must be aware that medical imaging devices, like all computer systems, are subject to cybersecurity risks which may harm the software, hardware, and data security of the device, exposing ePHI and threatening patient safety. As we become increasingly connected to networks, security risks move beyond the system to intrusions across entire digital networks. Advancing cybersecurity counter-measures within healthcare relies upon an ‘it takes a village’ approach requiring manufacturers, installers, service staff, and healthcare providers alike to accept shared ownership and shared responsibility. The Medical Imaging & Technology Alliance (MITA) seeks to foster collaboration such that current and emerging threats can be appropriately addressed across the lifecycle of imaging devices—from design, to installation, and through end of life.1
MITA published a white paper that identifies a set of best practices and guidelines that medical imaging manufacturers and the user community can implement to minimize the possibility that bugs, malware, viruses, or other exploits can be used to negatively impact patient safety by compromising ePHI or product operation.2 The paper was developed in collaboration with the American College of Radiology.
In the whitepaper, MITA states that manufacturers have to build security into the imaging device to ensure that it meets quality expectations as well as the demanding standards of regulators such as the FDA. The whitepaper further makes the point that medical imaging manufacturers and hospital IT departments share the responsibility for the technical infrastructure and mechanisms that provide compliance with best-in-class cybersecurity provisions and risk assessment tools.
A robust cybersecurity plan can only be achieved when processes are clearly defined and effectively followed by staff who have been trained in IT and cybersecurity. Important guidelines for imaging staff are defined in the MITA whitepaper including guidelines for image and report distribution, sharing, and communications (eg, using encryption when creating CDs with images or reading CDs on a PC not connected to the network before importing into PACS).
Cybersecurity in medical imaging is an ecosystem of shared responsibility between healthcare providers and manufacturers. Imaging staff needs to be aware of cybersecurity threats and best-in-class practices. Processes need to be defined and implemented. Technology must support the applicable standards. All this is necessary to achieve a zero-breach cybersecurity goal.
In my session on Wednesday, July 12 at the 2017 AHRA Annual Meeting, “Cyber Security in the Medical Imaging Department,” I will provide valuable guidelines on where you can find cybersecurity resources and demonstrate how to work within your organization to develop a practical plan for maintaining cybersecurity.
1. The Medical Imaging & Technology Alliance (MITA), a division of the National Electrical Manufacturers Association (NEMA), is the collective voice of medical imaging equipment manufacturers, innovators, and product developers. It represents companies whose sales make up more than 90 percent of the global market for advanced imaging technologies.
2. Geiss R, Primo R. NEMA/MITA CSP 1-2015 Cybersecurity for Medical Imaging. https://www.nema.org/Standards/Pages/Cybersecurity-for-Medical-Imaging.aspx. Published March 9, 2016. Accessed May 24, 2017.
Rik Primo, MS is with Siemens-Healthineers Digital Health Services (DS), where he manages the strategic relationships of DS with media, consultants, and analysts. He is also Chairman of the Medical Imaging Informatics (MII) section of the NEMA Medical Imaging Technology Alliance (MITA). His blog was written in his capacity as MII Chair.