Cybersecurity is an increasing concern for many in the medical cybersecurity and information technology professions. As computerized devices in medical facilities become increasingly networked within their own walls and with external facilities, the risk of cyberattacks also increases, threatening confidentiality, safety, and well-being. This article describes what health care organizations and imaging professionals should do to minimize the risks.
563 RADIOLOGIC TECHNOLOGY, July/August 2019, Volume 90, Number 6
CE Directed Reading
Cybersecurity in Medical Imaging
Adi Ferrara, MS, ELS
In May 2017, the world was rocked by a cyberattack called WannaCry. WannaCry was malicious computer software (malware) known as ransomware. It encrypted all files on infected computers, making them unreadable and inaccessible. More than 200 000 computers were infected in 150 countries.1,2 In addition to affecting large companies, such as FedEx in the United States and Renault in France, the attack caused a disruption of the National Health Service (NHS) in the United Kingdom.1 Nearly 19 000 appointments had to be cancelled, costing an estimated £20 million. The NHS spent an additional £72 million to recover from the disaster and upgrade its systems to more secure ones.3 The attacks came to an end when a 22-year-old computer security expert accidentally triggered the virus’ kill switch while examining the virus, halting its spread.4,5

WannaCry demonstrated the importance of cybersecurity in health care settings in a dramatic fashion. During that same month, the Ponemon Institute (an independent organization that conducts research on data protection) published the survey results of 500 people who worked in the medical device security profession. The survey showed that 15% of health delivery organizations were taking active steps to prevent cyberattacks. That figure stood at 17% for medical device manufacturers. When asked whether they have “an incident response plan” in case of an attack, 22% of the health delivery organizations and 41% of manufacturers replied affirmatively, yet the majority of responders considered a cyberattack likely in the coming year.6 It is worth mentioning that worldwide, more than 360 000 new malware programs were detected every day in 2017.7 The number was tallied for the first time in 2011, when it stood at 70 000.7

Cybersecurity has been an increasing concern to many in the medical information technology (IT) profession since before the WannaCry attack. As computerized devices in medical
After completing this article, the reader should be able to:
- Explain why the health care industry is so susceptible to cybercrime.
- Describe medical imaging cybersecurity vulnerabilities.
- Discuss what health care organizations can do to increase the cybersecurity of medical devices.
- Outline security measures health care professionals can take to increase cybersecurity in the workplace.
564 asrt.org/publications
request to) a website or a network (such as a hospital network). If the number of queries is sufficiently large, the website or network cannot handle the traffic and stops responding, thereby preventing legitimate users from accessing the network.
- Encryption – changing the contents of a computer file to something else (akin to making the file into a nonsense string of letters and numbers). An encrypted file cannot be read unless a person has the right credentials on the encrypted system. Encryption is used for data protection, but it also is used by ransomware to make the targets’ files inaccessible.
- Exploit – malware that takes advantage of a software vulnerability.
- Hacker – a computer expert who finds and takes advantage of software vulnerabilities. A black hat hacker does so for malicious, illegal purposes. A white hat hacker hacks computers to warn companies or the public of the vulnerability they found and its possible ramifications.
- Malware – software designed to interfere with the computer’s normal function. This interference can take the form of destruction of data, inability to run the computer or certain programs, stealing personal information, or causing physical damage to the device. Types of malware include:
  - Ransomware – malware that encrypts all files on a device, making them unreadable and inaccessible. To get the files back unencrypted, the user must pay a ransom, usually quoted in the internet currency, bitcoin.
  - Spyware – programs designed to harvest confidential data and forward it to a third party.
  - Trojan – programs that pose as legitimate but are, in fact, malicious. Trojans do not spread by themselves between computers but allow the hacker access to the infected computers unnoticed. From there, the hacker can steal personal information or watch the users’ keystrokes to steal passwords.
  - Virus – section of computer code that adds itself to files and spreads in computers (among files) and from there to other computers. Ransomware is a type of virus.
facilities become increasingly networked within their own walls and with external facilities, the risk of cyberattacks also increases. In February 2016, Hollywood Presbyterian Medical Center in Los Angeles was attacked by ransomware that blocked access to patient data. The hospital was shut down for 10 days, with emergency patients being diverted to other area hospitals. Access to the data was restored only after the hackers were paid the equivalent of $17 000 in bitcoin, an internet currency that cannot be traced.8

The issue of cybersecurity in medical imaging, as with all networked medical devices, involves more than the security and integrity of patient data and machine operation. In today’s clinical environment, a breach of security on one computer—for example, one used in the computed tomography (CT) suite—can bring down the entire hospital’s network, compromising patient care and putting patients at risk of harm, threatening their confidentiality, safety, and well-being. A computer’s role in the network, whether it controls an imaging device or has a nonclinical function, is unimportant. When the department store, Target, was breached and numerous credit cards were compromised, the hackers broke into Target’s network through the heating, ventilation, and air conditioning system, which was part of the network.9

The number of medical imaging devices has increased in the United States since their introduction (see Figures 1-3).10-12 This number likely will continue to increase, as these devices are now an integral part of medical research and the diagnosis, treatment, and prevention of numerous diseases and conditions.1 Although advances in medical imaging are great news for patients and care providers, the rising importance of these devices makes them a target for malicious hackers.
Cybersecurity Terminology
Cybersecurity terms are unfamiliar to many people. In addition, some terms might be misunderstood by those who do not work in the cybersecurity or IT professions. The following list defines the most common terms associated with cybersecurity13:
- Distributed denial of service (DDoS) – a cyberattack where hackers use multiple devices they previously infected to simultaneously query (send a
  - Worm – a standalone program that spreads among computers but does not infect individual files.
- Phishing – emails that pretend to be from a company (often a bank or credit card company) or from a governmental or organizational entity (eg, a health care organization’s IT department) (see Figure 4). These emails usually report a problem that must be resolved by clicking a link or opening an attachment. These links or attachments are malicious and usually are aimed at stealing sensitive information, such as financial institution login credentials. They also can carry malware.
- Virtual private network (VPN) – it hides the user’s information on the internet by encrypting data. Many companies require employees to use a VPN if they are working away from their office (ie, not connecting through a secure company network). A VPN allows users to connect to a private network securely, even if they are using an open network (eg, a free internet connection at a coffee shop).
- Vulnerability – a weakness in software. Hackers can take advantage of this weakness to release malware into the computer. When a vulnerability is discovered, the software manufacturer releases a patch, or fix, to eliminate it.
- Zero-day attack – a malware attack that takes advantage of a previously unknown vulnerability. These attacks are rare, but they present a bigger problem because no solution exists for this software weakness.
The CIA Triad
CIA (or CIA triad), which stands for the categories confidentiality, integrity, and availability, is a common term often used in medical device cybersecurity. Cybersecurity risks in medical imaging typically fall into 1 of these categories.

Confidentiality in this context refers to protecting patient information from falling into the wrong hands and ensuring that data are always available to people with legitimate needs (eg, treating physicians).14

Integrity in the cybersecurity context means preventing malware from altering patient results or tying
[Figures 1-3: line graphs of imaging units per 1 million inhabitants, x-axis Years (1994-2016); y-axes No. of MR Units, No. of CT Scanners, No. of Mammography Machines]
Figure 1. Magnetic resonance (MR) imaging units per 1 million inhabitants, 1993-2017, United States. Graph courtesy of OECD Health Statistics: health care resources. doi:10.1787/1a72e7d1-en.
Figure 2. Computed tomography (CT) scanners per 1 million inhabitants, 1997-2017, United States. Graph courtesy of OECD Health Statistics: health care resources. doi:10.1787/bedece12-en.
Figure 3. Mammography machines per 1 million inhabitants, 2000-2016, United States. Graph courtesy of OECD Health Statistics: health care resources. doi:10.1787/685c9c5e-en.
of entry to the hospital network. However, with the growing realization among cybercriminals that the DICOM and health level 7 (HL7) protocols contain valuable patient data, researchers assume attacks on medical imaging devices will increase in coming years.15,16 David J Harvey, managing director and chief technology officer of Medical Connections, Ltd, said in a 2018 interview: “We’re [radiology professionals] living on borrowed time,” adding that it was only the relative obscurity of DICOM and HL7 that kept radiology relatively safe from attacks,15 but that is changing.16

Financial gain often is the driving force behind malware attacks.2 Patients’ identifying information, which is readily available in unencrypted DICOM and HL7 files, is vastly more valuable on the dark web than credit card data because people are quick to realize their credit cards have been compromised. In such cases, the cards are deactivated quickly and become useless. Conversely, stolen patient information often is used to obtain drugs or devices that then are resold on the black market. Often, these identities also are used to create fraudulent insurance claims totaling thousands or tens of thousands of dollars. Meanwhile, it can take years for patients to realize their identity was used to commit these crimes. Patients’ stolen identities are good long-term investments for cybercriminals.17

Cyberterrorism is, so far, a theoretical but not far-fetched risk. Anura S Fernando, a principal engineer with the Medical Software and Systems Interoperability Health Sciences Division at Underwriters Laboratories, painted a scenario whereby a physical attack (ie, a bomb detonated in a populated area) is followed up by or launched simultaneously with a DDoS or ransomware attack on area hospitals.9 Such a cyberattack could leave the hospital unable to use any of its imaging or life-support machines, among other debilitating disruptions. The consequences could be substantial in a mass casualty event.

Attacks have been launched for political reasons as well. The NHS in the United Kingdom is accessed online by millions of people. In 2017, hackers linked to the Islamic State of Iraq and Syria uploaded disturbing, graphic pictures of Syrian war casualties to NHS sites for anti-West propaganda purposes.18
correct results to wrong patients. Mahler et al proved the feasibility of such alteration attacks in 2017.1

Availability means the device and its host computer and network always are available, and the data and operations software always are accessible. DDoS and ransomware attacks fall under the category of availability.

Why Target Medical Imaging Devices?
There are several reasons why malicious hackers target medical imaging devices. Most motivations apply to attacks against other medical devices as well. Typically, hackers do not target a particular device to harm patients; rather, the device is used as a point
Figure 4. Phishing email (redacted), purported to be from a legitimate file sharing company called WeTransfer. The following signs suggested the email was fake: the sender’s address does not contain the company’s legitimate internet domain (wetransfer.com); when hovering the cursor over the link, the embedded internet address is in Hungary (.hu) and does not contain the WeTransfer domain; information about who or where the files came from is not included—file transfer companies always provide that information. Image courtesy of the author.
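The three signs listed in the Figure 4 caption can be turned into a mechanical check that a mail gateway or a help desk script runs before anyone clicks. The following is an added example, not code from the article; the two messages are constructed, and the "Sent by:" line convention used for the third sign is an assumption.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

LINK_RE = re.compile(r"https?://[^\s\"'<>]+")
# Assumed convention: a legitimate transfer notice names its sender on a line
# such as "Sent by: ..." (the caption says file transfer services always do).
SENDER_LINE_RE = re.compile(r"^(sent by|from):\s*\S", re.IGNORECASE | re.MULTILINE)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels, e.g. files.wetransfer.com ->
    wetransfer.com. Good enough for .com/.hu style names (assumption; use a
    public-suffix list for multi-label TLDs such as .co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(from_header: str, body: str, claimed_domain: str) -> list:
    """Return one reason per Figure 4 sign that the message trips; an empty
    list means none of the three signs fired."""
    reasons = []
    # Sign 1: the sender's address is not on the company's legitimate domain.
    _, addr = parseaddr(from_header)
    sender_domain = addr.rpartition("@")[2]
    if registrable_domain(sender_domain) != claimed_domain:
        reasons.append(f"sender address {addr!r} is not on {claimed_domain}")
    # Sign 2: an embedded link points somewhere other than the company's domain
    # (what hovering over the link in the caption revealed).
    for url in LINK_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != claimed_domain:
            reasons.append(f"link {url} goes to {host!r}, not {claimed_domain}")
    # Sign 3: no information about who or where the files came from.
    if not SENDER_LINE_RE.search(body):
        reasons.append("message does not say who or where the files came from")
    return reasons


# Constructed sample messages (not real mail).
SUSPICIOUS_FROM = "WeTransfer <noreply@wetransfer-files.example>"
SUSPICIOUS_BODY = (
    "You have files waiting. Download them before they expire:\n"
    "http://files.example-share.hu/download/abc123\n"
)
LEGIT_FROM = "WeTransfer <noreply@wetransfer.com>"
LEGIT_BODY = (
    "Sent by: radiology.scheduling@hospital.example\n"
    "https://wetransfer.com/downloads/abc123\n"
)

if __name__ == "__main__":
    for reason in phishing_indicators(SUSPICIOUS_FROM, SUSPICIOUS_BODY, "wetransfer.com"):
        print("suspicious:", reason)
    print("legit:", phishing_indicators(LEGIT_FROM, LEGIT_BODY, "wetransfer.com"))
```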
resources directed away from caregiving decrease quality of care and patients’ well-being.

There also are potential consequences to health care cybersecurity breaches that might not be immediately obvious. The Office of Civil Rights estimated that during 2015 and 2016, more than 127 million patient records were compromised, most because of cybercrimes.21 Many of the large attacks were well publicized. Such attacks shake the public’s trust in the health care system and might lead to a reluctance on the part of patients to share medically relevant information with their health care providers. This is especially true for patients with sexually transmitted infections or mental health conditions.2 This reluctance can spell trouble for accurate diagnosis and treatment.

In August 2016, a financial investment firm reported specific vulnerabilities with an implantable cardiac device, the kind that automatically communicates the patient’s data to his or her doctor. This vulnerability purportedly would allow a hacker to manipulate the patient’s device, though no actual attacks have taken place.21 The company was criticized strongly by the U.S. Food and Drug Administration (FDA) for failing to patch a known risk, even though all similar devices from other manufacturers carried this vulnerability. Although the security risk was patched, concern among patients who already had or needed the device grew; the thought of an outside malicious attack that can affect a person’s heart was frightening to many patients. One doctor reported he had patients who got the device but refused to have it monitored remotely through an internet connection, thus negating a benefit of the device.21

Diagnostic imaging often is used in time-critical situations, when any delay could mean a patient’s life. A cyberattack that shuts down magnetic resonance scanners (as happened at NHS hospitals during the WannaCry attack) or any other imaging device could be fatal to a critically ill or injured patient.

Another potential cyberattack is alteration of patients’ test results. If this happens, the consequences for patients can range from inconvenient to substantial. If a positive test result is switched to negative, patients who need treatment might not receive it. Conversely, if test results of any tests are changed to false positive, patients might get treated for conditions they do not have.
The health care industry especially is vulnerable to cyberattacks because its focus was solely on the quality and safety of patient care for years, and most devices were standalone devices, not networked.19 Culture changes slowly and involves a learning curve. “The difficulty with maintaining strong cybersecurity in radiology, and health care in general, is that the effort is often viewed, consciously or not, as a zero-sum game,” wrote Imaging Technology News’ Associate Editor Jeff Zagoudis in 2018.15 Medical IT departments and device manufacturers always are patching known vulnerabilities to stay compliant with basic regulatory requirements.15 However, zero-day attacks such as WannaCry have been given low priority until recently.

In addition, device manufacturers usually are unaware of their products’ security flaws and have a hard time finding people with the right expertise who can identify cybersecurity problems during the production cycle, rather than postmarketing.

Consequences of Cyberattacks
Cyberattacks are expensive. If the hospital chooses to pay the hackers behind a ransomware attack, that is a big expense. But even if payment is not made (because the attack was of a different nature or the hospital recovered its files without paying a ransom), heavy costs are associated with cyberattacks.

The Department of Health and Human Services’ Office of Civil Rights levies fines and assesses penalties against providers whose patients’ data were breached. In 2017, these fines and penalties totaled $19 393 000.20 Costs resulting from a cyberattack also include staff hours responding to Office of Civil Rights inquiries, conducting their own investigation into the breach, and upgrading and patching networked devices. There might be additional costs if providers must pay for credit monitoring for patients whose records were breached.20

One consequence that rarely is discussed is the long-term effect of a cyberattack on the quality of care in the facility. According to a 2017 study, the 30-day mortality rate for acute myocardial infarction (heart attack) rose for 2 years after a cyberattack, compared with hospitals that experienced no breach.20 Distracted staff and
protocol, which allows various imaging devices to communicate with each other without compatibility concerns, has an option that allows the sender to encrypt data before transmitting it. However, DICOM software does not mandate encryption. Instead, it is up to the facility or organization to mandate encryption.23 Not all facilities and organizations enforce encryption, even though DICOM files contain detailed patient information in plain language.
- Failure to protect servers – access to servers should be behind a firewall or require a VPN connection. Devices connected to the internet should be protected by a firewall (a security protocol that allows or rejects traffic into a computer or network, based on set rules), so that the network is neither visible nor accessible to everyone.
- Failure to destroy patient data – patient data must be destroyed when disposing of a medical device or when sending it out for service.
- Theft – laptops and other mobile devices that contain patient information.

Health delivery organizations deal with outside contractors, or vendors, for various business purposes (eg, imaging device suppliers, payroll processing companies). These vendors might have access to employee or patient records and usually are allowed into the health delivery organization’s network. As Peterson pointed out, however, they might be the weakest link in the organization’s cybersecurity plan.20 Vetting vendors allows a health delivery organization to evaluate vendors’ commitment to cybersecurity and safeguarding patient and employee data. Some organizations use questionnaires, either alone or as a starting point for a more thorough back-and-forth vetting process.20 Organizations that use questionnaires might use the vendor’s responses as part of the contract the vendor signs with the facility.

Medical Imaging Vulnerabilities
A recent worldwide security sweep of DICOM servers found more than 2700 networks that were not secured—anyone could access them. Half of these unsecure networks were in the United States. Of these networks, 719 willingly shared information with an
Cybersecurity Risks in Medical Devices
The primary risks to medical devices from a cybersecurity standpoint include the following14:
- Software faults – cybersecurity historically has not been a high priority in health care, but device manufacturers are now considering such risks. Software developers working for medical device manufacturers might not have been trained to include cybersecurity considerations in their code. In addition, many health care facilities use legacy systems that include old medical devices or unpatched operating systems (eg, Windows XP, which is no longer supported by Microsoft, and therefore no vulnerability patches exist for it).2 The need to keep up to date with software and platforms was driven home by the criticism of the NHS after the WannaCry attack. A report from the National Audit Office in the United Kingdom specifically cited the lack of regularly patching software as a contributing factor to the system’s catastrophic failure, along with several other factors.22 Further, device manufacturers do not always know which software will be used with their device. The health delivery organizations might choose a cheaper, third-party software option instead of the manufacturer’s expensive, proprietary bundle. In such cases, the software acquired by the health delivery organization might have vulnerabilities the manufacturer did not safeguard against when designing the device.
- Poor password hygiene – passwords sometimes come with the device and are hardcoded, meaning they cannot be changed. This is a security risk because such passwords are easy to steal or deduce. Other times, the facility itself is negligent and the password is written down and displayed, sometimes taped to the device.
- Incorrect permissions – often users are granted more permissions on a device than they need to perform their duties. The more people who access areas that should be restricted, the greater the chance of a serious problem developing.
- Failure to protect data – data should be encrypted before sending it out. For example, the DICOM
treating the patient for a nonexistent condition. It also is more difficult to identify such an attack because the image quality is not affected. The third scenario involved connecting the imaging result from one patient to a different patient’s record. Again, the consequences can be severe, even fatal, as patients might be misdiagnosed and mistreated.
- Denial of service – imaging devices often are used in critical situations where time is of the essence to save a patient’s life. The researchers held the host control computer hostage with ransomware, thereby making the scanners unavailable for critical tasks.

In addition, the researchers’ tampering with the CT software on the host computer also allowed them to deliver high radiation doses through the scanner, a matter of substantial concern.

Efforts to Improve Cybersecurity in Medical Devices
In December 2016, the FDA published nonbinding recommendations in “Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff.” This guidance followed the 2014 “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” Although the FDA acknowledges the need to consider cybersecurity throughout the life cycle of a medical device, these guidance documents are not enforceable by law. Not complying with the recommendations, however, can result in penalties or delayed approvals.28 The FDA recommendations call on manufacturers to incorporate cybersecurity into their postmarket device management plans in the form of monitoring, identifying, and addressing known and emerging cybersecurity risks. This should be performed on a continual basis postmarketing.29

The FDA guidance does not provide manufacturers with guidelines to help them evaluate the efficacy of their process to address cybersecurity threats. However, 2 recent standards, the Technical Information Report 57 (TIR57) and the UL 2900, might fill this gap. The TIR57 was written by the Association for the Advancement of Medical Instrumentation. TIR57
delivery organization on portable media, which are not secure and can be infected with malware.26
Direct Attacks on Medical Imaging Devices
Mahler et al conducted a cybersecurity risk study of imaging devices in cooperation with Israel’s largest health maintenance organization.1 Concentrating on CT scanners as their model imaging device, the researchers launched a variety of cyberattacks against the devices, resulting in several categories of adverse events, including:
- Mechanical disruption – by manipulating the correct software files on the CT’s host control computer, the researchers physically changed the behavior of the various motors of the CT apparatus (eg, motors controlling the bed or the rotation of the scanners). In these scenarios, they showed that a cyberattack can cause physical damage to the CT’s motors (resulting in potential heavy financial losses), and that the intrusion can physically put patients at risk (eg, by changing the bed movement in a way that causes the patient to fall off). Although not a concern when cyberattacks first appeared, the ability to cause physical (ie, real-world) damage to computer-controlled mechanical equipment through malicious software was demonstrated by the Stuxnet virus, which destroyed many centrifuges at an Iranian uranium enrichment plant in 2009. The virus causing the damage was not discovered until 2010 by an antivirus team investigating strange behaviors on some clients’ computers. Stuxnet is considered the first cyberweapon because of its ability to cause real-world damage.27
- Image distortion or alteration – by manipulating the image reconstruction software or the DICOM protocol (both done through malware attacks), the researchers mounted increasingly sophisticated attacks on CT scanners. The first scenario resulted in unusable images, requiring a repeat scan. The second scenario escalated the attack by altering the image, essentially giving false-positive or false-negative scan results. This scenario can lead to missing a diagnosis or
multifactor authentication throughout the entire organization.20 In the months after implementing the multifactor authentication program, the institution saw a consistent 98.5% drop in the monthly number of compromised accounts. Emory now has expanded its multifactor authentication program to cover logins to 20 different applications on its servers. Other companies and organizations also are looking at alternatives to less-secure logins. With advances in technologies such as biometric readers and facial recognition, there are more secure options for network logins.

What Needs to Change
The move from standalone to connected medical devices requires a different philosophy on the part of all stakeholders. Malware is becoming more sophisticated, and the consequences of a cybercrime can affect patients’ safety and possibly their lives. Today’s health delivery organizations must develop a culture of commitment to cybersecurity. Among other things, this includes a commitment to regular, timely assessments of risk for all connected devices, and establishing a rapid response plan that can be initiated if a cyberattack does penetrate the network.

According to Kevin McDonald, director of clinical information for the Mayo Clinic, a commitment to a cybersecurity culture also means15:
- committing to running supported operating systems
- ensuring the organization upgrades the operating systems on its devices
- using only open-source or third-party software that can be upgraded
- maintaining a list of authorized personnel for every device to restrict access

Historically, device manufacturers have not concerned themselves with cybersecurity during the product design and development stage.19 This is the first major shift that should occur; to achieve this, the purchasing organization (the health delivery organization) and the manufacturer should collaborate during the device’s design stage. The manufacturer needs to understand the type of connected environment in which the device will function, not just what the device is expected to do.19
provides guidelines on integrating cybersecurity risk management into the device’s development cycle. It guides engineers in identifying, evaluating, and controlling security risks. It also provides guidance on monitoring the efficacy of the controls. TIR57 is now a recognized FDA standard,28 which allows manufacturers who use it to get through their device’s regulatory review quicker, as it successfully fulfills a portion of the requirements for approval.

The UL 2900 comprises 3 standards and collectively is named “Software Cybersecurity for Network-Connectable Products.” It provides test-centered criteria that allow manufacturers to prove their compliance with FDA guidance and expectations. It is built around several well-established cybersecurity standards and is a recognized FDA standard.28

Acknowledging that there is never going to be a way to completely proof health delivery organization networks against cyberattacks, researchers look to mitigate such risks. For example, researchers are teaching an artificial intelligence program to recognize standard CT operational commands and scan parameters, so it can flag unusual input and alert a human before execution. The team means for this artificial intelligence system to be a last line of defense if all other measures fail.30 Tom Mahler, a PhD candidate working on the project, said: “We focus on developing an anomaly detection system using advanced AI methods to train the system with actual commands recorded from actual equipment. Our system will monitor scan protocols to detect whether outgoing commands are malicious before they are executed and will alert or possibly stop if it detects an issue.”30
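To make the last-line-of-defense idea concrete, here is an added example (not the research team's code) of the simplest possible version of such a gate: it learns a per-parameter envelope from commands recorded during normal use and refuses any outgoing command that falls outside it, such as the excessive dose or table movement the Mahler et al study produced. The command fields, their units and the recorded values are all constructed.

```python
from statistics import median

# Constructed stand-in for "commands recorded from actual equipment": one routine
# protocol per entry (tube voltage, tube current-time product, table step, rotation).
BASELINE = [
    {"kv": 120, "mas": 200, "table_step_mm": 5.0, "rotation_s": 0.5},
    {"kv": 120, "mas": 250, "table_step_mm": 5.0, "rotation_s": 0.5},
    {"kv": 100, "mas": 180, "table_step_mm": 7.5, "rotation_s": 1.0},
    {"kv": 120, "mas": 300, "table_step_mm": 5.0, "rotation_s": 0.5},
    {"kv": 80, "mas": 220, "table_step_mm": 5.0, "rotation_s": 0.5},
    {"kv": 120, "mas": 150, "table_step_mm": 7.5, "rotation_s": 1.0},
    {"kv": 140, "mas": 260, "table_step_mm": 5.0, "rotation_s": 0.5},
    {"kv": 120, "mas": 200, "table_step_mm": 10.0, "rotation_s": 0.5},
]


class CommandGate:
    """Learns an envelope per parameter from recorded commands and refuses any
    outgoing command that steps outside it, so a tampered host computer cannot
    silently push an extreme dose or table move to the scanner."""

    def __init__(self, baseline, k=3.0):
        self.bounds = {}
        for key in baseline[0]:
            vals = [c[key] for c in baseline]
            med = median(vals)
            # Median absolute deviation: a robust spread that is 0 when values repeat.
            mad = median(abs(v - med) for v in vals)
            # Observed range, widened by k MADs so ordinary variation is not flagged.
            self.bounds[key] = (min(vals) - k * mad, max(vals) + k * mad)

    def evaluate(self, command):
        """Return {parameter: reason} for every problem found; {} means allow."""
        problems = {}
        for key in self.bounds.keys() - command.keys():
            problems[key] = "missing parameter"
        for key in command.keys() - self.bounds.keys():
            problems[key] = "parameter never seen in recorded commands"
        for key, value in command.items():
            if key not in self.bounds:
                continue
            lo, hi = self.bounds[key]
            if not lo <= value <= hi:
                problems[key] = f"value {value} outside learned range [{lo:g}, {hi:g}]"
        return problems

    def allow(self, command):
        """True when the command may be sent on to the scanner."""
        return not self.evaluate(command)


# Constructed outgoing commands: one routine, one with tampered dose and table values.
ROUTINE = {"kv": 120, "mas": 240, "table_step_mm": 7.5, "rotation_s": 0.5}
TAMPERED = {"kv": 160, "mas": 2000, "table_step_mm": 60.0, "rotation_s": 0.5}

if __name__ == "__main__":
    gate = CommandGate(BASELINE)
    print("routine allowed:", gate.allow(ROUTINE))
    for key, reason in gate.evaluate(TAMPERED).items():
        print(f"tampered blocked on {key}: {reason}")
```

A production gate would also carry fixed physical limits from the device specification, which this example does not include.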
Many software packages are available to help enhance cybersecurity. Studies show, however, that using multifactor authentication has a significant effect on the number of compromised accounts in an institution or organization. Multifactor authentication can guard against individuals using stolen login credentials to access a network. It essentially is a request for 2 or more forms of identification. For example, the user enters a user name and password, and a random code is then sent to the person’s smartphone, which he or she must enter to finish the login. Peterson recounted Emory Health Center’s experience with instituting
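The 2-step login the multifactor paragraph describes, as an added example that is not Emory’s implementation or any vendor’s product: the password is checked first, then a random 6-digit code is delivered out of band and must be entered to finish. Delivery of the code (SMS, push) is abstracted as a `send_code(user, code)` callback the caller supplies, and the user store is an in-memory dict with a constructed entry. The example goes slightly beyond the text in showing the three controls that make the second step useful in practice: the code expires, works exactly once, and tolerates only a limited number of wrong guesses.

```python
"""Two-step login: password, then a one-time code sent to the user's phone.

Added illustration of the flow described in the article; not Emory's
implementation or any vendor's product. Code delivery is a callback the
caller supplies; the user store is a constructed in-memory dict.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

PBKDF2_ROUNDS = 200_000
CODE_TTL_SECONDS = 300      # a delivered code is valid for five minutes
MAX_CODE_ATTEMPTS = 5       # then the pending challenge is discarded


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """salt || PBKDF2-HMAC-SHA256(password); this is stored, not the password."""
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Used for unknown user names so the response time does not reveal which exist.
DUMMY_HASH = hash_password("dummy")


class TwoStepLogin:
    def __init__(self, users: Dict[str, bytes],
                 send_code: Callable[[str, str], None],
                 now: Callable[[], float] = time.time):
        self._users = users           # user name -> hash_password() output
        self._send = send_code        # delivers the code out of band (SMS, push, ...)
        self._now = now               # injectable clock, so expiry can be tested
        # user -> (sha256 of the code, expiry timestamp, attempts left)
        self._pending: Dict[str, Tuple[str, float, int]] = {}

    @staticmethod
    def _code_hash(user: str, code: str) -> str:
        # Only a hash of the code is kept server-side, so a leaked table of
        # pending challenges does not reveal live codes.
        return hashlib.sha256(f"{user}:{code}".encode()).hexdigest()

    def begin(self, user: str, password: str) -> bool:
        """Step 1: check the password; on success issue and deliver a code."""
        stored = self._users.get(user)
        if stored is None:
            check_password(password, DUMMY_HASH)   # same cost as a real check
            return False
        if not check_password(password, stored):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = (self._code_hash(user, code),
                               self._now() + CODE_TTL_SECONDS, MAX_CODE_ATTEMPTS)
        self._send(user, code)
        return True

    def finish(self, user: str, submitted: str) -> bool:
        """Step 2: the code from the phone completes the login (single use)."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[user]          # expired or exhausted: start over
            return False
        if hmac.compare_digest(code_hash, self._code_hash(user, submitted)):
            del self._pending[user]          # a code works exactly once
            return True
        self._pending[user] = (code_hash, expires_at, attempts_left - 1)
        return False


# Constructed user store; the plaintext appears here only to build the demo hash.
USERS = {"rt.jones": hash_password("correct horse battery staple")}

if __name__ == "__main__":
    login = TwoStepLogin(USERS, lambda u, c: print(f"[sms to {u}] your code is {c}"))
    if login.begin("rt.jones", "correct horse battery staple"):
        print("password accepted; enter the code from your phone to finish")
```

A stolen password alone gets an attacker only as far as `begin`; without the phone that receives the code, `finish` never succeeds, which is the point the article makes about multifactor authentication and stolen credentials.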
Information sharing is important in maintaining a secure environment as recognized in the U.S. Cybersecurity Information Sharing Act enacted in 2015.19 The act encourages the formation of Information Sharing and Analysis Organizations across industries. Knowing about existing vulnerabilities and sharing solutions and work-arounds for the seemingly insurmountable security maintenance issues of old systems, for example, enables the health care community to remain safer and plan for disaster better. But information sharing and discussions of known vulnerabilities traditionally have been taboo in health care because of fears of admitting liability and protection of intellectual property rights.19 White hat hackers often are rebuffed in their efforts to notify manufacturers of a newly discovered vulnerability. This sometimes results in a premature release of information to the public, as the hackers get frustrated waiting to talk to manufacturers. Sometimes, white hat hackers might feel their newly discovered vulnerability is sufficiently threatening and they cannot wait any longer to warn the public. Premature releases of such information often cause alarm and further erode the public’s trust in the health care industry. A thorough plan of collaboration between researchers and manufacturers, which includes response and publicity scenarios when a new vulnerability is discovered, should be the norm. In late 2017, only a handful of manufacturers had such collaborations and plans in place.19
The issue of maintaining inventory that is meaningful for cybersecurity protection is difficult in a large health delivery organization. Many devices are old and inventory rarely is accurate, as the number of devices keeps increasing. On average, there are 13 devices per hospital bed in the United States. To be meaningful, inventory records need to include the device make and model, the software it runs on (with a complete version number), the operating system the software runs on, whether it is a wired or wireless device (and if wireless, what wireless protocol it uses), IT parts in the device, the device’s internet protocol, or IP, address, and firmware version number.6
Responding rapidly to an alert of new malware often is impossible. Virta Labs is a company that creates
The testing philosophy regarding medical devices also should change. The FDA calls for testing intended use and unintended misuse when evaluating a device’s performance and risk of causing harm to patients. However, with more than 360 000 new malware samples discovered each day, these 2 testing categories are no longer sufficient.19
Furthermore, manufacturers should look closely at device components not made by the manufacturer itself. Understanding the security features of those components and their possible vulnerabilities should be part of the design stage for any medical device and should be transparent.
Likewise, software developers that rely on open-source libraries to construct parts of their own code should examine that code and understand the potential vulnerabilities. Typically, software developers do not write the entire code for the software themselves. They rely on premade open-source libraries to get code for common tasks and procedures. But in using someone else’s code, they might unknowingly be introducing vulnerabilities. Developers are not expected to reinvent the wheel by writing code that is freely available, but it is not unreasonable to ask them to examine the pieces they use.
Manufacturers, health delivery organization procurement managers, IT specialists, and health technology managers should work together to ensure the devices meet cybersecurity expectations and requirements. The Manufacturer Disclosure Statement for Medical Device Security, a form that lists the device’s security features, might be insufficient for assessing whether the device meets the minimum requirements for the organization.19 Professor J Anthony Seibert, associate chair of informatics for the University of California, Davis, recommends that imaging devices undergo acceptance testing to evaluate potential vulnerabilities.15 Such testing should look for problems that include15:
• hard-coded default user names and passwords
• how maintenance of antimalware is handled and by whom
• whether the device accepts remote access requests as well as how secure the process is for gaining remote access
• Avoid knee-jerk reactions to phishing emails. These emails work because they often use significant threats (“We’ve blocked access to your bank account” or “you’re facing arrest for tax debts”). A valid business or government entity will call or send a letter, not an email with threats. When in doubt, call the organization and find out whether there is an actual problem.
• Do not give passwords over the phone, even to someone claiming to be an IT employee. IT personnel will not ask for passwords. They will ask the user to enter it on his or her workstation, if a true need to troubleshoot a problem exists.
• Avoid using known information as part of a password. This includes names of family members, birthdates, or street addresses.
• If portable media devices (such as a USB drive or an external hard drive) are carried between home and work, ensure home devices have virus protection that updates automatically. Always install operating system updates at home as soon as they become available; they frequently contain patches for newly discovered vulnerabilities.
Conclusion
The health care profession lags behind other professions in its response to today’s swiftly changing cybercrime landscape. As a consequence, it is vulnerable at a time when it increasingly is becoming a target because of the high value of patient records on the dark web. Furthermore, the evolution of health care itself increases its reliance on connected devices. Telemedicine and virtual care are no longer the realm of science fiction stories, but a reality that is becoming quite prevalent. In addition, breaches in network security across an organization result in significant financial losses and negatively affect the quality of patient care.
A culture shift in medical device manufacturers and health delivery organizations is required to better deter and prevent cyberattacks on medical devices. Manufacturers must consider cybersecurity from the beginning of device design and production. More collaboration between manufacturers and various health delivery organization stakeholders is needed
software hospitals can use to manage cybersecurity on their networks.9 Its software package, BlueFlow, helps hospitals inventory and pinpoint at-risk devices almost instantly. BlueFlow allows a rapid response by performing a complete network assessment of the hospital’s inventory.9
Cybersecurity training should be mandatory for all employees of a health delivery organization, regardless of their role in the organization.2,15 A group administrator is just as likely to click on a link in a phishing email disguised as a vendor invoice as a radiologist is to bring in an infected USB drive intending to review images on the device.
Keeping the Workplace Cybersafe
Radiology professionals are not likely to be in a position to influence procurement or IT policies. However, individual employees can increase the overall security of their organization and enhance the safety of their patients by adhering to the following:
• Do not use a workplace password anywhere else. Most people tend to reuse passwords on multiple sites. The more a password is reused, the larger the chance someone will find it and access the sites, pretending to be the user.
• Do not write down a password at work. If there are passwords taped to devices in the workplace, consider being an advocate for change.
• Do not share passwords with coworkers, even for the sake of speed and efficiency. A shared password is no longer secure. Even if it is changed as soon as duties are completed, a malicious attack might already have started.
• Never click on links or open attachments in suspicious emails. If an email from a coworker contains an attachment with a vague explanation, ask the sender if they sent it. If the sender is outside your organization (eg, a vendor, bank, or government agency) or otherwise unreachable, forward the email to your IT department. Most IT departments have a special email address for suspicious emails. The ransomware used in the Hollywood Presbyterian attack spread in other attacks through Microsoft Word attachments, usually disguised as invoices.
-device-cyber-security. Published August 16, 2017. Accessed February 3, 2019.
22. National Audit Office. Investigation: WannaCry cyber attack and the NHS. https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS-Summary.pdf. Published April 25, 2018. Accessed February 3, 2019.
23. Medema J, Horn R, Tarbox L. Security. DICOM website. https://www.dicomstandard.org/using/security/. Accessed January 2, 2019.
24. Stites M, Pianykh OS. How secure is your radiology department? Mapping digital radiology adoption and security worldwide. AJR Am J Roentgenol. 2016;206(4):797-804. doi:10.2214/AJR.15.15283.
25. Beek C. McAfee researchers find poor security exposes medical data to cybercriminals. McAfee website. https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-researchers-find-poor-security-exposes-medical-data-to-cybercriminals/. Published March 11, 2018. Accessed February 3, 2019.
26. Zaw NT, Soh K. DICOM: a ticking cybersecurity time bomb in the healthcare industry. Healthcare Innovation website. https://www.enterpriseinnovation.net/article/dicom-unknown-vulnerability-cyberattacks-healthcare-industry-1675831549. Published December 8, 2017. Accessed February 3, 2019.
27. Zetter K. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. New York, NY: Crown Publishing; 2014.
28. Yuan S, Fernando A, Klonoff DC. Standards for medical device cybersecurity in 2018. J Diabetes Sci Technol. 2018;12(4):743-746. doi:10.1177/1932296818763634.
29. U.S. Food and Drug Administration. Postmarket management of cybersecurity in medical devices. Fed Regist. 2018;81(249):95617-95618.
30. Medical equipment hacking and defensive solutions presentation by Ben-Gurion U. researcher. EurekAlert! website. https://www.eurekalert.org/pub_releases/2018-11/aabu-meh112618.php. Published November 27, 2018. Accessed February 3, 2019.
/indicator/english_1a72e7d1-en. doi:10.1787/1a72e7d1-en. Accessed May 10, 2019.
11. Computed tomography (CT) scanners. OECD iLibrary website. https://www.oecd-ilibrary.org/social-issues-migration-health/computed-tomography-ct-scanners/indicator/english_bedece12-en. doi:10.1787/685c9c5e-en. Accessed May 10, 2019.
12. Mammography machines. OECD iLibrary website. https://www.oecd-ilibrary.org/social-issues-migration-health/mammography-machines/indicator/english_685c9c5e-en. doi:10.1787/685c9c5e-en. Accessed May 10, 2019.
13. Patterson N. 29 cybersecurity buzzwords you need to know. Business Insider website. https://www.businessinsider.com/29-cybersecurity-buzzwords-you-need-to-know-2017-6. Published May 31, 2017. Accessed February 3, 2019.
14. Hegde V. Cybersecurity for medical devices. Paper presented at: 64th Annual Reliability & Maintainability Symposium (RAMS); January 22-25, 2019; Reno, NV.
15. Zagoudis J. Cybersecurity threats in medical imaging. Imaging Technology News website. https://www.itnonline.com/article/cybersecurity-threats-medical-imaging. Published January 31, 2018. Accessed February 3, 2019.
16. Raper V. Cyber security threats represent serious challenge to radiology’s future. ECR Today 2018 - European Congress of Radiology: Daily News From Europe’s Leading Imaging Meeting. https://www.myesr.org/sites/default/files/ECR%20Today%202018_Saturday_March%203.pdf. Published March 3, 2018. Accessed February 3, 2019.
17. Humer C, Finkle J. Your medical record is worth more to hackers than your credit card. Reuters website. https://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924. Published September 24, 2014. Accessed February 3, 2019.
18. Sengupta K. Isis-linked hackers attack NHS websites to show gruesome Syrian civil war images. The Independent website. https://www.independent.co.uk/news/uk/crime/isis-islamist-hackers-nhs-websites-cyber-attack-syrian-civil-war-images-islamic-state-a7567236.html. Published February 7, 2017. Accessed February 3, 2019.
19. Schwartz S, Ross A, Carmody S, et al. The evolving state of medical device cybersecurity. Biomed Instrum Technol. 2018;52(2):103-111. doi:10.2345/0899-8205-52.2.103.
20. Peterson DC, Adams A, Sanders S, Sanford B. Assessing and addressing threats and risks to cybersecurity. Front Health Serv Manage. 2018;35(1):23-29. doi:10.1097/HAP.0000000000000040.
21. Fornell D. Raising the bar for medical device cyber security. Diagnostic and Interventional Cardiology website. https://www.dicardiology.com/article/raising-bar-medical
Directed Reading Quiz
Read the preceding Directed Reading and choose the answer that is most correct based on the article.
1. As computerized devices in medical facilities become increasingly networked within their own walls and with external facilities, the risk of ______ also increases.
a. destructive attacks
b. cyberattacks
c. corporate attacks
d. terrorist attacks
2. A ______ is a computer expert who finds and takes advantage of software vulnerabilities.
a. hacker
b. vendor
c. developer
d. spy
3. ______ is software designed to interfere with the computer’s normal function.
a. Encryption
b. Exploit
c. Spyware
d. Malware
To earn continuing education credit:
Take this Directed Reading quiz online at asrt.org/drquiz. Enter the Quiz ID 19804-01 into the search bar.
Or, transfer your responses to the answer sheet following the quiz and mail it in for grading.
* Your answer sheet for this Directed Reading must be received in the ASRT office on or before this date.
Some quizzes are renewed and the expiration date extended. Check online at asrt.org/drquiz or call Member Services at 800-444-2778.
1.5 Category A credits
Expires August 31, 2022*
QUIZ ID: 19804-01
4. Which malware encrypts all files on a device, making them unreadable and inaccessible?
a. spyware
b. ransomware
c. worm
d. trojan
5. Which of the following is not a reason discussed in this article why malicious hackers target medical imaging devices?
a. political
b. as a point of entry to the hospital network
c. to harm patients
d. financial gain
6. A device that comes with a hardcoded password that cannot be changed is an example of what?
a. incorrect permissions
b. failure to protect servers
c. poor password hygiene
d. failure to protect data
11. Which of the following can employees do to increase the security of their organizations and enhance the safety of their patients?
a. click on links or open attachments in suspicious emails
b. not share passwords with coworkers, even for the sake of speed and efficiency
c. write down a password at work
d. reuse workplace passwords on multiple sites
12. Which information should be avoided when creating a password?
a. favorite color
b. favorite sports team
c. birthdates
d. high school mascot
7. What is it called when someone holds the host control computer hostage with ransomware, thereby making devices unavailable for critical tasks?
a. denial of service
b. image distortion or alteration
c. mechanical disruption
d. software faults
8. ______ provides guidelines on integrating cybersecurity risk management into the device’s development cycle.
a. UL 2900
b. DICOM
c. HL7
d. TIR57
9. According to Kevin McDonald, director of clinical information at the Mayo Clinic, a commitment to cybersecurity culture in today’s health delivery organization includes which of the following:
1. upgrading devices’ operating systems and restricting access
2. running supported operating systems
3. using only open-source or third-party software that can be upgraded
a. 1 and 2
b. 1 and 3
c. 2 and 3
d. 1, 2, and 3
10. Cybersecurity training should be mandatory for all employees of a health delivery organization, regardless of their role in the organization.
a. true
b. false
– A passing score is 75% or better.
– ASRT must receive this answer sheet before the quiz expires and before the end of the CE biennium for which you want credit.
– To see a list of the Directed Readings available to you, visit asrt.org/drquiz.
– To evaluate this Directed Reading, visit asrt.org/dreval.
– Take the quiz online at asrt.org/drquiz for immediate results and your CE certificate.
– Or, mail the original answer sheet to Processing Center 2908 Stewart Creek Blvd., Charlotte, NC 28216.