The importance of cybersecurity for healthcare was brought sharply into focus again last week when the Irish healthcare system was crippled by a ransomware attack.
At the time of writing on 24 May, the fallout from the attack continued to disrupt services, with most radiology services canceling all but emergency imaging and reading being restricted to modality scanner screens only.
The latest media reports suggest that PACS and RIS, part of the National Integrated Medical Imaging System (NIMIS) network, are being brought back online site-by-site this week. However, the potential for sensitive healthcare data to be released by hackers in the coming weeks and the broader fallout for the Irish health systems in terms of care disruption are expected to be severe.
According to an update issued on 23 May by the Health Service Executive (HSE) in Ireland, "a structured and controlled deployment of the new decryption tool continues to take place across the core network and its endpoint devices. This work started on Saturday 22/5/21 and will continue this week. The new version of the decryption tool was developed on 22/5/2021 and was tested before being deployed."
"Progress continues to be made in some hospitals on restoring IT systems and some sites (at a local site level only) now have access to radiology, laboratories and their patient administration systems. But this is uneven across the country and levels of disruption this week are expected to be similar to those of last week," the HSE stated.
Europe: prime target for ransomware
The Irish attack comes only four years after a large part of the U.K. National Health System (NHS) was shut down by the global WannaCry attack. As I wrote in a 2017 column for AuntMinnieEurope.com, it would appear cybersecurity is a challenge many healthcare providers continue to fall short in addressing.
Healthcare providers and radiology leaders should be under no illusion as to the intensification and impact of the silent cybersecurity threat; the evidence speaks for itself.
Cyberattacks on healthcare groups in Central Europe increased 145% in 2020, with Europe overall increasing 67%, and notable increases occurred in Spain and Germany, according to analysis by Infosecurity. Three hospitals in France were hit by a ransomware attack in February 2021.
Brno University Hospital in the Czech Republic was hit by an attack in March 2020. The Fresenius Private Hospital chain, one of the largest in Europe, was impacted in May 2020.
Reports from the U.K. NHS following the 2017 attack show that cybersecurity challenges remain. Training is patchy, certified cybersecurity specialists are in short supply, and many NHS trusts fall short of agreed cybersecurity standards (see the 2018 Redscan report).
While many in radiology may suggest that cybersecurity is an issue for cross-departmental enterprise decision-makers, radiology has long been a trailblazer in terms of healthcare digitalization. Moreover, as a critical front-line service in care provision, radiology stakeholders have a responsibility for driving more focus on cybersecurity.
Most PACS/RIS contracts today demand 99.999% uptime as a core responsibility from imaging IT software vendors -- however, little scrutiny comes from the procurement organization to ensure its own cybersecurity efforts can deliver no downtime due to cyberattack. Surely demanding and scrutinizing PACS/RIS vendors to ensure near-constant 24-hour running is counterintuitive when most organizations have a weak grasp of the threat from cyberattacks and the days or weeks of disruption that can ensue?
As has been well-documented in my past articles, radiology is undergoing a gradual digital evolution. Focus on imaging interoperability and multidisciplinary care, combined with more advanced imaging and new technology integration, is driving gradual system consolidation. In many cases, this is part of an "enterprise imaging" strategy to centralize the management and access of all imaging across healthcare provider networks. Radiology is commonly a central stakeholder in such a process.
Consolidation has some benefits in the view of cybersecurity, in that there are fewer "siloed" IT applications outside of the main platform. Most deployments require wholesale integration or retirement of legacy applications, allowing healthcare provider or vendor IT specialists to centrally manage all applications. In theory, this should allow a healthcare provider to limit its risk to cyberattack, as all applications can be updated and monitored centrally.
However, few healthcare providers, if any, have "completed" an enterprise imaging initiative today; in fact, many have not even started on the potentially decade-long process.
Across Europe, radiology is commonly a siloed department from cardiology, emergency medicine, surgery, and other imaging consumers. Many are also poorly integrated with centralized patient record systems. Many imaging IT contracts are still "standalone" in nature (e.g., not part of a consolidated, integrated deployment). Given that most large hospitals will have tens, hundreds, or even thousands of discrete software applications in use across imaging stakeholders, this creates a substantial headache for IT to manage and upgrade centrally, opening up potential backdoors for cyberattacks.
Other markets have been further ahead in consolidating imaging into larger regional or national networks; Austria, Denmark, Italy, the Netherlands, Scotland, Spain, and Wales are all advanced or part way through the "enterprise imaging" journey.
Yet in the case of Ireland, the national scale of consolidation has itself created challenges in responding to attack. As the central HSE data center was attacked, all major systems connected to the HSE, including the NIMIS imaging IT network, were immediately shut down as a precaution. Thus, while the attack may well not have originated in or affected NIMIS at all, the disruption still ripples through the broader associated networks, creating a national crisis in this case. For healthcare providers, the benefit of pushing aggressive consolidation to centrally manage security is therefore pitched against the greater reach and impact of a single attack.
The 3 Cs: Cost, complexity, cloud
Lowering the risk of cyberattacks is also not an easy fix. The basics still apply: retirement and isolation of legacy applications, Bring Your Own Device (BYOD) policies, increased staff training, etc. Yet all initiatives require substantial funding -- a commodity that is scarce as health systems reel from the economic and organizational impact of COVID-19.
Worse still, IT applications and tools implemented as part of COVID-19 response may have not been scrutinized to the same degree as in normal times, such was the rapid response required, leaving many health systems vulnerable.
The growing availability and adoption of imaging IT software that is hosted in the cloud could provide some tonic. While not a "golden arrow" to fixing the issue of cybersecurity risk, adoption of cloud technology can support central management of IT in radiology and broader imaging.
Reducing, or removing, "onsite" hardware and consolidating centrally makes updating security less arduous for administrators, while also providing the potential to build in redundancies for service continuation during attacks. Multi-tenancy cloud solutions can also provide web access to patient records, even during an attack. Software applications and data can be hosted across multiple data centers, allowing providers to isolate the "attacked" data center while allowing users remote access to other "copies" of the same data, reducing the impact on front-line services.
Healthcare providers and radiology should also consider public cloud options (hosting data and applications on shared, public, data centers owned by technology vendors).
While some national or regional regulators today restrict partnership with leading public cloud technology vendors such as Microsoft, Google, Amazon, and IBM, those that permit such partnerships can benefit from the billions of Euros of investment each makes annually in cybersecurity protection -- far more than any individual or even larger regional healthcare network could provide alone. This creates a further quandary for regulators concerned around data privacy: partner with leading public cloud vendors and deal with data privacy concerns around secondary use of data, or keep architecture "in house" or on-premise and accept a potentially greater risk of attack, data breach, and mass release of sensitive data.
No easy fix, no choice but to fix
Consolidation of imaging IT and adoption of cloud technology does not come quickly or cheaply; cloud adoption can often require similar or even higher up-front costs in comparison to on-premise deployment, with the cost offset against economic gains over the lifetime of the contract. Moreover, with increasing scale, procurement cycles and contracts for consolidating imaging IT are now complex and lengthy to roll out. This will further slow the rate at which healthcare providers can move their core systems to a framework or strategy that will be better protected against threats.
With a growing threat and near-constant reminders of healthcare systems falling foul of cyberattacks, it is perhaps time that healthcare providers and radiology take a more radical approach to cybersecurity. Whether this is through a combination of additional investment, system consolidation, or public cloud partnership, action is clearly required. For radiology, this may sometimes mean difficult choices -- dropping some "best of breed" software demands, specialist features, or legacy applications in favor of broader system management and centralized security, or proactive adherence to and support of cybersecurity initiatives and training.
The Irish attack and many recent examples show that healthcare providers can no longer bury their heads in the sand when it comes to cybersecurity. As the most targeted sector globally, healthcare is front and center of the cyberwar raging in the shadows -- a war that is impacting and disrupting the provision of care all too often today. For radiology, healthcare, and all its stakeholders, this targets the very core of its being, function, and purpose.
Steve Holloway is principal analyst and company director at Signify Research, a health tech, market-intelligence firm based in Cranfield, U.K. Competing interests: None declared.
The comments and observations expressed herein do not necessarily reflect the opinions of AuntMinnieEurope.com, nor should they be construed as an endorsement or admonishment of any particular vendor, analyst, industry consultant, or consulting group.