Radiology AI projects are complex and not risk-free, especially in terms of cybersecurity threats, Irish and U.S. experts have emphasized. To simplify the process, they have outlined how to improve security through better detection and preventative techniques.
"While the potential for AI to revolutionize the practice of radiology is clear, it is important to realize the potential impact of increased connectively and adoption of technology on the confidentiality, integrity, and availability of healthcare data," Dr. Brendan Kelly, specialist registrar in radiology and honorary clinical lecturer at St Vincent's University Hospital, Dublin, and colleagues noted in an article published by European Radiology on 7 July.
The authors' aim is to provide an introduction to radiology cybersecurity and give background to both general and healthcare-specific cybersecurity challenges. "Healthcare providers and device manufacturers have the advantage of being able to take inspiration from other industry sectors who are leading the way in the field," they state.
Lessons of Irish cyberattack
The 2021 cyberattack on the Irish Health Service Executive (HSE) was a landmark case, not just in healthcare but globally within cybercrime, according to Kelly's joint first author Conor Quinn, lead incident response consultant at Rapid7 in Dublin and research fellow in cybersecurity at Boston College, Massachusetts, U.S.
"There had not been an incident where a country's health service provider was taken offline," he told AuntMinnieEurope.com. "The international attention put the threat actor under pressure, as within some cybercrime groups, healthcare organizations are off-limits. The threat actor (ransomware operator/affiliate – Conti) provided the decryption key for ransomed data/systems, which accelerated recovery, but it did not solve all the issues. It took months to fully understand the scale and to return to normal operations."
If cybersecurity is not taken seriously, patient outcomes can be affected, Quinn continued. "Every hospital should have a robust cybersecurity program to ensure protections are put in place and monitored. It is not just the responsibility of IT people; doctors and staff within the healthcare industry should be cyber-aware to ensure they are making the right decisions."
Due to the HSE cyberattack, Kelly had no access to his research data for over 16 weeks. "I wanted to use this time productively, and through my Fulbright network, had access to Conor and his academic supervisor Jim Burrell," he noted. "I understood involving radiology and AI increased the potential 'attack surface' for future attacks, and wanted to do all I could to ensure the security of my own data."
During this period, Kelly discovered many processes that he thought could benefit the wider community and decided to share them in a journal article.
Different types of agreements
When European hospitals implement AI, they typically enter into various contracts and agreements to ensure compliance with legal and ethical standards, Prof. Erik Ranschaert, PhD, past president of the European Society of Medical Imaging Informatics (EuSoMII), told AuntMinnieEurope.com. He said that the specific contracts and agreements may vary depending on the jurisdiction and the nature of the AI, but here are some common types:
- Service Level Agreements (SLAs): SLAs outline the performance metrics, responsibilities, and expectations between the hospital and the AI provider. They specify factors such as system uptime, response times, and service quality.
- Data Processing Agreements (DPAs): DPAs are crucial when AI involves the processing of personal data. They define the roles and responsibilities of the hospital as the data controller and the AI provider as the data processor. DPAs ensure compliance with the General Data Protection Regulation (GDPR) and govern data protection, security, and privacy obligations.
- Software License Agreements: These agreements outline the terms and conditions for the use of AI software. They define the scope of the license, intellectual property rights, limitations of use, and any restrictions or obligations related to modifying or distributing the software.
- Confidentiality and Non-Disclosure Agreements (NDAs): NDAs protect sensitive information exchanged between the hospital and the AI provider. They prevent the unauthorized disclosure or use of confidential data, proprietary algorithms, trade secrets, or any other confidential information.
- Research Collaboration Agreements (RCAs): In cases where hospitals work with research institutions or universities, RCAs establish the terms.
- Data Protection Impact Assessment (DPIAs): The DPIA makes an inventory of the potential risks in handling patient data (see European Commission website). This is not the same as the DPA.
To comply with GDPR, a data protection officer (DPO) needs to be appointed in every hospital to manage all issues related to data security and data transferring. Another consideration is the value of pseudonymization versus anonymization in data-deidentification (see 8 May 2023 article by IP, IT, and Data Protection Lawyer Magali Feys on LinkedIn).
"There's also a lot to say about the type of vendor that can be contracted," noted Ranschaert, who is a visiting professor at the University of Ghent, Belgium. "The safest method to work with is to use a single platform offering different solutions, so that five or 10 different contracts and procedures can be avoided when five or more AI solutions have to be implemented."
Overall, a well-orchestrated approach to security management and policy is crucial before implementing any AI-based solutions, he said.
Looking to the future, Kelly believes an important area is federated learning, which enables development of models trained locally in hospitals, instead of collecting the data from different institutions and storing the data centrally. This means sensitive data can remain with its data controller, avoiding the associated legal and security complications of transmitting data between institutions, he explained.
Kelly, who is an ICAT HRB/Wellcome Trust academic fellow and PhD candidate at the Insight Centre for Data Analytics at University College Dublin, is now contributing to a federated cybersecurity project with colleagues at Stanford University in California. "So, watch this space!" he commented.
As well as the federated learning project, he is working to prospectively include these considerations in his research. Security was identified as a key concern of patients in another recent article, and he said he is placing it "front and center going forward."
The 7 July European Radiology article by Kelly, Quinn, and colleagues is available open access. Funding for the work came from the Fulbright-Ireland-USA HealthImpact and TechImpact.