The First 3 Steps to Take When Your Medical Imaging Data is Breached


Data breaches affect medical imaging filesData breaches are becoming a far-too-common occurrence in the healthcare world, causing significant financial and legal headaches for providers. A recent Accenture study noted healthcare cyberattacks will cost $305 billion in lifetime revenue, and more than 25 million patients will have their data stolen from provider records by 2019.

Breaches are a persistent thorn in the sides of healthcare executives, but they should also encourage providers to frequently assess their medical imaging data contingency plans.

“Proper security planning before a breach will allow you to take comprehensive action without panicking and missing steps along the way,” said Ken Ho, Professional Services Engagement Manager for McKesson. “There are many things one should do after a data breach has been discovered, and many of the steps are done in parallel.”

Ho outlined the first three steps providers should take when evidence of a breach surfaces.

These steps include:

  1. Identify compromised medical imaging data and the root cause
  2. Implement a plan for containment of the attack, allowing preservation of assets
  3. Develop or update your data recovery plan with important new findings

Here is a further analysis of these steps, and how you can put them into action if a data breach occurs within your healthcare system:

1. Identify compromised medical imaging data and the root cause

The initial shock of a confirmed data breach should be countered with immediate action to identify compromised data. It is crucial to quickly determine what information was breached, and how the attack occurred.

Technical issues are the root cause of many disaster recovery plans, but as Assero Security’s Matt Malone notes, there is more involved than simple system analysis.

“When a breach occurs there is much more at stake than just getting the system stored,” said Malone. “There may be legal liabilities, damage to the brand and reporting requirements, just to name a few. How the incident is handled can mean the difference between minimal damage and devastation.”

An attack might allow a leak in confidential patient information, like personal identification indicators, imaging files and medication needs.

“Understand what has been leaked and how the attack took place,” said Engin Kirda, Professor of Computer Science at Northeastern University. “In order to do this, you must be able to actually detect the attack and resulting data breach. Otherwise it can be very difficult to determine what has leaked how, making it even more difficult to know what to do next.”

2. Implement data breach containment

Once breached healthcare data has been identified, the next step is to contain the attack, preserving the current state and protecting the chain of custody. Data breach containment is a tedious process, but slow responses can result in greater amounts of compromised medical imaging information.

“Once you know what was leaked and how the attack took place, you can start to take measures to limit further damage, notify affected third parties if applicable and prevent it from happening again,” said Kirda.

Breach containment has both physical and interpersonal elements. While the affected physical servers can be disconnected after a forensic analysis, the administrative teams should also change their credentials to prevent further access.

“Once you’re on a system that was not compromised, log in and change all the passwords of all your accounts, starting with the most important,” said cybersecurity engineer Edsard Ravelli. “Remember, hackers typically leave a Trojan horse behind. This means that if you change any passwords on a compromised system, they can tell right away.”

3. Develop a post-breach data recovery plan with new findings

Once the breach is contained, add any new findings to your data recovery plan that could curb the frequency or severity of future attacks. Make sure you know what the risks are with future breaches by conducting a business impact assessment after the attack is fully contained.

“A proper business impact assessment is required to find out what the parameters are for RPO (Recovery Point Objective) and RTO (Recovery Time Objective), as well as the financial impact to breaches and outages,” said Ho.

You can soften the blow of a data breach, and relieve some pressure from your security teams, with data resiliency plans. With solutions like a vendor neutral archive, you can fortify your data security before any breaches occur, and contain damages faster post-breach.

To learn more about effectively managing your medical imaging data and radiology department, subscribe to the Medical Imaging Talk Blog or learn more about McKesson’s diagnostic imaging consulting services.

Leave a Reply