Editor’s Note: The following article was published in the Technical Exhibits Focus supplement to the RSNA Daily Bulletin and is reprinted here with permission.
The role of the radiologist in a patient-centered practice sounds simple: Get the right data to the right person at the right time to assure the patient gets the right treatment.
If only it were that easy.
Technology provides opportunities for interoperability that would have been unimaginable even a few years ago. However, increased interoperability can bring with it increased risks. Although more information can be shared over wider networks than ever before, those “cyber” affiliations carry with them cyber threats.
Research by the Ponemon Institute indicates one out of four organizations will suffer a data breach in the next 24 months, with an average containment cost of $4 million – and health care is not immune to these breaches.
Evgueni Loukipoudis, CTO and CIO at McKesson Imaging and Workflow Solutions, points out that last year, for the first time, a hacker attacked an infusion pump and gained the ability to modify medications.
“More and more, healthcare systems are becoming the target of cybersecurity attacks,” said Loukipoudis.
But when organizations place a priority on protection from cyber threats, they sometimes force compromises that make health care professionals uncomfortable.
Access to information is vital. Yet today, that information flows over potentially vulnerable internet and intranet channels. Creating a fortress attitude around this information flow could prevent it from reaching its destination in a timely manner.
“There is a very fine balance in dealing with these two components at the same time,” Loukipoudis said.
While there is a need to assure that individuals have the appropriate authority to access information, the rigors of such a system can prove detrimental to patients.
“If you don’t have authorized access to data, but you need that data because it is a matter of life or death for the patient, you need break-the-glass functionality,” added Loukipoudis.
Practical challenges must be considered when trying to resolve this dilemma – and one of the most serious is cost.
As an example, most health care institutions today use IT infrastructures that were built and expanded over time, often with off-the-shelf platforms and components.
“Those components are often the target of the attack,” Loukipoudis said. “They are readily available and used by the thousands.”
Unfortunately, many healthcare institutions cannot afford either the money or the time to update those components with the most recent patches that resolve newly discovered vulnerabilities.
Ironically, he pointed out, hosted public clouds have proven to be safer than private clouds when it comes to storing and sharing information. The number of serious incidents on public clouds is relatively small compared to the number on privately managed infrastructure.
Loukipoudis said that is because public cloud infrastructure has factored in the recurring investments required for cybersecurity-related updates while those who maintain their own have not.
“That could lead to a shift toward adopting public infrastructure,” he said, “because the safety is, by fact, guaranteed.”
Resolving these challenges is the reason for McKesson’s focus on broader risk management frameworks, both pre- and post-market, that prevent the alteration of data or the context in which it is presented.
“We want to assure that data is presented correctly to that final physician who needs it to make a decision,” Loukipoudis said.
Those new frameworks include the development of threat models, the ability to execute “ghost scans,” and systems that incorporate incident reports, alerts and even recalls.
“Access to data is the thin ice that we all must walk on,” Loukipoudis said.