Five months on from the crippling impact of the WannaCry cyberattack that affected one-fifth of U.K. hospitals and many other health providers across Europe, let's revisit the crucial topic of cybersecurity. Where do we stand today? What should be done to limit risk? And what does it mean for European radiology?
As the dust settled after the WannaCry attack, a few clear lessons were evident. Firstly, the root of the crisis was related to the lack of a security "patch" being administered at affected sites -- ultimately an error many IT administrators had overlooked. Legacy applications and hardware running on dated or now unsupported operating software were most commonly fallible, either not having had their security updated or had not been adequately separated from the wider network.
Secondly, and more concerning, was the speed and ability of the attack to spread. Once a system had initially been infected, the ransomware "worm" was able to quickly identify and target connected systems with the same fallibility, facilitating the rapid spread. Both of these aspects raise serious questions for health providers and radiology provision in Europe.
Europe has an aging installed base of imaging hardware, as highlighted in the latest report by the European Coordination Committee of the Radiological, Electromedical and Healthcare Industry (COCIR) on the age profile and density of medical imaging equipment. Many of these older systems still run on embedded operating systems such as Microsoft Windows XP or Microsoft Server 2003, which are no longer supported by Microsoft and are easy targets for future cyberattacks.
Smaller providers, who have limited resources and staff for security, remain the most at risk. Moreover, as radiology IT and imaging hardware becomes increasingly interconnected, the potential scale and impact of future cyberattacks could be even greater than those observed with WannaCry.
Regulation lags behind
A further cause for concern is evident in Europe's current regulation of medical devices. Today's regulation does not specifically stipulate cybersecurity standards at all, and there is no harmonized approach or requirement beyond general confidentiality and security of data. A new regulation -- the General Data Protection Regulation (GDPR) -- coming into force in Europe in 2018 focuses on patient confidentiality, while the new Medical Devices Regulation (MDR) -- set to be enforced in 2020 -- will go some way to address this. There is still little clarity, however, for health providers or vendors.
In contrast, the U.S. market, one of the most frequently targeted by cyberattacks, has been making more regulatory progress. Most notable of late was the U.S. Food and Drug Administration's (FDA) release of specific premarket and postmarket guidance for device and software vendors specifically in relation to cybersecurity. This is partly a reflection of the scale and frequency of cyberattacks in the U.S.; recent estimates suggest that data from 110 million patients were targeted in 2015. However, it's also abundantly clear that regulators in the U.S. are playing catch-up to this now-prominent threat.
So, what can be done?
It would be wrong to conclude that the current push toward more integrated, connected systems in radiology and wider healthcare should be halted in favor of a protectionist, batten-down-the-hatches approach. The benefits in quality, efficiency, cost of care, and health provider operation far outweigh the risk and impact of cyberattacks. However, there are some areas where vendors and providers should be focusing their efforts to limit exposure to future cyberattacks:
- Retire or isolate legacy applications and hardware: The gradual spread of IT across the hospital is a boon for more integrated care, but a headache for IT administration. With many providers operating a "delete nothing" approach for fear of compliance breaches or data loss, there are still a myriad of legacy departmental applications being left in "maintenance-only" mode. These legacy applications are expensive to keep running, but are kept in service even after adoption of an enterprise platform. To mitigate this risk, providers should look for archiving or migration specialists that can transfer these applications and data into a central repository with up-to-date, rigorous defenses against cyberattacks.
- A bring-your-own-device (BYOD) policy: Vendors and providers alike have made it far easier as of late for radiologists to access images and data directly on their personal smartphone and tablets. However, few have a rigorous framework in place to ensure these personal devices are secure to the same standards as the central network. Moreover, providers have also done little to limit or provide clear guidance on sharing of data and access between radiologists and other clinicians via social media platforms and personal devices (e.g., WhatsApp, SMS etc.)
- Transition to cloud IT: Adoption of hybrid and hosted software for radiology has remained weak in Europe to date, with many concerned over data ownership, security, latency, and cost. However, third-party cloud software often offers more rigorous and up-to-date security capabilities than a health provider or radiology department can provide -- especially smaller providers and users. The availability of third-party hybrid and hosted services from leading radiology IT vendors has also proliferated in the last few years.
- Learn from others: Other industries, notably finance, have also been working on cybersecurity, including widespread adoption of frameworks such as the U.S. National Institute of Standards and Technology (NIST)'s Cybersecurity Framework and running cyberattack emergency response "trial runs" to ensure preparedness. Innovation is also evident in healthcare, with vanguard approaches blossoming. Most notable in Europe is the approach of Estonia, where the e-health authority has partnered with blockchain specialist Guardtime to use a distributed ledger system based on blockchain technology to protect its one million patient records from future cyberattacks.
A big dose of reality
Above all, there must be greater awareness of the growing threat from cyberattacks in healthcare. New types of attack are also expected, increasing in power and complexity. Many cybersecurity experts are also predicting a greater targeting of core public services -- such as healthcare -- as a tactical means of causing severe disruption and potentially even loss of life. Radiology, as an early adopter of IT and digital hardware, has a responsibility to drastically improve its defenses against cyberattack. Further attacks like WannaCry are practically guaranteed. Is Europe ready for them? That question has yet to be answered.
Stephen Holloway is a principal analyst and the company director at Signify Research (www.signifyresearch.net), a health tech, market-intelligence firm based in Cranfield, U.K.
The comments and observations expressed herein do not necessarily reflect the opinions of AuntMinnieEurope.com, nor should they be construed as an endorsement or admonishment of any particular vendor, analyst, industry consultant, or consulting group.