Just when you thought you had a grip on every potential threat to your imaging business, a new one emerges. A June Wall Street Journal article highlights the latest issue being faced by hospitals, in particular: the infection of medical devices, including imaging equipment, by malware. These viruses can expose patient information to outside parties, violating HIPAA regulations; worse, they can compromise patient safety by making equipment malfunction.
The threat is real and growing; VA records document 327 instances of malware infecting medical devices at VA hospitals since 2009, and the FDA says that it is aware of hundreds of similar examples. The problem is compounded by the growing digitization of health care, and by the fact that medical equipment is built for many years of use, meaning that its software (and accompanying malware protections) rapidly becomes out of date.
The issue crosses vendor lines—the article specifically mentions problems with equipment from GE, Philips, Siemens, and Hologic—and is difficult for facilities to protect themselves against; in one case, equipment that was never otherwise connected to the Internet became infected when a vendor’s technician briefly connected it for an update. It’s even more disturbing that most of the health-care organizations contacted by the Wall Street Journal for the article either refused to discuss the issue or were unaware of it; vendors expressed similar reticence, citing concerns about increased development costs and regulatory oversight.¹
There are two messages for the imaging community here. The smaller of the two is to expect cybersecurity to become an increasingly hot topic in the months and years to come: that sensitive patient data might be exposed to outside servers is a dangerous and potentially expensive problem, and the possibility that equipment’s function could be compromised is even more disturbing. Were patient safety to be affected by a malware infection—and worse, if the problem went undetected for some time—the consequences could be dire enough to bring down an organization.
The bigger message, however, is that (as always) with greater freedom comes greater responsibility. The digitization of imaging has been an incredible leap forward that I’ve been privileged to witness over my seven years writing about this field, and it has unlocked an array of innovations that make the practice of radiology a freer proposition than ever before: free in terms of geographic location, of the exchange of information, and of integration with the imaging happening elsewhere in the enterprise.
As the article indicates, however, when it comes to cybersecurity, finger-pointing following a problem will fall on deaf ears. We’ve been here before: After the Cedars–Sinai CT radiation-dose scandal, blame for the problem was thrown every which way, but in the end, who screwed up didn’t matter. New legislation put the responsibility for cumulative dose tracking on the shoulders of health-care organizations. This time around, imaging businesses would be wise to take a proactive approach before a landmark crisis occurs. It’s what’s best for them—and what’s best for patients.
Cat Vasko is editor of ImagingBiz.com and associate editor of Radiology Business Journal.