Q&A: MITA’s Hornberger stresses communication, engagement for improved imaging cybersecurity

While healthcare learns how to improve its response to cybersecurity threats, the number and ferocity of incidents continue to increase. Health Imaging spoke with Zack Hornberger, recently tabbed as director of cybersecurity and imaging informatics for Medical Imaging & Technology Alliance (MITA), to discuss what medical imaging professionals can do to best prepare for handling cybersecurity breaches.

Health Imaging: Cybersecurity is obviously a top concern across healthcare. What unique challenge or challenges do medical imaging professionals face?

Zack Hornberger: It’s true that cybersecurity is a top concern across the healthcare industry. One of the unique challenges in medical imaging cybersecurity is that a multitude of security components converge in this environment. Devices need to be secure against threats and unintended use. External security must be in place to ensure secure information exchange, which should always use existing standards whenever possible. And, a whole community approach that includes staff security education and protocol is absolutely critical for imaging professionals.

Considering the interconnectedness of imaging informatics applications, how well is the workforce prepared to operate securely? Will widespread training programs be needed to educate users on the various medical devices?

Advancing cybersecurity measures within healthcare and public health requires a ‘whole of community’ approach, requiring manufacturers, installers, service staff and healthcare providers to accept shared ownership and responsibility. Products must be designed to be cybersecure; plans must be developed for avoiding and responding to cyberattacks; and users and operators must be trained to understand and follow risk-mitigation procedures.

What obligation do imaging professionals have to audit departments, systems, etc.? Are users aware of proper protocols to ensure a secure work environment?

Medical imaging device manufacturers’ field service representatives and training staff share a responsibility for security measures. They should be aware of their customers’ specific security requirements and abide by them. This includes obtaining prior permission from the appropriate customer IT security staff to insert flash drives or external computers into any component should that customer’s protocols require it.

Are there best practices in communicating with manufacturers to eliminate/minimize vulnerabilities?

MITA and its member companies take cybersecurity risks very seriously. Cybersecurity incidents have the potential to harm both patients and healthcare providers, disrupt patient care, reduce the reliability of the healthcare system and challenge the integrity of protected information.

We have been actively engaged on cybersecurity issues for a number of years and the MITA Board of Directors has established cybersecurity as a top industry priority. The MITA Cybersecurity Task Force is working to: establish a framework for information sharing about cybersecurity vulnerabilities and incidents, develop incentives that will promote the use of cybersecure products, and align strategies and open communications channels between MITA and other critical stakeholders, including regulators, healthcare providers and other industry sectors.