Q&A: Dispelling Myths, Reporting Trouble

The reports are out there on cyberattacks and data breaches. Headlines claim that malware is "rampant" in hospitals, or that a major hack of a healthcare system "could come any day." Cybersecurity is a top concern in medicine, but reports of the risks often leave many unanswered questions. What role does clinical staff need to play in maintaining security? Are certain systems more at risk than others?

To help clear the air on some of these questions, Health Imaging spoke with Ben Ransford, PhD, postdoctoral researcher in computer science at the University of Washington in Seattle  who has co-authored a number of papers on medical device security, to get his take on the how to improve cybersecurity in medicine.

What is the biggest misconception regarding cybersecurity in healthcare?

First of all, I think it’s appropriate to take those sort of horror stories that we hear with a grain of salt. I think the biggest misconception is that the computers inside medical devices, including radiology machines, are somehow fundamentally different from the computers on our desk. One belief I’ve heard is that the computers inside a medical device are more robust than the computers at your desk. I think that’s untrue.

If you look at the last few years of development of medical devices, you’re seeing a lot more devices that include off-the-shelf software, which is awesome for manufacturers because they save a lot of time by not writing their own operating system and all the stuff that is not related to medicine, but they lose control over some of the properties of their devices.

If you use a mainstream operating system on some device that you’ve intended to be very reliable, all of a sudden viruses that were written for that operating system will probably run on your device as well. The belief that medical devices are somehow not just computers from a certain perspective is misguided.

There have been reports of malware affecting devices such as x-ray machines, mammography systems and others across the enterprise. Are certain specialties more at risk, and where are the greatest areas of concern?

I think that the risk is evenly distributed over all kinds of devices that include software. That’s the key distinguishing factor. Obviously a tongue depressor is not going to be vulnerable to malware.

I don’t know of any malware that specifically targets radiology machines. More likely is that practitioners see garden variety malware that is the same kind that might infect your PC at home. That kind of malware doesn’t care what machine it’s running on. The reason that’s problematic is those kinds of malware aren’t particularly careful not to cause interference with the machine. If your home PC all of a sudden won’t print, that’s one thing, but if the same piece of malware causes your radiology machine to produce incorrect results or not boot the program that’s supposed to collect the data, that can be a real problem.

One concern we’ve heard is that clinicians may not report a malware infection on a system he or she uses because of fear of being blamed for allowing it to happen. How can medical centers encourage reporting of malware incidents so they can be addressed?

As usual, it doesn’t really help to blame the victim, and the people who discover malware are often the victim of the malware. Unless you’re trying to install malware on a device, it’s not really your fault if a device gets malware, even if you’re checking your email or playing Minesweeper. We have some distance to go before the stigma of reporting malware is lifted.

To me, the best way to encourage reporting is to get buy-in from everybody that their reporting is going to go all the way up to manufacturers or regulators. A good example is how some computer programs ask for permission to report crashes to the software maker; people don’t usually have a problem with that kind of reporting. That’s the best way to convey that you should feel inclined to report the problems that you find—it’s probably not your fault and you can help other people by reporting it.

Do you feel physicians and other hospital staff get enough education on these topics, and what would you advise people to do to help make their sites more secure?

I think [cybersecurity education] varies widely. I’ve seen reports all over the map. A lot of good faith efforts to report problems, but it’s really hard to generalize about cybersecurity in medicine because it’s only recently become something that people are paying a lot of attention to. To get better, it takes time.

I think medical practitioners have enough to worry about just practicing medicine. I think it’s unrealistic to expect busy physicians to devote a whole lot of thinking to theorizing about the computers they can’t even see that are inside their devices. Teaching is appropriate, but it’s not clear who should do that teaching. Clinical engineers are certainly busy enough trying to keep things running. Having them develop some kind of curriculum at the practice is probably unrealistic too.

My hope is that with the combination of good attitudes toward security and good regulation, we can eventually establish a set of best practices that goes all the way from the manufacturers to practitioners…the more information that’s allowed to get out and reach the people that can solve the problem, the better.

If you’re involved in purchasing medical devices…and if you have the choice between two pretty useful therapeutic devices and one of the manufactures has a much better attitude toward cybersecurity, it could help to choose that one. Give your dollars to the more responsible vendors. But to ask practitioners to do a lot more than what they’re doing is probably erroneous.

Any closing thoughts?

Things really do seem to be getting better from a cybersecurity perspective. The FDA has really ramped up its attention to medical device security and I think that’s a really positive thing. I can also report that I’ve seen a gradual shift in the way that manufacturers have been approaching cybersecurity. Before, it was much less of a concern than getting the devices to market, but now manufacturers seem to be taking a more holistic view that includes attention both to providing therapeutic value and doing so in a way that doesn’t introduce new cybersecurity problems.

Cybersecurity affects all of all us, because like it or not we are subject to whim of computers to a certain degree. We want the computers that have some control over our lives like in medicine, or in airplanes, we want those computers to work really well and the only way we’re going to get that is if we all continue to care about it and to encourage manufacturers to care about it as well.