Q&A: Dispelling Myths, Reporting Trouble

Ben Ransford, PhD, University of Washington, Seattle

The reports are out there on cyberattacks and data breaches. Headlines claim that malware is "rampant" in hospitals, or that a major hack of a healthcare system "could come any day." Cybersecurity is a top concern in medicine, but reports of the risks often leave many unanswered questions. What role does clinical staff need to play in maintaining security? Are certain systems more at risk than others?

To help clear the air on some of these questions, Health Imaging spoke with Ben Ransford, PhD, postdoctoral researcher in computer science at the University of Washington in Seattle, who has co-authored a number of papers on medical device security, to get his take on how to improve cybersecurity in medicine.

What is the biggest misconception regarding cybersecurity in healthcare?

First of all, I think it’s appropriate to take those sort of horror stories that we hear with a grain of salt. I think the biggest misconception is that the computers inside medical devices, including radiology machines, are somehow fundamentally different from the computers on our desk. One belief I’ve heard is that the computers inside a medical device are more robust than the computers at your desk. I think that’s untrue.

If you look at the last few years of development of medical devices, you’re seeing a lot more devices that include off-the-shelf software, which is awesome for manufacturers because they save a lot of time by not writing their own operating system and all the stuff that is not related to medicine, but they lose control over some of the properties of their devices.

If you use a mainstream operating system on some device that you’ve intended to be very reliable, all of a sudden viruses that were written for that operating system will probably run on your device as well. The belief that medical devices are somehow not just computers from a certain perspective is misguided.

There have been reports of malware affecting devices such as x-ray machines, mammography systems and others across the enterprise. Are certain specialties more at risk, and where are the greatest areas of concern?

I think that the risk is evenly distributed over all kinds of devices that include software. That’s the key distinguishing factor. Obviously a tongue depressor is not going to be vulnerable to malware.

I don’t know of any malware that specifically targets radiology machines. More likely is that practitioners see garden variety malware that is the same kind that might infect your PC at home. That kind of malware doesn’t care what machine it’s running on. The reason that’s problematic is those kinds of malware aren’t particularly careful not to cause interference with the machine. If your home PC all of a sudden won’t print, that’s one thing, but if the same piece of malware causes your radiology machine to produce incorrect results or not boot the program that’s supposed to collect the data, that can be a real problem.

One concern we’ve heard is that clinicians may not report a malware infection on a system he or she uses because of fear of being blamed for allowing it to happen. How can medical centers encourage reporting of malware incidents so they can be addressed?

As usual, it doesn’t really help to blame the victim, and the people who discover malware are often the victim of the malware. Unless you’re trying to install malware on a device, it’s not really your fault if a device gets malware, even if you’re checking your email or playing Minesweeper. We have some distance to go before the stigma of reporting malware is lifted.

To me, the best way to encourage reporting is to get buy-in from everybody that their reporting is going to go all the way up to manufacturers or regulators. A good example is how some computer programs ask for permission to report crashes to the software maker; people don’t usually have a problem with that kind of reporting. That’s the best way to convey that you should feel inclined to report the problems that you find—it’s probably not your fault and you can help other people by reporting it.

Do you feel physicians and other hospital staff get enough education on these topics, and what would you advise people to do to help make their sites more secure?

I think [cybersecurity education] varies widely. I’ve seen reports all over the map. A lot of good faith efforts to report problems, but it’s really hard to generalize about cybersecurity in medicine because it’s only recently become something that people are paying