SoylentNews is people

posted by Fnord666 on Sunday October 06 2019, @04:41AM
from the picture-this dept.

Submitted via IRC for SoyCow9088

Cyber Threats to Medical Imaging Systems and How to Address Them

Healthcare continues to see staggering growth in breaches to patient health information. In the first half of 2019 alone, 32 million health records were breached, compared to 15 million records in the entire year of 2018. However, this trend of growing cyber breaches in healthcare is likely to persist due to the following characteristics of the healthcare industry:

[...] Medical imaging is a critical aspect in the delivery of patient care. Imaging records are now digitized and often stored on picture archiving communication systems (PACS), which enables the sharing of medical images to facilitate the delivery of care. However, cybersecurity measures to protect patient health information are often not implemented.

A recent report by ProPublica showed that medical imaging data of over 5 million patients in the United States are publicly available on the internet. As a result of 187 misconfigured servers, medical imaging data, often containing identifiable patient information that should be protected, is "sitting unprotected on the internet and available to anyone with basic computer expertise." Researchers discovered over 13.7 million medical tests, including 400,000 with downloadable images. These imaging records were stored on servers, including systems used for archiving medical images, without a robust solution in place to monitor for unauthorized changes or to ensure the servers were securely configured and in compliance with regulatory standards. These medical images include MRI, X-Rays and accompanying identifiable patient data that could be used for blackmail.

Due to the vulnerabilities in picture archiving communication systems (PACS), Tripwire partnered with the National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), along with other technology collaborators, to develop cybersecurity guidance for securing PACS. According to the NCCoE, "compromises on PACS could result in significant data loss, could serve as an avenue to cause disruption through a hospital's system, or should the information be altered or misdirected, could impede timely diagnosis and treatment."


  • (Score: 3, Interesting) by Runaway1956 on Sunday October 06 2019, @08:05AM (3 children)

    by Runaway1956 (2926) on Sunday October 06 2019, @08:05AM (#903317)

    WTF is all this stuff available on the INTERNET? Every god-damned thing today has to be "connected". Not one super-bright genius is capable of building a separate net or web, insulated from the internet? It's impossible in today's world to hire couriers to physically move medical data from one location to another, OVERNIGHT? Seriously, it's possible for Amazon to deliver some rather bulky crap anywhere in the US overnight, but couriers can't move a thumb drive from Mayo Clinic to Miami, San Diego, Portland, Me or Portland, Or overnight?

    Oh, but, that might cost more than a few electrons on a publicly accessible internet?

    Well, cheap bastards don't deserve any sort of guarantee that they can compete against more savvy competitors.

    • (Score: 2) by HiThere on Sunday October 06 2019, @06:18PM (2 children)

      by HiThere (866) on Sunday October 06 2019, @06:18PM (#903454)

      That it was in the Internet isn't the real problem. The real problem was that it wasn't well encrypted.

      Couriers would add both cost and time delay. Encryption is relatively easy and cheap.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
      • (Score: 2) by Runaway1956 on Sunday October 06 2019, @06:26PM (1 child)

        by Runaway1956 (2926) on Sunday October 06 2019, @06:26PM (#903458)

        I'll give you a point on that one. But, let's keep in mind that various actors want to outlaw encryption, and other people claim that encryption will become useless within a few more computer generations. Some forms of encryption are already pretty useless, especially if it's true that the NSA backdoored them.

        You didn't address alternative networks, though. The US military doesn't use the publicly accessible internet for most of their stuff. Instead, they use their own network. The medical community could do the same. They could even ask the military and/or NSA for assistance in setting up such a network. Your community clinic and your doctor could maintain public facing sites on today's internet, and use a separate machine to connect to what we'll call "The Medical Professional's Network".

        • (Score: 3, Interesting) by HiThere on Sunday October 06 2019, @08:13PM

          by HiThere (866) on Sunday October 06 2019, @08:13PM (#903477)

          Alternative networks within a building/campus/contiguous installation are reasonable, but you need to guard against some dingbat (or malicious actor) linking them to the wider internet. Alternative networks across town start to get expensive. Alternative networks between cities....if you can't set up a microwave or laser link, forget it. The cost is exorbitant.

          Encryption is a much easier answer, and while the encryption may be breakable with a quantum computer, only major players need to worry about that. (Also, there are varieties of encryption that don't depend on prime factorization. The one time pad is the most reliable of these, and the easiest to implement, but it does require occasional exchange of physical tokens (probably DVDs).)

          --
          Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
  • (Score: 2) by DannyB on Monday October 07 2019, @03:18PM

    by DannyB (5839) on Monday October 07 2019, @03:18PM (#903724)

    How about attacking medical imaging equipment and especially radiation therapy equipment to deliver improperly high radiation doses to the patients?

    Do they think about this possibility?

    By "they" I could mean:
    1. The equipment manufacturers
    2. The hospitals
    3. The democrat socialist environmentalist death panels who want to reduce earth's population to 500,000 people <sarcasm>

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.