Title: Mitigating cybersecurity risks in radiology—is it time to unmask vulnerabilities and fortify cyber defenses with ethical hacking?
Authors: Reuben Schmidt, Lincoln J. Lim
Journal: iRadiology, volume 2, issue 2, pages 216-219
Publication date: 2024-03-29 (journal article)
DOI: 10.1002/ird3.71
Article URL: https://onlinelibrary.wiley.com/doi/10.1002/ird3.71
PDF: https://onlinelibrary.wiley.com/doi/epdf/10.1002/ird3.71
Indexed on Semantic Scholar; citation count: 0
Abstract
The integration of technology in medicine, particularly in the field of radiology, has led to significant advancements in patient care and diagnosis. While this digital transformation of healthcare has brought many benefits, it has also exposed radiological systems and sensitive patient data to unprecedented cybersecurity threats. This article aims to highlight the current cyberattack landscape, trends, and benefits of ethical hacking, which could be employed to identify vulnerabilities and improve cybersecurity defenses.
Global cyberattacks have been rising sharply year on year. In the global healthcare sector alone, the number of attacks increased by 69% within a single year (2021 to 2022) [1]. Up to 250 million individuals were affected by healthcare data breaches between 2005 and 2019, 157 million of them in the last 5 years of that period [2]. The financial impact has also been significant: according to an IBM report, a single healthcare data breach, affecting on average 26,000 records, can cost up to $15 million [2]. The 2015 breach of Anthem, a medical insurance company in the USA, exposed the medical records of 78 million individuals and resulted in a $115 million settlement [3].
In Australia, 22% of businesses experienced a cybersecurity attack in FY2021/2022, and the number of attacks has doubled since FY2019/2020 [4]. Of these attacks, 16% were scams or fraud, 5% involved malicious software, and 3% involved unauthorized access [4]. In FY2021/2022, these attacks were associated with service downtime in 18% of cases and loss of staff productivity in 17% [4]. Notable Australian healthcare incidents in 2022 include the Australian Red Cross (affected through a cyberattack on International Committee of the Red Cross servers), the CTARS client case management system for vulnerable children, the Medlab Pathology breach affecting almost 230,000 individuals, the Medibank breach affecting 9.7 million customers, and the private hospital provider Mater [1]. The impacts of cyberattacks on healthcare systems include the exposure of sensitive patient data, disruption of services, electronic system downtime, cancellation of scheduled medical appointments, and ambulance diversions.
Within radiology, Picture Archiving and Communication Systems (PACS) and Radiology Information Systems (RIS) streamline the retrieval, storage, and sharing of medical images, which are stored and exchanged in the Digital Imaging and Communications in Medicine (DICOM) format, the international standard for medical imaging. A breach of these systems can expose sensitive patient data and diagnoses and raises the risk of identity theft and extortion. Manipulation of the images themselves is an emerging concern that could have dire consequences for patient care.
Since its inception in the late 1980s, DICOM has undergone multiple enhancements driven by various stakeholders (vendors, working groups, and committees); its security provisions, however, have been left largely untouched [5]. Despite legal requirements and additions to the standard, security for medical data was never robustly built in and has often been theoretical or absent [5]. The current DICOM standard does include security provisions, such as encryption of data in transit via transport layer security (TLS) and digital signatures, but these are defined as optional profiles: the standard provides for data security without requiring it. Manufacturers are therefore free to implement the optional parts of the standard selectively. Combined with the proprietary nature of medical systems and the complexity of managing encryption certificates and keys, this has resulted in uneven implementation, or outright neglect, by manufacturers [3]. Within the hospital walls, much of the responsibility for data security falls on information technology (IT) and PACS administrative staff, which has led to reliance on generic network controls such as firewalls, identity and access management, and virtual private networks rather than on DICOM-level security [5].
In a 2015 study, researchers took the attacker's perspective and probed the entire public internet for open or vulnerable radiology servers using a standard DICOM association request (the DICOM handshake, roughly analogous to a browser opening a web page) [5]. The scanning tool presented itself as a legitimate medical application and could be used to extract medical data from remote servers. The researchers defined a security threat grading system (types 1–6), in which a true threat begins at type 3 (a DICOM application open to an external party) and ends at type 6 (completely open access to medical records). In total, 2774 servers were rated at threat types 3–4, of which 719 were DICOM-open servers. The countries with the most extensive infrastructure (e.g., the United States) also had the most insecure DICOM ratings. Most of the detected servers rejected the handshake, which was attributed to vendor or support team allow-lists that block unknown remote callers (a basic control), and the authors noted that such lists could probably be bypassed from a local internet protocol (IP) address. That the servers could be reached at all from foreign IP addresses also revealed the absence of basic perimeter firewall protection. The researchers stopped just short of downloading patient data from the open servers, since doing so would have been illegal, but noted that it was entirely achievable [5]. These findings were echoed in 2018 when a McAfee researcher used an internet scanning tool and found 1100 unprotected DICOM servers worldwide; he was able to download DICOM images and print a 3D model of a patient's pelvic bones from the data [6].
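The handshake the study exploited is the DICOM association request (A-ASSOCIATE-RQ), and a server's first reply already tells a scanner what it needs to know: an A-ASSOCIATE-AC means the application accepts an unknown caller (the study's type 3), an A-ASSOCIATE-RJ means a DICOM service is reachable but declines this calling system, and a refused TCP connection means the port is not exposed at all. The following Python is an added example written for this page, not code from the article or from the studies it cites; it builds the request from the PS3.8 PDU layouts using only the standard library, classifies replies, and includes a network probe that must only be pointed at systems you are authorized to test. The default AE titles, the implementation class UID and the verdict labels are this example's own choices.

```python
"""DICOM association probe: build an A-ASSOCIATE-RQ and classify the reply.

Added example (not code from the article or from the studies it cites).
PDU layouts follow DICOM PS3.8; the verdict labels are this example's own.
"""
import socket
import struct

APPLICATION_CONTEXT = b"1.2.840.10008.3.1.1.1"  # DICOM Application Context Name
VERIFICATION_SOP = b"1.2.840.10008.1.1"         # Verification SOP Class (C-ECHO)
IMPLICIT_VR_LE = b"1.2.840.10008.1.2"           # Implicit VR Little Endian
IMPL_CLASS_UID = b"1.2.826.0.1.3680043.9.9999"  # assumed, example-only UID

# A-ASSOCIATE-RJ code tables (PS3.8 9.3.4); reasons listed for the service-user source only
RJ_RESULT = {1: "rejected-permanent", 2: "rejected-transient"}
RJ_SOURCE = {1: "service user", 2: "service provider (ACSE)", 3: "service provider (presentation)"}
RJ_USER_REASON = {1: "no reason given", 2: "application context not supported",
                  3: "calling AE title not recognized", 7: "called AE title not recognized"}


def _item(item_type: int, payload: bytes) -> bytes:
    """PS3.8 item/sub-item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae(title: str) -> bytes:
    """AE titles are 1-16 ASCII characters, space padded to 16 bytes."""
    raw = title.encode("ascii")
    if not 0 < len(raw) <= 16:
        raise ValueError("AE title must be 1-16 ASCII characters")
    return raw.ljust(16)


def build_associate_rq(called_ae: str, calling_ae: str, max_pdu: int = 16384) -> bytes:
    """A-ASSOCIATE-RQ proposing the Verification SOP Class over Implicit VR LE."""
    pres_ctx = _item(0x20, struct.pack(">BBBB", 1, 0, 0, 0)   # context id 1 + reserved
                     + _item(0x30, VERIFICATION_SOP)          # abstract syntax
                     + _item(0x40, IMPLICIT_VR_LE))           # transfer syntax
    user_info = _item(0x50, _item(0x51, struct.pack(">I", max_pdu))  # max PDU length
                      + _item(0x52, IMPL_CLASS_UID))                 # implementation UID
    body = (struct.pack(">HH", 1, 0)             # protocol version 1, reserved
            + _ae(called_ae) + _ae(calling_ae)
            + bytes(32)                          # reserved
            + _item(0x10, APPLICATION_CONTEXT)
            + pres_ctx + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body   # PDU type 1, reserved, length


def classify_reply(pdu: bytes) -> dict:
    """Turn the first PDU a server sends back into a verdict.

    'open' is the study's type 3 (DICOM application accepts a foreign caller);
    'rejected' means a DICOM service is reachable but declines this caller.
    """
    if len(pdu) < 6:
        return {"verdict": "empty", "detail": "no PDU received"}
    pdu_type = pdu[0]
    if pdu_type == 0x02:                                   # A-ASSOCIATE-AC
        return {"verdict": "open", "detail": "association accepted"}
    if pdu_type == 0x03 and len(pdu) >= 10:                # A-ASSOCIATE-RJ
        result, source, reason = pdu[7], pdu[8], pdu[9]
        why = RJ_USER_REASON.get(reason, f"reason {reason}") if source == 1 else f"reason {reason}"
        return {"verdict": "rejected",
                "detail": f"{RJ_RESULT.get(result, result)} by {RJ_SOURCE.get(source, source)}: {why}"}
    if pdu_type == 0x07:                                   # A-ABORT
        return {"verdict": "aborted", "detail": "A-ABORT received"}
    return {"verdict": "not-dicom", "detail": f"unexpected first byte 0x{pdu_type:02x}"}


def probe(host: str, port: int = 104, called_ae: str = "ANY-SCP",
          calling_ae: str = "PROBE", timeout: float = 5.0) -> dict:
    """Connect, send one RQ, classify the reply. Only run with written authorization."""
    rq = build_associate_rq(called_ae, calling_ae)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(rq)
            verdict = classify_reply(sock.recv(4096))
            if verdict["verdict"] == "open":               # be polite: send A-RELEASE-RQ
                sock.sendall(struct.pack(">BBI", 0x05, 0, 4) + bytes(4))
    except OSError as exc:                                 # refused, timeout, unreachable
        return {"verdict": "unreachable", "detail": type(exc).__name__}
    return verdict


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe(target, timeout=3.0))
```

Against a typical PACS, probe() returns "rejected" with "called AE title not recognized", which is exactly the allow-list behaviour the study observed; an "open" verdict obtained from an address outside the hospital network is the finding that belongs in the report, and even a "rejected" reply from a foreign address shows that the DICOM port is reachable through the perimeter.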
In addition, recent proof-of-concept attacks have demonstrated vulnerabilities in RIS/PACS and in the DICOM format itself. Researchers showed that a deep learning model can automatically add lung cancer nodules to chest CT scans, and delivered the altered images by intercepting and modifying DICOM data in transit from the scanner to the PACS [7]. The tampered chest CT images fooled 99% of the radiologists involved in the study. In another attack, malware was embedded in the 128-byte preamble that precedes the DICOM file header, which DICOM readers skip without validating; the file continued to function normally on PACS, while the malicious executable could be triggered when the study was opened [8].
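Both attacks above end with a DICOM object that looks normal to the PACS: the preamble attack hides an executable in the 128 bytes before the "DICM" magic, which readers skip by design, and the in-transit attack changes pixel data without touching anything a viewer validates. The Python below is an added example written for this page (not code from the article or the cited studies) of the checks a receiving gateway could apply: it parses the Part 10 file meta header, flags executable signatures in the preamble, and hashes the data set so it can be compared with a digest recorded at the modality before transmission. The sample files it builds are constructed for illustration; a real deployment would obtain the reference digest from the modality or from a DICOM digital signature.

```python
"""Integrity checks for a DICOM Part 10 file: preamble, magic, meta header, data set digest.

Added example, not code from the article or the studies it cites. The sample
file produced by make_sample() is constructed here for illustration only.
"""
import hashlib
import struct

PREAMBLE_LEN = 128
# Executable signatures an attacker could plant in the 128-byte preamble,
# which DICOM readers skip without interpreting.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!", b"\xca\xfe\xba\xbe", b"\xfe\xed\xfa")
# VRs that use the 4-byte length form in Explicit VR encoding
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def encode_element(group: int, elem: int, vr: bytes, value: bytes) -> bytes:
    """One Explicit VR Little Endian element; values are padded to even length."""
    if len(value) % 2:
        value += b"\x00" if vr == b"UI" else b" "
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_LENGTH_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def make_sample(preamble: bytes = b"", pixel: bytes = b"\x00\x10" * 8) -> bytes:
    """Minimal Part 10 file: preamble, 'DICM', group 0002 meta, tiny data set (constructed)."""
    meta = (encode_element(0x0002, 0x0002, b"UI", b"1.2.840.10008.5.1.4.1.1.2")  # CT Image Storage
            + encode_element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1"))     # Explicit VR LE
    dataset = (encode_element(0x0010, 0x0010, b"PN", b"TEST^PATIENT")
               + encode_element(0x7FE0, 0x0010, b"OW", pixel))                   # Pixel Data
    return preamble[:PREAMBLE_LEN].ljust(PREAMBLE_LEN, b"\x00") + b"DICM" + meta + dataset


def parse_file_meta(buf: bytes):
    """Walk group 0002 (always Explicit VR LE); return ({(group, elem): value}, data set offset)."""
    pos, meta = PREAMBLE_LEN + 4, {}
    while pos + 8 <= len(buf):
        group, elem = struct.unpack_from("<HH", buf, pos)
        if group != 0x0002:
            break
        vr = buf[pos + 4:pos + 6]
        if vr in LONG_LENGTH_VRS:
            length, start = struct.unpack_from("<I", buf, pos + 8)[0], pos + 12
        else:
            length, start = struct.unpack_from("<H", buf, pos + 6)[0], pos + 8
        meta[(group, elem)] = buf[start:start + length]
        pos = start + length
    return meta, pos


def inspect(buf: bytes) -> dict:
    """Findings for one file held in memory, as a PACS ingest gateway might compute them."""
    preamble = buf[:PREAMBLE_LEN]
    findings = {
        "magic_ok": buf[PREAMBLE_LEN:PREAMBLE_LEN + 4] == b"DICM",
        "preamble_nonzero": any(preamble),                       # legal, but worth logging
        "preamble_executable": preamble.startswith(EXECUTABLE_MAGIC),
        "transfer_syntax": None,
        "dataset_sha256": None,
    }
    if not findings["magic_ok"]:
        return findings
    meta, offset = parse_file_meta(buf)
    ts = meta.get((0x0002, 0x0010), b"")
    findings["transfer_syntax"] = ts.rstrip(b"\x00").decode("ascii", "replace")
    findings["dataset_sha256"] = hashlib.sha256(buf[offset:]).hexdigest()  # everything after group 0002
    return findings


def verify_against_manifest(buf: bytes, expected_sha256: str) -> bool:
    """Accept the file only if it is well formed, carries no executable preamble,
    and its data set digest matches the value recorded at the modality."""
    f = inspect(buf)
    return f["magic_ok"] and not f["preamble_executable"] and f["dataset_sha256"] == expected_sha256
```

The digest is only as good as the reference it is compared against, so this check complements rather than replaces TLS on the scanner-to-PACS link; and because a non-zero preamble is legal (dual-format files use it), only the executable-signature finding should block ingest, while a merely non-zero preamble is something to log.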
To help safeguard PACS/RIS and DICOM images, a myriad of security measures and recommendations can bolster the resilience of healthcare organizations to cyberattacks [9]. Although the full list is extensive, the recommendations can be grouped into physical, technical, and organizational measures. Physical security measures include locking doors to unused rooms and preventing network cable removal with lockable network plugs. Technical measures include segmentation of internal networks with firewalls between segments, secure wireless networks that are regularly reviewed and updated, regular antivirus and malware scanning, and application allow-listing so that only approved software can run. Organizational measures include appropriate access rights for employees (since data breaches or theft frequently involve insiders), vendor/IT collaboration to enable mutual (bi-directional) TLS authentication, and auditing, with support for encrypted network communication [9].
Despite regular updates and improvements in cybersecurity, cyberattacks continue to become more common and more sophisticated. Adoption of the recommendations above is also likely to be patchy across global healthcare organizations. Perhaps it is time to think outside the box, and ethical hacking methodology could be part of the answer. Ethical (or “white hat”) hackers employ the same tools and techniques as malicious attackers, but do so under contract to identify vulnerabilities before criminals can exploit them. Approaches such as penetration testing, social engineering, and fuzzing can reveal weaknesses in an organization's networks, applications, and people.
For radiology systems, ethical hacking should include attempts to breach the network perimeter, to intercept and modify DICOM transfers, to alter RIS scheduling data, and to embed executable code in DICOM files. Each successful attack points to a specific control gap: insufficient encryption, lack of data validation, unpatched software, or inadequate intrusion detection. These insights allow IT security teams to improve authentication controls, segment internal networks, enforce encryption (e.g., TLS) for DICOM traffic, validate DICOM object integrity, and monitor system activity. Because these systems are in clinical use, interception and modification should be exercised against test studies or a staging environment rather than live patient data. Periodic retesting then verifies that the defenses remain in place.
Beyond the routine cybersecurity practices already widely employed, ethical hacking exercises would also build security awareness among radiology staff through authorized social engineering attempts. With proper scoping and authorization, controlled attacks can improve the cyber resilience of radiology workflows and limit or prevent disruption of patient care. Radiologists must also partner with health IT security teams to use ethical hacking as a proactive form of cyber defense.
Technological advances are a double-edged sword: alongside the good they achieve, new cyber risks and vulnerabilities will continue to emerge. This article has shown that much remains to be desired in the cybersecurity of radiology RIS/PACS and DICOM systems. Existing cybersecurity recommendations can partially mitigate this, but their adoption will likely be uneven. Ethical hacking, akin to the studies described above in which researchers mimicked attacker techniques to test the security of exposed DICOM systems, may be an important addition to our armamentarium against the ongoing waves of sophisticated cyberattacks. Ethical hackers engaged by a healthcare organization can tailor their approach and identify organization-specific vulnerabilities, which matters given the variation in how security protocols are implemented. Together with vendor collaboration and regularly updated standards, this multi-faceted approach offers hope of keeping radiological systems safe, secure, and trustworthy sources of patient data in a rapidly evolving cyber landscape.
Reuben Schmidt: Conceptualization (supporting); investigation (equal); data curation (supporting); writing − original draft (equal). Lincoln J. Lim: Conceptualization (lead); investigation (equal); data curation (supporting); writing − original draft (equal); project administration (lead); writing − review & editing (lead). All authors commented on previous versions of the manuscript and approved the final version. The authors declare no conflict of interest.