Responding to a Cyberattack on Radiology
Understand the impact of a cyberattack – and how to respond.
By Trevor Weyland, Director, Gallagher National Cyber Practice.
Radiology departments and practices, like all healthcare organizations, are attractive targets for a cyberattack. If your facility suffers one, it is important to have an Incident Response Plan in place that immediately triggers a structured and practiced response to the situation.
Hackers and cyber criminals recognize the value of the data associated with medical imaging, and the profession’s reliance on technology both in the provision of care and in its business operations. For example, ransomware attackers might take control of the practice’s systems and demand payment both for restoring access and for not releasing the data they have taken.
Cyberattacks and data breaches come from many threat vectors, including social engineering and business email scams; lost devices; malicious acts of employees; physical theft of system resources; exploitation of vulnerabilities in software or hardware; phishing attacks; and compromised credentials. Not only are the radiology department’s own systems at risk, but so are the systems of its vendors (IT consultants, cloud storage vendors, etc.) on which the practice relies for the functioning of its business and to which it has entrusted Protected Health Information (PHI).
Although incidents come in many forms, a strong response to a cyberattack in radiology, and the responsibilities that come with it, will likely follow the broad categories explained below as a healthcare facility attempts to tackle the situation in an effective and efficient manner. The priorities will be to understand what has happened; take control of the response; get systems back up and running; and fulfill any obligations to third parties such as patients whose personal information may have been compromised.
Incident response to a cyberattack in radiology.
When the imaging department or facility becomes aware of an incident (for example through receipt of a ransomware demand or notice of a data breach), they should:
- Instigate a forensic investigation into the intrusion or data loss to determine which systems and data are involved and whether the attacker still has access. Preserve evidence (logs, disk images, the ransom note) before systems are wiped or rebuilt, since rebuilding first destroys the record that the investigation and any notification decision depend on.
- Secure legal advice to review and determine the practice’s responsibilities under privacy laws such as HIPAA, which may require notification to affected individuals within tight timelines (the HIPAA Breach Notification Rule requires notice without unreasonable delay and no later than 60 days after discovery of the breach). It will be important to employ a law firm with expertise in this area that can also advise the practice on how to engage an outside forensics firm while preserving privilege over the findings, and on the legality of making ransom payments. For example, U.S. law generally prohibits payments to designated persons, including suspected terrorists, or to persons in a jurisdiction subject to comprehensive U.S. sanctions.
- Manage external publicity or press inquiries about the situation.
Your healthcare organization should have in place (and tested regularly) an Incident Response Plan that sets out the process of discovery, investigation and response to a cyber incident in radiology or any other department.
Business operations.
Particularly in the event of an attack on a system (or on those of IT vendors), business operations in radiology can be affected in myriad ways. Systems may be down, preventing access to records and digital equipment needed for day-to-day operations. This may limit the ability to keep or schedule imaging exams, affect revenue and billing, and increase internal costs as the radiology staff seeks work-arounds. The team will want to trigger its backup systems and restore data; however, doing so may require additional staff or outside resources, adding further cost.
Part of the preparation to deal with a cyber incident is to have redundancy in systems and data, including separate back-ups that are kept offline or otherwise isolated from the production network (so that an attacker who reaches the primary systems cannot encrypt or delete them) and that are restored from regularly to confirm they work, so that the consequences (and downtime) in radiology can be minimized and the practice’s negotiating position with a ransomware attacker can be enhanced.
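Separate back-ups only help if the copy you restore from is intact, and ransomware that reaches a backup host will encrypt the backup files (and, if it can, rewrite any checksum list stored beside them). As an added example that is not part of the original article, the script below builds a SHA-256 manifest of a backup set, authenticates it with an HMAC key held somewhere other than the backup host, and verifies the set before a restore. The directory layout, file contents and key are constructed for illustration; the point it demonstrates is that in-place encryption, renamed files and a forged manifest are all caught before anything is restored.

```python
"""Integrity manifest for an offline backup set (added example, not from the article).

Build a SHA-256 manifest of every file in a backup set, sign it with an HMAC
key that is kept off the backup host, and verify the set before restoring.
Sample files, layout and key below are constructed for illustration only.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large imaging archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files: dict) -> bytes:
    # Deterministic encoding so the MAC covers exactly the listed names and hashes.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every regular file under root and sign the listing with HMAC-SHA256."""
    files = {p.relative_to(root).as_posix(): _sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "mac": hmac.new(key, _canonical(files), "sha256").hexdigest()}


def verify_backup(root: Path, manifest: dict, key: bytes) -> dict:
    """Check the manifest signature first, then compare every file against it."""
    expected = hmac.new(key, _canonical(manifest["files"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return {"ok": False, "reason": "manifest MAC mismatch (manifest tampered or wrong key)"}
    listed = manifest["files"]
    present = {p.relative_to(root).as_posix(): _sha256_file(p)
               for p in root.rglob("*") if p.is_file()}
    modified = sorted(n for n in listed if n in present and present[n] != listed[n])
    missing = sorted(n for n in listed if n not in present)
    added = sorted(n for n in present if n not in listed)
    return {"ok": not (modified or missing or added),
            "modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Constructed scenario: clean set, then in-place encryption plus a rename,
    then an attacker on the backup host who rebuilds the manifest without the key."""
    key = b"held-in-a-separate-secrets-store"  # assumption: never stored on the backup host
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "studies").mkdir()
        (root / "studies" / "1.dcm").write_bytes(b"DICM constructed sample study one")
        (root / "studies" / "2.dcm").write_bytes(b"DICM constructed sample study two")
        (root / "ris.sql").write_bytes(b"-- constructed RIS database dump")
        manifest = build_manifest(root, key)
        results["clean"] = verify_backup(root, manifest, key)

        # Simulated ransomware: encrypt one file in place (XOR stands in for the cipher)
        # and rename another, as many families do.
        f1 = root / "studies" / "1.dcm"
        f1.write_bytes(bytes(b ^ 0x5A for b in f1.read_bytes()))
        (root / "studies" / "2.dcm").rename(root / "studies" / "2.dcm.locked")
        results["after_attack"] = verify_backup(root, manifest, key)

        # Attacker regenerates a matching manifest but can only sign it with a guessed key.
        forged = build_manifest(root, b"attacker-guess")
        results["forged_manifest"] = verify_backup(root, forged, key)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest and the key with the offline copy's custody records rather than next to the data, and run `verify_backup` both before any real restore and as part of the scheduled restore test, so a silently corrupted backup is found during a drill rather than during an incident.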
Finally, it’s critical to keep complete and accurate records of the additional costs and lost revenue in case these can be recovered from a vendor or insurer.
Liability and regulation.
Failure to protect confidential information from unauthorized access or release gives rise to legal responsibilities and liabilities. Federal and state laws, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), govern the use and security of protected health information and impose obligations to give notice of a breach. They also permit regulators such as the HHS Office for Civil Rights (OCR) to investigate and penalize offenders and to impose corrective action plans, all at potentially considerable cost to the organization.
Next steps.
Cyber threats are all too real these days, with potentially severe consequences for a healthcare business and its operations. However, an organization can do much to prepare and protect itself by having IT systems that incorporate the correct controls and measures to prevent and minimize attacks, and by having an Incident Response Plan in place.
The team doesn’t have to respond to incidents alone, however. Cyber Insurance not only provides financial risk transfer, but also provides immediate access to expert legal, forensic and other professionals who will help manage the situation effectively and efficiently. Cyber insurance, and the resources it provides, should be an integral part of any Incident Response Plan too.
Trevor Weyland is area senior vice president at Gallagher and a member of both the national Healthcare and Cyber practices. He advises healthcare organizations on cyber and management liability risks and solutions.
Gallagher is the brand name of Arthur J. Gallagher & Co. (NYSE: AJG), a global insurance brokerage, risk management and consulting services firm headquartered in Rolling Meadows, Illinois. The company has operations in 57 countries and offers client service capabilities in more than 150 countries around the world through a network of correspondent brokers and consultants.
The article is for awareness purposes only and does not constitute professional advice by Carestream Health. Carestream makes no claim regarding the applicability of Arthur J. Gallagher & Co.’s services to your situation.