As a radiologist, I know too well how cybersecurity is foundational to the day-to-day imaging work my team and I do. While radiologists are not experts in phishing, zero-trust, or threat hunting, we know the baseline infrastructure – which includes security – always needs to operate so that we can interact with the clinicians and patients who depend on us.
However, when data breaches and downtime occur, radiologists need information to understand what happened and when the system will be live again. Without that knowledge, an untenable situation exists for hospitals, IT, clinicians, and most of all, the patients.
This communication gap is exacerbated by a lagging pace of security adoption at too many practices and providers. In my experience, whenever we bring new tech in, the project is education first and implementation second. When I go to conferences like SIIM, I see security tech on display that is further along than what many in-house security teams at imaging organizations are doing.
This is not a new phenomenon, but it’s getting worse. Hackers and cybercriminals are only getting more advanced and sophisticated in their methods for compromising healthcare data. And the major health systems and imaging organizations are too slow and not agile enough to keep up with this pace.
Security vendors must be cutting edge because the health systems can’t be. Too much inertia keeps the pace of in-house security tech and knowledge from being where it needs to be. At the same time, there are steps that healthcare providers can take – internally and with the help of external partners – to boost both their security capabilities and the confidence of their clinicians in those capabilities.
How radiologists think about cybersecurity
A 2024 HIPAA survey underscores this anxiety: in the first half of 2024, 387 reported data breaches involved 500 or more medical records, an 8.4% increase from the same period in 2023 and up 9.3% over 2022.
However, while healthcare data breaches may be ticking up, cybersecurity is something we only sometimes actively think about as radiologists. Patient images in front of our eyes, not latent fears about breaches and hacks, are top of mind. Because we’re reading hundreds or thousands of images daily, we don’t have the time to think about our practice’s cybersecurity any more than we can think about electricity. Whether it’s there or not, it’s only when it’s not that we take notice.
That state of play – always worried about the risk but rarely actively thinking about it – is precisely why many of us feel anxious about our readiness for cybersecurity.
That said, there are concrete steps that healthcare providers can take to better reassure their radiologists about their cybersecurity confidence and the organization’s more extensive preparedness in thwarting or defusing threats.
1. Implementing basic security training – This is IT Hygiene 101, but there’s a reason for that. While radiologists can’t be expected to manage their organization’s cyber defense strategy, essential awareness of how to spot phishing emails, for example, can improve the self-confidence of these clinicians. This preparedness can support a considerable team effort to ward off cyber threats rather than dismissing this responsibility as someone else’s with a mental handwave.
As part of the team, radiologists can help plug some of the most common holes exploited by hackers, i.e., employees who may not know better.
2. Updating legacy IT infrastructure – I understand why radiologists are hesitant to have new hardware or software updates dropped in their lap. When using the same system to read hundreds, if not thousands, of images daily, you can’t help but get used to your tools.
At the same time, there are many good and necessary reasons why our legacy imaging infrastructure is overdue for a refresh – whether it’s to take advantage of the cloud, provide better support for teleradiology and image sharing, or make quality-of-life improvements like streamlined workflows and fewer clicks. Cybersecurity can and should be a part of that same push.
Providers should likewise take advantage of these other modernization initiatives as they plan to update their security infrastructure. They include system audits, stricter patient data privacy controls, continuous real-time monitoring, and zero-trust protocols that make penetration by bad actors more difficult. This also goes a long way in shoring up clinician confidence in security.
Suppose your IT infrastructure needs to be improved, such as your choice of PACS for your cloud deployments (or choice to use the cloud). In that case, radiologists will feel less confident about their organization’s security preparedness. If the tech feels more bleeding edge, then that trust goes up.
3. Drawing on a broader pool of outsider expertise – It’s not enough for imaging and healthcare organizations to partner with security vendors; these vendors should draw from a broad and flexible pool of expert talent. Like healthcare organizations, in-house security engineers can also hit a brick wall in new knowledge and capabilities.
Refreshing those capabilities with new perspectives helps ensure that vendors always bring in experts with fresh experience — armed with knowledge of the latest threat trends and capable of deploying solutions ahead of the curve instead of playing catch-up.
Do you have the tools to identify bad actors? If those bad actors get behind the firewall, can you quickly react and adapt to those situations? Can they communicate the scope of the threat and the timeline for restoring normalcy to the healthcare organization?
The downstream effects are real — putting patients at risk and keeping clinician teams in the dark. When in-house teams may not be resourced enough or fast enough to stay on top of these challenges, outside experts and vendors can help fill the gap and bring a new level of confidence to the practice.
4. Closing the communications gap – The lack of communication during an outage or breach — when the vendor can’t tell you the timeline because they don’t know — is one of the most significant sources of frustration during a cyber crisis or downtime. This is all the more reason why tapping into a bigger pool of domain experts can help more readily diagnose an attack and communicate about it in real time.
We need security vendors and healthcare providers to quickly say what measures they have in place to prevent a threat from happening and spreading and how quickly they can get systems back up and running. The lack of knowing is not just frustrating; it’s unacceptable. Giving as much information as possible on what’s affected and when it will be over is critical – and many in-house security teams and vendors can’t do this.
When needed, engage outside experts, such as security vendors, with more extensive experience than any company security organization. They bring the right tools and information that healthcare providers and their imaging teams crave to help restore the confidence and trust in our cybersecurity readiness that we radiologists need.
Raj Chopra, MD, is the Chief Medical Officer for Merge by Merative. He has over 20 years of clinical experience as a board-certified radiologist. He has been actively involved in various advisory roles, helping to guide many organizations on imaging AI, FDA regulations, billing and coding, claims processing, utilization reviews, and Medicare/Medicaid compliance.
This post appears through the MedCity Influencers program.