While acknowledging that some healthcare establishments have implemented measures to ensure eavesdroppers cannot access their systems, Torbjörn Kronander is concerned that others are still exposed to intrusion from outsiders. As head of the Swedish firm Sectra, which develops and sells products and services for medical imaging IT and secure communication, he believes hospitals often do not realise how easy it is to eavesdrop on secure conversations or archives, or how common this is.
However, he is sensing a change of attitude among healthcare organisations and an increased demand for his company’s knowledge and expertise in data security in a medical IT setting, coupled with greater awareness of the risks of data breach and the importance of a security component for hospital archives.
Challenges still remain, he notes, in translating the need for security into daily practice and ensuring the medical community understands the need for effective data security. Another issue for Europe’s health sector is the lack of uniformity in the adoption of secure systems in hospitals. The risk of data breach and eavesdropping, he explained, was vividly highlighted by the case of American computer specialist Edward Snowden, where the former NSA contractor revealed details of global surveillance by the NSA.
Torbjörn Kronander maintains that it is not difficult to keep internal and opportunist hackers out of hospital systems but stresses that many hospitals need to take practical steps if they want to remain IT secure. ‘They need an awareness and knowledge of data security at IT level and also understand how to make the system secure so that no one can go into the system and change data. Changing data is the worst thing you can do in a hospital; it’s worse than losing data or eavesdropping on the data.’
He cited an example of a case a decade ago in a European country: a doctor who had made a clinical error went into an image archive and changed the picture he had used for the procedure. ‘Security comes at different levels and you can do a lot with software but in the initial phase it is a systems approach; how you look at security in hospital, support it, and then how you enforce it. No chain is stronger than its weakest link, so all systems must be secured,’ he added. ‘For a hospital, the first need is to understand that there is a problem and then adopt a symptomatic specification on a hospital level on how this should be tackled, so that you don’t solve security in different ways in different places.’
Security that pays off
While secure systems cost money and take up some staff and time commitment, the cost is not always as high as hospitals fear. ‘Security costs money but a breach of security costs even more money. It is like insurance; insurance costs money but if you do not have insurance and something happens it will be even more expensive.’
Sectra, which has evolved over the past 35 years into an international company with more than 500 employees across 12 countries, is now seeing interest in securing the medical imaging infrastructure and PACS the company sells in its other division.
The company underpins its success with long-term and close collaboration with customers, understanding their daily life and routines and combining this with leading-edge expertise in technology.
Security awareness, he pointed out, remains generally low in standardisation bodies such as DICOM, and there is no consistent way of solving security issues within them. He also advises hospitals to demand certain levels of security specification from a vendor when they buy a PACS, RIS, or HIS system, and to adopt the information security management systems standard ISO 27001 for security of data, which is used by vendors and security companies such as Sectra.
Kronander warned that, obviously, no information can be perfectly safe these days, but added that with Sectra, hospitals can ‘make their IT systems immensely more difficult to eavesdrop and listen in to.’