www.healthcare-in-europe.com 27 IT & TELEMED

Hospitals face advanced persistent threats to security
Hacking into healthcare records can kill
Report: Mélisande Rouger

Is your network safe? This loaded question made delegates shiver during Inforsalud 2015, the annual meeting of the Spanish Health Informatics Society, held in Madrid this February.

In a fast-paced, hectic presentation, Dr Jesús Díaz Barrero, systems engineer at Palo Alto Networks (PAN), highlighted how hospitals are increasingly the target of advanced persistent threats (APTs) – attacks from groups with both the capability and the intent to determinedly and effectively target a specific entity.

Over the past few years, an increasing number of cases have been reported in which hackers modified the parameters of an insulin pump, or made a defibrillator deliver random shocks to a patient's heart, from the Internet. Recently, a report in MIT Technology Review and CNBC stated that APTs from the Chinese army stole millions of personal data records from hospitals in the USA.

The reason is simple: it is incredibly easy to hack a hospital. Millions of players can access a hospital's network, either outside or inside the facility. For instance, patients can consult their reports and interact with their doctors from home.

These new means of communication increase the possibility of APTs, according to Díaz. 'Each time we open a door, we find a problem,' he said.

The growing use of telemedicine in Spain, especially in remote areas such as the Balearic Islands, also increases this risk. So does access to the network by external clinics, delegations, manufacturers, pharmaceutical and insurance companies, lawyers, etc.

Within the hospital or campus, many teams are connected to the network – labs, examination rooms, patient rooms, and so on. Even the private wide area network (WAN), which connects all medical systems such as PACS and information exchange systems, can be a target.

'Having all these channels means that the opportunity for an APT is very high. I don't want to scare you, but this is the reality of the healthcare setting today, all around the world including Spain. We are used to thinking that bad things only happen elsewhere. You'll see how it is far from being the case,' he said.

He presented studies conducted at three randomly chosen healthcare facilities over a year. These demonstrated how vulnerable those facilities were. All of them emitted malware from their own network without being aware of it.

Malware, short for malicious software, is hidden within standard web content and designed to exploit vulnerabilities in Internet-enabled applications, such as browsers and browser plug-ins. Its aim is to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Researchers deployed external sensors to monitor web traffic at those facilities. The results show that not only did scanners, modems and web cams emit malware, but also radiology systems and, most surprising of all, firewalls.

'Firewalls are supposed to protect hospital systems against malware, but they were actually the main source of malware. More alarmingly, the staff responsible for the system security did not know what was going on,' Díaz said.

PAN gathered information over the past five years at a large number of facilities and healthcare companies in Spain. The firm found that all of the facilities had malware in their systems. They all shared the same problem: their security systems did not work together, Díaz pointed out.

'The facilities failed because of dispersion. Traditionally, we've put in point solutions that work independently and are not related to each other. Therefore, when I have an incoming threat, I'm lost in this mess. It's also crucial to distinguish which threat is important and which isn't. Moreover, most security systems need manual intervention, which is time consuming,' he said.

Díaz recommends that hospitals correlate information between their systems and identify which applications are running in their networks – and decide whether they are safe or not. Information should be segmented, and access to the server should be granted strictly and according to the visitor's needs.

Hospitals should also apply the Zero Trust principle, in which two critical machines cannot share the same level of security. Access from one to the other should be protected, for instance by passwords.

With the explosion in smartphone and tablet use, these measures should also be adapted to the mobile world. Last but not least, a security platform should be able to counter both known and unknown APTs.

Many firms currently offer protection platforms against all sorts of APTs, including Dell SonicWALL, NETGEAR, WatchGuard and PAN. The product PAN-OS is considered an industry leader but recently scored lower in an independent NSS Labs test.

Jesús Díaz Barrero, systems engineer at Palo Alto Networks (PAN), Spain

Is PACS ready to expand beyond radiology images?
'Not yet,' says IT medical systems expert
Report: John Brosky

Nine out of 10 hospitals in Western Europe have a fully operational picture archiving and communication system (PACS) to manage and exchange medical images. The integration has become so routine that other physicians are now asking why they cannot as easily share with others the images they generate with non-radiology devices. It would appear that vendors of PACS systems are ready to tackle the assignment, thanks to the introduction of vendor-neutral archiving and zero-footprint viewers.

'Not really, not yet,' cautions Marco Foracchia, the IT Medical Systems Manager for Santa Maria Nuova near Parma, in Italy's Reggio Emilia region.

He is less confident that a system built for rigidly structured radiology exams is ready to take on all the types of medical images from specialties such as dermatology and endoscopy, or orthopaedic videos. 'One physician is a small problem, but when you add them up, it becomes a big headache,' he explained as he presented a case study for the Healthcare Information and Management Systems Society (HIMSS) Europe at the European Congress of Radiology (ECR).

After an inventory at the Santa Maria Nuova hospital, Foracchia said he found 534 imaging and data sources to be added to the traditional radiology network. Of these, 13% create images that are what he called properly managed, and 8% are clearly improperly managed. The remaining 79% of exams are not managed or stored at all.

Unlike radiology exams, he said, image acquisitions on these devices are not scheduled but made on the fly, and reporting does not follow the acquisitions sequentially, as is the case in structured PACS management. Instead, physicians, surgeons and specialists often do their reporting during the exam itself. DICOM, the bedrock standard for image exchange on the radiology PACS, is rare among the more than 500 devices physicians in his hospital want to connect.

'Radiology PACS is proof that management and sharing is clinically meaningful, and on paper it is the solution,' he said, but added that there are so many anomalies that a system built for radiology does not apply to extra-radiology systems.

In an effort to determine the readiness of European hospitals for evolving PACS systems, the European Society of Radiology (ESR) and HIMSS have announced a partnership that will evaluate the maturity of health information technology systems, with a report expected at ECR 2016.

'Radiology is already more closely tied with information technologies than any other medical discipline,' said ESR Past President Guy Frija MD, who described the scope of the partnership as embracing big data and business intelligence, as well as archiving and structured medical reporting, to ensure that future applications and challenges for radiology will be met. 'We also hope our partnership with HIMSS Europe will create a greater awareness, especially among IT companies, of the innovative potential that has always been inherent in radiology and which will continue to shape the discipline,' Frija stated in the joint announcement.

In a first step towards establishing an imaging IT maturity model for the joint project work group, HIMSS senior consultant for analytics Jorg Studzinski presented an evaluation compiled from a survey of six major western European countries, with the notable exception of France, where, he simply explained, 'we just don't know'. He also noted that the maturity of the Nordic countries in health informatics is so advanced that the data for the Netherlands serves as a mirror.

Starting with the fundamental radiology information system (RIS), more than 90% of all hospital systems in Italy, Germany, Spain, the Netherlands and the United Kingdom reported a system in place, with Austria at the low end of the scale at 85%. Radiology PACS is nearly as well implemented, with Italy and Germany trailing at 80%. A dedicated cardiology PACS has caught on, with the UK reporting such a system at 80% of facilities and Spain and Austria pushing above half of hospitals, while Germany and Italy were at 24% and 14%, respectively.

Pointing towards the upcoming assessment is a newly created category for an imaging data centre (IDC) that is meant to measure overall image management capabilities, though in the current evaluation it remains less clearly defined, and evaluation results are highly varied, from 97% in the Netherlands to 41% in Germany.

In announcing the partnership with HIMSS, which initially will aim to establish an imaging IT maturity model for Europe, the radiology society said the ongoing collaboration with the joint project group will help ensure that a broad agenda of IT topics is linked to radiology and regularly addressed at the European Congress of Radiology, including e-health, data mining, dose watch, structured medical reporting and enterprise imaging.

Source: Carestream