Healthcare under attack: The top cybersecurity priority for medical imaging
The impact of cyberattacks on medical imaging and clinicians, and best practices for implementing a robust healthcare cybersecurity comms strategy.

Since 2011, healthcare has been the costliest industry for data breaches. The total cost of healthcare data breaches in 2024 was $9.77 million; in 2023, it was $10.93 million. That far outpaces any other industry, from tech to pharma to entertainment to education (the second costliest victim is the financial industry, whose breaches cost closer to “just” $6 million). Why healthcare? Because patient data provides all the ingredients a cybercriminal needs to create a fraudulent identity for committing other crimes.
Source: https://www.ibm.com/reports/data-breach
The sheer volume of medical devices makes healthcare a target-rich environment. But worse than that, healthcare makes itself an easy target for malware, ransomware attacks, and data breaches because the perpetrators know we’ll almost certainly have to pay up. The patient data we carry and review on an hourly basis is so critical for care that we can’t afford to be held hostage; everyone from radiologists to PACS administrators to hospital leadership is willing to do almost anything to make sure patient data is freed up as quickly as possible.
And when a cyberattack causes an outage at one hospital, it immediately creates ripple effects that impact care services at other hospitals – increasing ER arrivals and patient volumes. Small wonder that in-patient mortality rates can increase by anywhere from 35% to 41% during a ransomware attack. Security vulnerabilities at one site don’t affect just that one site; they affect everyone in the system.
The clinical impact: The effect of cyberattacks on radiologists and medical imaging
For too long cyberattacks have been dismissed as problems for the IT department. But these aren’t just IT problems; they’re problems for radiologists and physicians, too. And I can tell you, speaking as someone who works in radiology and has firsthand experience of this, when downtime occurs, it’s the physician on site who becomes the face of the problem.
Patients get frustrated when they’re sitting in the ER for hours, waiting for test results that aren’t coming because the system is down. Physicians get frustrated because they’re not able to schedule surgeries or move patients along to the next step of their care. Staff gets frustrated because they’re not able to push patient exams through the system. Nerves are rattled, anger mounts, and an already difficult situation becomes even harder to manage for both clinicians and their patients.
And the root cause of much of this frustration? Lack of communication.
Lack of communications with healthcare providers drives frustration during cyberattacks
Not too long ago, my practice was hit by a cyberattack. And the vendor we used at the time just didn’t communicate with us during or after the breach. Not because they were unaware or weren’t doing anything – they had chosen to spend their time figuring out the problem internally before coming to us with a solution. But because we went that whole time without hearing from them – not knowing what they were doing, what systems of ours were affected, how quickly we would be back up – that created a ton of new frustration on our end. Clinicians would ask about when they could schedule operations or cancel others, and we couldn’t answer because our vendor wasn’t clueing us in on timelines.
This cannot be allowed to happen. Think about how hectic an ER is on any given day. On average, about half a dozen healthcare workers are involved with a single ER patient visit. Admitting the patient, ordering an MRI, reviewing the images, sharing the results with the patient, making decisions on next steps (Release them? Send them upstairs for further treatment?) – there are a lot of steps taken by many different people during rapid patient care and triage, and it’s all happening digitally now. So when a system is down and there’s no communication about when it’ll be restored and what backups we should be falling over to in the meantime, that’s a recipe for chaos. We need that communication from vendors so that we can guide staff, ER physicians, surgeons, and ultimately the patients on what their next steps are – which options are on hold, which tasks need to be performed in a different way, and what kind of timeline they’re working on.
Implementing a healthcare cybersecurity comms strategy
Our industry should take a cue from the utilities industry. When my house loses power, my utility provider sends me a text message, voicemail, and email alerting me that: a) they’ve identified the problem; b) they’re working on it; and c) they’ll provide more updates when available. Which they do, because I then get a text about when technicians are at the site of the downed power line or broken equipment, with follow-ups about the repair status, ETA until the repairs are completed, and a final alert about when the repairs are finished.
This may seem like oversharing, but during a crisis, oversharing is better than not sharing at all.
There are many options that medical imaging organizations can and should pursue to better protect patient data – from implementing more secure imaging solution frameworks, to establishing business continuity and disaster recovery plans, to adopting cyber resilience security measures and ensuring all employees have been given adequate cybersecurity and IT hygiene training.
But at the end of the day, the most cost-effective and achievable option for a cybersecurity preparedness plan is a transparent and timely communications strategy. Healthcare is the place cybercriminals most want to hit; we’re a high-value target and as long as we’re handling patient data, that won’t change. What can change is what we do about it.
Healthcare providers must create a clear and speedy strategy for communications during and after a cyberattack – prioritizing comms for end users and ensuring that radiologists are constantly aware of what’s going on, what has been affected, when it will be fixed, and when things can get back to normal. We must give visibility and control back to clinicians. Anything else is a disservice to them and their patients.
For more on the dos and don’ts of implementing effective cybersecurity measures for medical imaging organizations, check out the replay of our recent virtual event on Defending Healthcare: Perspectives on Cybersecurity in Imaging.