RSNA 2022

Cybercrime against healthcare institutions has exploded in recent years. In 2021, more than 1 in 3 healthcare organizations reported being hit by ransomware.

The situation has been considerably worsened by the pandemic, which produced a triple threat for healthcare systems: a rapid expansion of internet-connected technologies and services causing an expanded attack surface, an increase in many types of cyberattacks, and fewer available resources to defend against cyberattacks.

Cybersecurity has become an important part of healthcare, and every radiology practice can easily become victim of a targeted cyber-attack. This was the subject of one of the opening education lectures of the recent RSNA (the Radiological Society of North America) conference in Chicago presented by Professor Benoit Desjardins, MD at Penn Medicine,  Associate Professor Shandon Wu, at University of Pittsburgh, and the author.

AI is now extensively used by both attackers (“Offensive AI”) and defenders (“Defensive AI”).  This four part lecture explored three forms of interaction between AI and cybersecurity that affect healthcare:

(1) Offensive AI: how cybercriminals are weaponizing artificial intelligence to improve their attacks against medical institutions, including how cyber-criminals are using AI to improve success of different types of attacks, such as phishing, scanning, and intrusions of medical centers.

(2) Defensive AI: how cyber-defense teams at medical centers are using artificial intelligence to supplement the limited capabilities of humans to detect and defend against cyberattacks, especially now that many of those cyberattacks are controlled by artificial intelligence.

(3) AI Model Safety: how cyber-threats can disrupt the integrity of medical images, and how this affects diagnosis by AI and humans, including an overview of the multiple ways in which data can be modified to fool AI algorithms.

(4) A panel discussion of the practical implications of AI for radiology practices.

AI is incredibly powerful and in a radiological imaging environment can mean the difference between early and timely diagnosis of cancers and other potentially life threatening conditions, or a medical condition not being discovered until it's too late. But Radiologists should be aware that AI models can be poisoned and corrupted, or used for nefarious purposes. If AI modelling and training is conducted safely and securely however, the benefits appear to far outweigh the risks.

For more details, please see my slides from the event on the growth of healthcare cybercrime and the issues of Offensive AI.

Read More

ISfTeH

Richard Staynings with Michele Griffith MD, President of ISfTeH.

The 'International Society for Telemedicine & eHealth' held its annual conference in San Jose, CA today and the author was proud to be invited to speak on the subject of 'cybersecurity as an enabler of new remote medical services'. 

 

Remote patient services whether telehealth consults with a primary care physician, post operative recovery from home to free up needed hospital beds, or the right of patients to die in their own home (embodied in law in many jurisdictions now), requires a different approach to patient data protection, privacy and security. Indeed, many of the new services envisaged as part of improvements to patient care for the future, will require careful examination to ensure that these do not expose provider medical networks to undue risks. Personalized medicine looks set to transform patient well-being and intervention outcomes but if providers are to store and process patients' DNA then they need to do a much better job of protecting that information than they do protecting current personal health information. 

 

Regulation across multiple jurisdictions requires that the confidentiality (privacy) of electronic patient information (ePHI) be protected, yet from a risk perspective loss of confidentiality although still important, is minor compared to the loss of health data integrity (the changing of a medical record) or the loss of availability (patients unable to receive an X-ray or CT scan while in the Emergency Room). 

 

With multiple hospitals being attacked with ransomware every week today, the risks for providers are obviously great. Although the costs of loss (lost revenue) can be massive, (Scripps Health is reported to have lost $112.7 million in revenue following its ransomware attack in 2021), the impact to patients for protracted downtime caused by a cyber attack can be life threatening, impacting patient safety, morbidity and even mortality, as we have seen from some prior ransomware attacks. Cyber-criminal activity by extortionists is literally killing people. Cyber attacks against the 'availability' of health services can be devastating to patients in need of radiotherapy or chemotherapy when those services are denied them. The same is true for those in need of Emergency Care or those giving birth when health IT and IoT are unavailable and being held to ransom.

 

The conference heard that it is important to balance 'confidentiality', 'integrity' and 'availability' of health information that together form what is known as the CIA triad. It also heard that a more risk-based-approach is required if providers are to get in front of managing the proliferation of new AI and ML based technologies, clinical applications and medical devices.

A full copy of the author's deck can be found here.

 

Attendees, speakers and panelists came from all over the world and were drawn from many different medical disciplines and specialties.  This was the first international conference of the ISfTeH since COVID-19 locked down many countries and prevented international travel.

 

 

Read More