
Why Medical Imaging Companies Are The New Breach Hotspots

The surge in attacks against companies that provide medical imaging services, as evidenced by the recent Visage Imaging data breach case, shows how vulnerable the medical imaging field has become. Most cyber security attention in the medical imaging industry has been directed at hospitals and large health care systems; however, medical imaging technology manufacturers sit at the centre of a vast, interconnected network: they receive patients' health information in the form of images, they send diagnostic files, and they support multiple facilities across many different areas. That makes medical imaging manufacturers an ideal target for cybercriminals, because they provide access to sensitive information and represent vulnerable points within the overall health care system.

For instance, when a medical image is stored, it is not only the actual images of a patient that are stored, but also a record of every study performed, which includes the patient's identifying information such as name, birthdate, and ID number. In many cases, the medical imaging report is included with the patient's image binary files (the BWF). While the medical imaging manufacturers are under a greater obligation than other providers to interact with the patients, they are nonetheless in possession of sensitive, personally identifiable information (PII) about those patients, and that information was compromised in the Visage Imaging cyber attack. Although the compromised PII may only recently have been released, the ramifications may last a long time for those involved.

Imaging companies are becoming cyber hot spots for many reasons, including the type of systems they use. These systems are found in radiology departments, and radiology relies on constant, high-speed data transfers among hospitals, clinics, cloud-based storage systems, and off-site reading services; the large number of endpoints therefore gives cyber criminals many opportunities to gain access. In addition, Picture Archiving and Communication Systems (PACS), diagnostic viewers, cloud hosting, and workflow tools must all connect to one another to perform properly. If a single element in this integration chain is compromised (for example, because it runs an old version of its software), then the entire integrated system is exposed to attack.

Legacy technology also poses a problem for imaging systems. Many hospitals updated their radiology equipment years ago but did not upgrade the software, server architecture, or other integration tools used to operate these systems so that they meet current cybersecurity standards. Imaging equipment represents a significant capital investment for a hospital, and it is often difficult and expensive to replace, which leads to continued reliance on outmoded technology. Cybercriminals are aware of this upgrade history and actively seek to exploit the vulnerabilities found in outdated imaging software.

The presence of multiple third-party vendors creates another obstacle for the imaging company. Imaging companies usually collaborate with hospitals and other healthcare providers (HCPs), cloud storage services (CSS), artificial intelligence (AI) vendors, and teleradiology vendors. While this collaborative approach allows the parties to work together more efficiently and effectively, it also increases exposure to cyber security vulnerabilities. Each vendor in the imaging chain has its own set of vulnerabilities, so if any one vendor has weak security, the entire chain is at risk of compromise. The Visage Imaging incident illustrates how rapidly third-party vendors can gain unauthorized access to imaging assets, and further illustrates the need for improved safeguards at companies that operate extensive integration solutions.

Cybercriminals are also aware that there is financial gain associated with imaging records. A single stolen imaging record from a medical imaging company could contain enough information for an attacker to steal that person's identity (for example, a Social Security number together with a full name) or to file false claims in that person's name. Once an individual's full name and Social Security number are exposed to cybercriminals, they may be able to use this information to open fraudulent accounts, file false claims, or impersonate the individual for years to come, long before the person is able to resolve these issues. Unlike a credit card, which can be cancelled and reissued, sensitive personal identifying information that has been compromised in a data breach cannot be replaced.

The use of cloud-based imaging has increased the potential for cybercrime targeted at medical imaging companies, as these organizations now rely on cloud computing for the storage, sharing, and interpretation of images. While this has improved access to medical images, since they can be retrieved online rather than from a physical location, the risk posed by cybercriminals increases when these cloud environments lack appropriate security measures and processes. Misconfigured storage systems, weak authentication methods, and overlooked access permissions can each lead to unauthorized access to sensitive medical image data.

The breach of Visage Imaging is indicative of an ongoing trend in the healthcare industry in which medical imaging companies face an increasing threat of cybercriminal activity. Medical imaging platforms typically support thousands of provider organizations across the country, so the breach of one such platform can expose the personal medical data of patients located in multiple states. As the use of medical imaging continues to expand and the technology becomes more sophisticated through the introduction of artificial intelligence, cloud-based workflows, and remote diagnostic imaging services, the need for enhanced cybersecurity measures will continue to grow.

Cybercriminals are targeting imaging firms because of the large volume of clinical and non-clinical information they hold. The data residing in these systems retains its value to identity thieves over time, and should therefore be closely guarded and protected by healthcare organizations. Because many healthcare organizations have not previously been thought of as a rich source of information for cybercriminals, incidents like the Visage Imaging data breach highlight how important it is for organizations of any size or specialty that hold sensitive information to maintain constant vigilance.