Ideas for Hospitals, Centers, and Practices

False Sense of Security?

This year, the backup medical files of approximately 800,000 individuals seen at South Shore Hospital in South Weymouth, Mass., went missing during transport to the facility’s IT vendor; University Hospital in Augusta, Ga., lost a data tape containing information on 13,000 patients; and an employee of Tulsa’s Saint Francis Hospital stole data on 60 patients with intent to commit fraud. Unfortunately, these are just three of the 60-plus health care-related data loss incidents recorded this year by DataLossDB, a record of information security breaches maintained by the Open Security Foundation, Glen Allen, Va.

Loss of data or breach of information is the primary risk facing today’s electronic medical systems, with consequences ranging from fraud accusations to public embarrassment to penalties and fines. Lax security can also result in damage to systems, downtime and outages, and misappropriated resources (whether for personal gain or to attack others). “There are a number of things that can happen if security is lax, and some of it is avoidable,” said Mac McMillan, chief executive officer of CynergisTek, headquartered in Austin, Tex.

RIS Risks?

Radiology information systems (RIS) and PACS present unique risks for electronic (and physical) security. “PACS are very dynamic in the sense that they receive feeds from a lot of other systems, such as modalities. These modalities are a problem because a lot of them are not as secure as other systems,” McMillan said.

Modalities can be hard to protect because virus protection software may not be compatible with them and manufacturer patches are slow to be released because of FDA requirements. “There’s a period of time during which the system is insecure and nobody can do anything about it. If modalities are not patched or maintained properly, they can become infected by a virus and infect the PACS, which, in turn, can infect the network on which it sits,” McMillan said.

Some organizations approach this threat with hardware solutions. “A lot of hospitals have actually taken to dealing with these biomedical devices from a network architecture perspective, [physically] segmenting them away from the rest of the network,” McMillan said.

Radiology systems are often offered with functionality that is compliant with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), but to take advantage of built-in capability, the system must be set up and maintained properly; it cannot just be “plugged in.”

In Good Hands?

Unfortunately, the person in charge of setup and maintenance is not necessarily educated in IT security. Many facilities permit the radiology department to maintain management of its information systems rather than put them under the purview of IT.

“Usually, when you meet the guy in radiology managing the system, he’s a regular IT person or someone trained on the system,” McMillan said. Often, he is not an IT security professional and therefore doesn’t really understand how to manage it from a security perspective.

An easy solution is to put IT in charge of the security for RIS and PACS or to consult with someone who has the necessary expertise. At the very least, McMillan suggests development of a hardening guide, which he defines as a reference for the configuration and ongoing patching of the system to ensure maximum security.

“The PACS needs to follow the same rules and procedures with respect to security that every other IT system on the network follows, and IT should have the ability to audit that system. I’ve seen PACS that were always up, but nobody was there watching. I’ve seen PACS where the passwords were either generic or actually in plain sight,” said McMillan.

Secure Solutions?

Policies, such as automatic log-offs and unique passwords, should be properly enforced. Guidance can be found through organizations such as the Healthcare Information and Management Systems Society (HIMSS) and the National Institute of Standards and Technology (NIST).

Risk assessments can also help to identify where security may be lax. These may look at one system or at the enterprise as a whole. Naturally, the scope will impact the cost and time frame. A single system assessment may be finished within a few days while an enterprise-wide approach can take 4 to 6 weeks. CynergisTek approaches the process both internally and externally.

“You’re looking at testing the entire network and all of the systems in use; completing both technical and administrative reviews; evaluating policies, procedures, and workflows; performing physical reviews of the facility; and doing an assessment of what all that means,” McMillan said. The broader approach helps to protect the overall architecture as well as create a deeper appreciation for security risks without having to suffer the consequences.
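The hardening guide and policy checks described in this piece (automatic log-off, unique rather than generic passwords, ongoing patching, IT's ability to audit the system, and modalities segmented away from the rest of the network) can be expressed as a repeatable audit over a host inventory. The Python script below is an added example, not code from the article or from CynergisTek; the thresholds, the list of generic account names, the modality subnet, and the host inventory are all constructed for illustration and stand in for whatever a facility's own hardening guide specifies.

```python
"""Hardening-baseline audit over a constructed PACS/RIS/modality inventory."""
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed thresholds for this example; a real hardening guide sets its own values.
MAX_IDLE_MINUTES = 15          # automatic log-off must fire within this idle time
MAX_PATCH_AGE_DAYS = 90        # anything older than this counts as unpatched
GENERIC_ACCOUNTS = {"admin", "pacs", "service", "guest"}   # constructed list
MODALITY_NETWORK = ip_network("10.20.0.0/24")             # assumed modality VLAN
AUDIT_DATE = date(2011, 11, 1)                            # constructed "today"


@dataclass
class Host:
    name: str
    role: str                             # "pacs", "ris", or "modality"
    ip: str
    idle_logoff_minutes: Optional[int]    # None means automatic log-off is disabled
    last_patched: date
    audit_logging: bool                   # can IT audit this system?
    accounts: Dict[str, str] = field(default_factory=dict)  # username -> password hash


def audit_host(host: Host, today: date) -> List[str]:
    """Return one finding string per hardening-guide rule the host violates."""
    findings: List[str] = []
    if host.idle_logoff_minutes is None:
        findings.append(f"{host.name}: automatic log-off disabled")
    elif host.idle_logoff_minutes > MAX_IDLE_MINUTES:
        findings.append(f"{host.name}: idle log-off {host.idle_logoff_minutes} min "
                        f"exceeds {MAX_IDLE_MINUTES} min")
    age_days = (today - host.last_patched).days
    if age_days > MAX_PATCH_AGE_DAYS:
        findings.append(f"{host.name}: last patched {age_days} days ago")
    if not host.audit_logging:
        findings.append(f"{host.name}: audit logging off, IT cannot audit this system")
    for user in host.accounts:
        if user.lower() in GENERIC_ACCOUNTS:
            findings.append(f"{host.name}: generic account '{user}' present")
    # Modalities are expected on their own segment, not the general network.
    if host.role == "modality" and ip_address(host.ip) not in MODALITY_NETWORK:
        findings.append(f"{host.name}: modality not on segmented network {MODALITY_NETWORK}")
    return findings


def audit_shared_passwords(hosts: List[Host]) -> List[str]:
    """Flag a password hash reused by more than one account across the fleet."""
    seen: Dict[str, List[str]] = {}
    for h in hosts:
        for user, pw_hash in h.accounts.items():
            seen.setdefault(pw_hash, []).append(f"{h.name}/{user}")
    return [f"password shared by {', '.join(users)}"
            for users in seen.values() if len(users) > 1]


def audit_fleet(hosts: List[Host], today: date) -> List[str]:
    """Per-host checks followed by the cross-host password-uniqueness check."""
    findings: List[str] = []
    for h in hosts:
        findings.extend(audit_host(h, today))
    findings.extend(audit_shared_passwords(hosts))
    return findings


# Constructed sample inventory; names, addresses and hashes are placeholders.
SAMPLE_HOSTS = [
    Host("pacs-core", "pacs", "10.10.0.5", 10, date(2011, 10, 1), True,
         {"rad_smith": "h1", "rad_jones": "h2"}),
    Host("ris-app", "ris", "10.10.0.6", None, date(2011, 5, 1), False,
         {"admin": "h3", "rad_jones": "h1"}),
    Host("ct-scanner-1", "modality", "10.10.0.40", 30, date(2011, 1, 15), True,
         {"service": "h4"}),
    Host("mr-1", "modality", "10.20.0.12", 15, date(2011, 9, 20), True, {}),
]


def run_sample_audit() -> List[str]:
    return audit_fleet(SAMPLE_HOSTS, AUDIT_DATE)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print("FINDING:", finding)
```

On the constructed inventory the well-kept PACS and the segmented MR scanner produce no findings, while the RIS host (no automatic log-off, stale patches, no audit logging, an `admin` account) and the CT scanner sitting on the general network each produce four, and the shared password hash between two radiologist accounts is reported once across the fleet. Each finding maps to a line in the hardening guide, which is what makes the audit something IT can re-run after every change rather than a one-time review.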

—Renee Diiulio

Built for and by Radiologists

What should a radiology group do if it can’t find a PACS solution that fits its needs? If you’re Virtual Radiologic Corporation (vRad), you build one that does.

The teleradiology group developed its vRad PACS over the last 2 years, creating a solution that gives its radiologists a level of flexibility, control, and productivity that is hard to find elsewhere. The group recently released the vRad PACS to the market.

While the results have been impressive, the need for the vRad PACS solution was born out of a very simple, yet serious problem. “We were working with a vendor who wasn’t responsive to our needs,” said Benjamin W. Strong, MD, ABR, ABIM, vRad’s client medical director. “We had already developed our own set of online tools to cover credentialing, reporting, and worklists. We needed something to supplement and integrate with those tools.”

The decision to turn vRad’s 30 software engineers into a PACS development team was not made lightly, but it did reflect the company’s tech-savvy approach to imaging. “It’s an extension of what we’ve been doing for the last 7 years,” said Rick Jennings, vRad’s CTO. The radiologists drove the design of the system, and because of that, Jennings says, innovations, changes, and corrections could be made and tested almost immediately by the working radiologists.

The result is a highly flexible PACS solution that allows for customization and increased productivity at every level. Strong said that there were a number of “must have” features that were included during the development process. These included flexibility in the hanging protocols and multiple tool options. The result is a level of customization that is “spectacular,” according to Strong.

For instance, users have essentially every tool option currently available on the market in the single platform, which allows them to customize the way they like to hang, zoom, even what kind of input device they like to use. The key was to develop a system that reflected the way radiologists worked, said Strong.

The upshot is a more productive radiologist. According to Jennings, vRad radiologists view on average 26,000 images per radiologist per year with a nearly 100% accuracy rate in both the final and preliminary reads. In other busy practices, the average is 16,000 images per year.

The vRad PACS also allows for automation of repetitive tasks, including pre-batching and pre-caching of images. The system also features fast scrolling and enhanced communication with RIS. “This has made me the most productive,” said Strong. “Things like requesting prior images, establishing communication with the referring physician, the local radiologist, or the technologist, are an enormous development. I never sit on hold.”

The vRad PACS has customized voice recognition that has eliminated typos, allowing radiologists to keep their eyes on the image, again increasing productivity and accuracy. Other innovations are smaller but crucial to efficiency. For instance, each study is color-coded; a prior study is red, a current one is yellow. This instantly removes any confusion, allowing the radiologist to know with complete certainty which study is the most current and needs to be read.

All of the features are attractive, but what’s most important is that they have all been road tested by working radiologists, proving that the vRad PACS is reliable and scalable.

The vRad PACS brings more than toolsets that are valuable to radiologists. It has a number of other advantages as well, according to Jennings. “It’s been on the cloud since day one, there’s no hardware so there’s no capital outlay needed, and it’s fast and secure,” he said.

The vendor-neutral vRad PACS doesn’t require a dedicated workstation; images can be viewed on a standard computer screen.

Perhaps the most important thing that any potential customer has to know about the vRad PACS is that it is still being used to run the Minneapolis-headquartered teleradiology business.

—C.A. Wolski