How to Protect Your Organization from a Cyberattack

Introduction

According to the US Department of Health and Human Services, cyberattacks on health systems have increased by 9,851% since 2019. This makes it imperative that you learn how to protect your organization from a cyber-attack. In fact, in 2020, there were 239.4 million cyber-attacks on healthcare endpoints, costing healthcare organizations, on average, over $4 million per incident. In 2021, this figure rose to an average of over $9 million per incident.

While staggering, these numbers are sure to increase, making vigilance and preparation critical to ensure your organization is properly prepared and protected. But why are healthcare organizations the target of ransomware or cyber-attacks in the first place? A primary reason is the vast amount of sensitive and valuable data (like personal health records, financial information, and insurance details) they possess. This data is highly sought after on the black market, where it can be used for identity theft or insurance fraud, or sold for profit.

Another reason health systems are targeted is the disruption to patient care a cyber-attack can cause. Health systems are more likely to pay a ransom to quickly get their systems back online, limit disruptions, and protect their established trust within their community.

Realizing why hospitals are targets of cyber-attacks is one thing, but understanding the steps to take to keep your data and staff safe is equally important. In this month’s blog, we’ll share a few ways you can help protect your organization from ransomware and cyber-attacks, along with some thoughts from InsiteOne to keep your data safe and secure.

Action #1: Awareness and Training

One of the best lines of defense for keeping data safe is continuous training for all staff on the methods cybercriminals use to find organizational vulnerabilities. Phishing attempts are the most common and successful methods used to catch employees off guard. Oftentimes, unwary staff may feel pressured to offer information that gives cybercriminals an easy pathway into your organization. Phishing, social engineering, spear-phishing, malware, and insider attacks are just a few of the methods used to compromise healthcare IT systems today.

InsiteOne Tip

Many organizations provide cyber security training to keep employees informed and educated on the types of attempts they may face every day. Organizations like KnowBe4 offer training courses, information, and ongoing updates that are entertaining, yet very insightful. Your healthcare teams are always your number one defense against a cyber-attack, and frequent training is the key to keeping your organization safe. The more your employees know, the better protected your organization will be when it comes to cyber security threats.

Action #2: Encourage strong passwords and best practices when in possession of sensitive information

Using “password” as your password is a bad idea. Writing down your passwords and taping them to your computer is even worse. Strong passwords are a strong line of defense against cybercrime. Techniques like creating passwords from your favorite songs or using the first letter of a favorite phrase (intermixed with numbers and other characters) make passwords easy to remember and difficult to hack. For example, the song “Don’t Stop Believing” by Journey could become a password like “D0nt_Stp#B3li3ving!”.

Encourage employees to memorize passwords or, better yet, to use a password manager to maintain them, so the passwords stay safe and secure and employees have only one password to remember. Writing passwords down and keeping them by your computer opens the door to someone compromising your IT systems.

Protecting sensitive information is equally important. Never leave sensitive information out in the open if you must leave your workspace. Lock up sensitive information in a secure location and log off your computer. It’s a good idea to always keep your workspace organized and free of sensitive data. Finally, never insert unknown USB drives into your computer. They may contain harmful malware ready to attack your organization’s network.

InsiteOne Tip

Creating complex but easy-to-remember passwords and securing sensitive information seems like common knowledge, yet oftentimes people get in a hurry and may inadvertently make a mistake. Under time pressure, a user may create a simple password and write it down with the intention to change it later. An impromptu meeting could pull them away in a rush, potentially compromising their workspace. Leaving sensitive data in a folder by your computer makes it easy for prying eyes to find just what they need to inflict harm. Continuous diligence is very important in the fight against cybercrime.

Ongoing cyber security training for your staff prepares them for handling cyber-attacks. Your employees are your first line of defense, and arming them with knowledge helps them better protect themselves and your organization from cybercrime.

Action #3: Data Encryption

Encrypt your data at rest and in transit. Ensure your IT systems provide the ability to encrypt data while it is stored at rest. Encrypting data in transit further reduces the likelihood that data will be stolen and misused during a cyber-attack. Encrypted data, without a decryption key, is useless to a cybercriminal. It’s equally important to make sure data is transmitted securely and only the intended recipient has the necessary decryption key. Any interception of the encrypted data while in transit provides no value to the criminal.

InsiteOne Tip

InsiteOne’s archives provide data encryption at rest and in transit, ensuring your data is safe and secure all the time. Any interception will be useless to cybercriminals. By using some of today’s best security methodologies, we keep your data protected in our archives and managed under our watchful eye.

Action #4: Network Segmentation and Security Patches

Segmenting your network limits the spread of a potential breach should one occur. Isolating critical systems and data from less secure parts of your network ensures your data remains safe in the event of an attack. Additional access controls on your segmented networks let in only the people authorized to access the data and keep everyone else out.

Keeping your software and IoT devices updated with the latest security patches helps to decrease their vulnerability during a cyber-attack. Cybercriminals know where to look once they have access to your network, and oftentimes vulnerabilities in infrequently used systems or older IoT devices on your network could be the key they need to cripple your organization. Once your data is locked by a cybercriminal, they may demand you pay a ransom to unlock your network and systems. Regular updates to your antivirus and anti-malware programs also ensure you are better protected against the latest known threats.

InsiteOne Tip

Network segmentation is a common practice used to keep outside traffic away from sensitive IT systems and data. With greater access controls in place, in the event of a breach, your sensitive data can oftentimes be kept safe and not compromised. InsiteOne understands how to segment medical imaging data so that in the event of a cyber-attack, your patient imaging data will be extremely difficult to access. Locking down common ports and using advanced security measures are just a few of the ways we help ensure a data breach will not impact your imaging data.

Action #5: Perform Regular Risk Assessments and Security Audits

Conducting frequent security audits and risk assessments is critical to success. Identifying vulnerabilities and weaknesses in your networks and systems helps you prepare to defend against a cyber-attack. Understanding the vulnerabilities and addressing the issues promptly helps you to mitigate potential risks to your organization.

Another important part of security assessment is creating a detailed incident response plan. Your plan should outline the steps staff needs to take in the event of a cyber-attack. Having a good incident response plan can limit the damage of a breach, since your team can respond quickly to avert further damage. Your plan should include procedures for reporting incidents, isolating affected systems, and communication protocols for all staff and relevant stakeholders.

InsiteOne Tip

Companies like CloudWave can help prepare your organization for a cyber-attack. They also offer services like risk assessment and security audits. Random, professionally organized cyber-attack drills teach your staff how to react should a cyber-attack occur. That knowledge, plus real-time practice, could make a huge difference in the outcome of an actual cyber-attack in the future. Understanding how your processes are followed during a staged event provides real-time guidance on ways to improve your processes and communication protocols when a real cyber-attack occurs.

Conclusion

Cybercrime is on the rise and healthcare organizations continue to be vulnerable. Aging technology, IoT devices that cannot be patched, and limited spending on cybercrime prevention provide easy access for cybercriminals to breach your network and gain access to sensitive data.  This blog only scratched the surface while providing a few tips on preparing for cybercrime in your organization. Hopefully, it will encourage you to work with your vendors and companies like InsiteOne to establish a safe environment for your data.  Limiting your exposure when a cyber-attack occurs is just as important as preventing it in the first place.  InsiteOne has a long history of keeping clinical data safe and the methods we use to protect your data keep cybercriminals out. 

If you want to learn more about the benefits of InsiteOne’s archiving and security solutions, be sure to reach out to us today to start a conversation about modernizing your infrastructure and ensuring your patient imaging data remains safe and secure.

What’s Old is New Again: The Resurgence of the RIS

By Doug Rufer, BSBA, RT(R)

Introduction

What’s old is new again as the RIS makes a comeback. RIS stands for Radiology Information System, once a critical information management solution for busy radiology departments in the 1990s. Then, around 2010, organizations began to adopt electronic health record systems (EHRs), and stand-alone RIS solutions began to be phased out. EHRs had their own RIS capabilities as part of their core offering. This enticed CIOs to consolidate their IT systems with a single vendor, causing the trend to shift away from best-of-breed solutions.

The downside was that EHR-based RIS solutions were typically less robust than best-of-breed solutions. Organizations lost useful functionality and optimized workflows. This required re-engineering of established workflows to accommodate the new EHR-based RIS.

Being involved with RIS throughout my career, I’ve watched this up and down trend take place. However, I now find it interesting that the market growth predictions for RIS were on a decline years ago but RIS is now enjoying a resurgence. This started in the early 2020s, making best-of-breed RIS solutions popular again. Organizations need better ways to cope with staff shortages, and new technology is clashing with outdated workflows, providing an opportunity for RIS to make a comeback. Today, there are multiple vendors that provide best-of-breed RIS solutions offering enhanced workflow tools that can positively impact radiology departments everywhere.

What is a RIS Anyway?

A RIS is a software suite of networked workflow and administrative tools used to manage the entire patient journey within a radiology department or imaging practice. A RIS manages everything from patient scheduling, order management, patient tracking, technologist documentation, file management (in the old days, patient jackets with hard copy films were stored and moved to various storage locations based on an age-out methodology), inventory tracking, and exam statuses to radiology reporting, report generation, and report distribution. Some manage the billing process or front-end eligibility checking, along with other unique workflows such as patient engagement solutions, peer review, and follow-up management. Today’s RIS no longer needs to manage where films are stored, as PACS (Picture Archiving and Communication Systems) has taken that under control since most images are now digital.

There are multiple vendors that provide RIS solutions, and they all have their own unique benefits. RIS solutions are provided as on-premises or cloud-based solutions, and some are focused on departmental workflows while others bring in workflows to manage the complexities of teleradiology. A while back, there was a lot of debate around how a RIS should work with a PACS. A RIS could be implemented as a stand-alone solution and interfaced with a PACS, or it could be a single-database, integrated RIS/PACS solution. This created the debate over which was better: PACS-driven workflow or RIS-driven workflow. Realistically, the best choice comes down to the requirements of the organization and the workflows it is taking advantage of.

Key Benefits of a Modern RIS

Consider your RIS as a radiology-specific patient record and management system. Not only will this database system track and maintain your patient histories, but you will also use it to manage your department. One of the key reasons most imaging organizations opt for a RIS over an EHR is the specific workflows designed within the RIS to improve workflow efficiencies and patient throughput. Streamlining tasks is a key benefit that RIS solutions provide. When patients check in at your front desk, alerts (offered as notifications or color changes in technologist worklists) inform the tech that their next patient is here and filling out paperwork, and later that the patient is ready for their exam. This eliminates back-and-forth calls from the front desk to notify the technologist the patient is ready for their exam.

Another workflow ability is to inject a QC process once images are acquired and sent from the modality to the PACS.  Technologists can keep radiologists from reading a study until it is completed (such as adding 3D reconstruction images, for example) and all images are available.  They can update the status at that time, which places the study with all available images on the radiologist worklist.

A RIS offers the benefit of improving data integrity throughout the workflow process. In hospital-based workflows, patient data will flow from the EHR into the RIS via HL7. From there, the modality will query the RIS for scheduled or ordered studies and update the modality worklist with patient data. This electronic movement of data prevents data duplication or miskeying of information due to repetitive typing.

Improved efficiency helps improve revenue and profitability. Today’s RIS solutions offer robust data analytics and reporting capabilities so you can monitor departmental performance month over month and year over year. Having insight into your workflow operations, throughput capabilities, exam counts, top referrers, and other key metrics lets you make the proper adjustments to keep your department running at peak performance. Understanding who your top referring physicians are allows you to focus additional marketing efforts on those physicians to maintain or increase referrals while offering them tools that provide a competitive advantage for using your imaging services.

Finally, improved efficiency, better information tracking, enhanced patient documentation, and information sharing provide the keys to improving patient care. When radiologists have all the information they need on a patient’s condition (including new information that may have been captured during their pre-exam interview process), they can share a more accurate interpretation and recommendations with the patient’s referring physician, and this can definitely enhance patient care in the long run.

Future Trend Predictions

As the imaging market continues to evolve, there are significant opportunities for RIS systems to evolve and continue to provide value in the patient care process.  A few areas where there are opportunities for RIS solutions to provide innovations include artificial intelligence, patient engagement, follow-up workflows, and real-time analytics.

Artificial Intelligence

Machine Learning (ML) and Artificial Intelligence (AI) are making significant headway in providing advanced tools to improve the diagnostic interpretation process. But AI and ML can also add enhanced workflow capabilities to the RIS and streamline processes by removing human intervention (speeding up processes and time to diagnosis, or improving report turn-around times).

For example, AI in a RIS could detect if there was a discrepancy in the patient’s history vs. the exam that was ordered and alert a radiologist to review the case prior to performing an inappropriate or wrong study.  AI early in the scheduling process could help balance patient scheduling and open timeslots based on denials or patients that tend to be frequent no-shows, allowing for departments to better manage their schedule to keep revenue flowing.

Patient Engagement

Patient engagement solutions give more control to the patient over their care. Self-scheduling tools can be simplified to show only the available timeslots while keeping the complexities of the scheduling process behind the scenes. Once the exam is complete, providing easy tools to download or share images, access reports, and request appointments, and sending timely reminders with exam prep instructions, are all ways a RIS can improve the patient experience.

Follow-up Workflow Automations

Not following through on exams that require follow-up is a large revenue loss for many organizations. AI could determine from the radiology report that a follow-up procedure is necessary. The AI could prompt the referring physician to create the order for the follow-up procedure. The AI could help close the loop and ensure that the referring physician has indeed sent the order for the follow-up, the insurance company was notified of the follow-up, and the patient engagement system was notified to ping the patient to schedule the exam. Timely ongoing reminders can help ensure the patient shows up for the study once the exam date approaches.

Closing the loop on exam follow-up can bring a higher revenue stream to most organizations since procedure follow-up often doesn’t have a well-defined closed loop workflow.

Real-Time Analytics

Imagine your RIS being able to analyze everything in your department and make real-time adjustments to the schedule while notifying the patients in the waiting room that their study will be moved up or slightly back due to backups in the department. AI could analyze the inbound reading workflow for radiologists and determine if the number of available radiologists can keep up with the current workload while maintaining service level requirements that may be set by various physician or organizational contracts. Auto-adjusting the worklists while offloading excess studies to a contracted teleradiology firm can keep patients, referring physicians, and department managers happy, since timely report turn-around would continue regardless of workload.

AI can provide updates to managers as data is captured in real time and inform them of automated changes being made to improve the workflow of the department, all while focusing on efficiency.

Conclusion

Radiology Information Systems were once written off as a dying technology that would be replaced by the EHR. Time has proven that incorrect: the technology is enjoying a resurgence, and the value it brings in improving efficiency and workflow is well understood.

Today’s RIS solutions offer more options to improve workflows, better department insights and analytics, and new capabilities and automations from artificial intelligence that can improve efficiency and optimize patient care.  If you are looking for a next generation Radiology Information System for your organization, be sure to check out InsiteOne’s modern cloud native RIS and the workflow optimization capabilities it provides our customers every day.