Digital Radiography Detectors: How Secure Are Your Medical Images?
The security within your digital X-ray detector.
Digital radiography detectors capture what seems like the most personal of data: an image of our inner selves. For this reason, hospital administrators and radiology directors occasionally ask us about the ways we secure this most private of data. And with good reason.
As evidenced by the WannaCry ransomware attack, healthcare continues to be the most expensive industry for data breaches. Healthcare data breaches cost organizations $380 per stolen record—more than twice the average global cost across all industries, according to the 2017 Cost of Data Breach Study sponsored by IBM Security. Ask a chief information officer or IT director what keeps them up at night, and undoubtedly the security of patient data will be high on their list. It’s also a top priority for Carestream Health.
Secured and anonymous transmissions of digital X-rays
Here is a look inside the security of our DR detectors.
First and foremost, no PII is ever captured, stored, or sent from our DR detectors. PII stands for “personally identifiable information”: any data, such as a birthdate, that could potentially identify a specific individual.
When a console is ready to acquire a medical image, it sends the detector a “Globally Unique Identifier” or GUID. This is a randomly generated string of characters. That is the only information that the digital X-ray detector receives about the image and/or the patient. After imaging takes place, the console asks the DR detector to send the image associated with that GUID.
We also have safeguards to secure medical X-rays when they are in transmission to the console. Our most popular detectors for digital radiography are wireless cassettes. These cassettes and the associated console are preconfigured with a unique and private network. Before sending the image, the detector authenticates with the wireless access point. Our authentication protocol is WPA2-PSK, an industry standard.
After the detector successfully authenticates and connects to the wireless network, all data, including image data, is encrypted and therefore private between the detector and the console. We use the Advanced Encryption Standard (AES). This is a ubiquitous and well-tested algorithm that encrypts information on a wireless network.
For added security, the console disables packet forwarding. This precaution denies network access to the detector from hosts other than the console.
Security hand off to hospital network and staff
After the data arrives at the access point, it is transmitted to the console via an embedded private Ethernet network. From this point on, any transmission of the radiograph from the console – to the PACS for example – takes place over the hospital’s network. The transmission is now dependent on the network security protocols in place at the hospital or imaging center.
Of course, there are many factors that can put data at risk that are beyond the secure ecosystem that Carestream Health has developed between our DR detectors and the console.
Healthcare IT reports that user education is one of your strongest defenses. Weak and/or shared passwords are a major vulnerability. We strongly recommend that customers routinely change the password to their wireless access point, including anytime a staff member with knowledge of it is no longer employed at the imaging facility.
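An added example, not Carestream's code, showing why the access point password matters so much under WPA2-PSK: the network's 256-bit pre-shared key is derived deterministically from the passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations, as IEEE 802.11i specifies), so anyone who knows the passphrase holds the key until it is changed. The SSID and passphrases below are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2 pre-shared key from a passphrase and SSID.

    IEEE 802.11i: PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits).
    """
    # The standard only permits 8-63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def same_network_key(passphrase_a: str, passphrase_b: str, ssid: str) -> bool:
    """True when both passphrases yield the same PSK for this SSID."""
    return hmac.compare_digest(wpa2_psk(passphrase_a, ssid),
                               wpa2_psk(passphrase_b, ssid))


def rotation_revokes_access(old: str, new: str, ssid: str) -> bool:
    """True when knowing only the old passphrase no longer gives the key."""
    return not same_network_key(old, new, ssid)


if __name__ == "__main__":
    ssid = "DR-ROOM-EXAMPLE"                 # constructed sample SSID
    old = "shared-by-all-staff-2017"         # constructed sample passphrase
    new = "rotated-after-staff-departure"    # constructed sample passphrase

    # Every device (and person) with the passphrase derives the same key.
    print("detector key == console key:", same_network_key(old, old, ssid))
    # After rotation the former passphrase no longer matches the network key.
    print("old passphrase revoked:", rotation_revokes_access(old, new, ssid))
    # The SSID acts as the salt, so the same passphrase on another SSID differs.
    print("key differs per SSID:", wpa2_psk(old, ssid) != wpa2_psk(old, "OTHER"))
```
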
Physical access is another potential point of failure. Access to imaging rooms, consoles, and mobile X-ray carts should be secure.
I hope this brief overview of the security protocols that Carestream uses to secure medical X-rays acquired and transmitted by our Digital Radiography Detectors has been helpful. I recommend you also read our blog on 11 Tips for Handling DR Detectors.
About the author: Scott Rogerson has 20 years' experience in network development, with special expertise in networking equipment, Ethernet switches (layer 2 and layer 3), and MAP devices. Additionally, he has six years' experience developing detectors at Carestream Health.