Key security considerations when deploying imaging AI in healthcare.
The concerns around IT and data security in healthcare are nothing new, but as attacks on hospital IT infrastructure become more prevalent, it has become even more important that any technology brought into a healthcare environment is appropriately vetted and managed. The growth in third-party AI imaging applications is delivering all kinds of compelling clinical and operational benefits, but it also raises potential security risks.
Clinicians don’t want more logins, and they don’t need more passwords. They really don’t need more products to interface with either, not only because they are busy enough already, but because every new interface you open up for the user is potentially another opportunity for an attack. That should be avoided wherever possible. Think of the WannaCry ransomware incident of May 2017, which the Department of Health and Social Care later estimated to have cost the UK’s NHS around £92m.
One way to avoid unsecured interfaces with all these new applications is to ensure they are provided as part of your existing radiology IT infrastructure. This can be achieved by integrating new applications within your current PACS architecture, which is better for clinicians and better for security: one authenticated entry point, one set of credentials to manage, and one attack surface to monitor rather than one per vendor.
Monitor your monitoring
Another area of concern is the management and monitoring of these new applications. It is a key requirement to be able to monitor the performance of AI products in use and to ensure that the combination of systems is performing as required. Ideally, that monitoring should work purely from data pushed out by the site, with no inbound connections into the hospital network.
But how do providers do that without having to access the hospital’s systems from outside on a daily basis?
It comes down to controlling access to hospital networks, making sure that the keys are all on the hospital side, and ensuring that no vendor has unsecured, routine access in. You can do this with an outbound-only system that lives inside the hospital and sends out nothing but aggregate telemetry containing no patient data. It should sit behind the firewall and be controlled by the team on the ground in the hospital, and data should move beyond the firewall only when the hospital IT team has specifically agreed to it. Look for technologies that aggregate information about the performance of a platform running at a hospital in a form that is visible to all parties: the platform provider, the app provider and the hospital itself.
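As an added example (not code from the original article or from any vendor product), the following Python sketch shows the shape of such an on-site aggregator: per-study processing logs, which contain PHI, are collapsed into a per-application summary, and an allowlist on the export schema makes the export fail closed if any non-aggregate field slips in. The record field names, the allowlist and the sample records are all assumptions constructed for the example.

```python
"""Outbound-only telemetry for an on-prem AI imaging platform.

Added example, not code from the original article or any vendor product.
Per-study records (field names are illustrative) are collected inside the
hospital; only aggregate, PHI-free metrics are allowed past the firewall.
"""
import json
import math
from collections import defaultdict
from typing import Any, Dict, List

# Only these keys may appear in an outbound report. Export fails closed if a
# report carries anything else, so a PHI field added upstream cannot leak.
EXPORT_ALLOWLIST = frozenset({
    "app", "version", "window_start", "window_end",
    "studies", "failures", "failure_rate", "latency_p50_s", "latency_p95_s",
})

# Constructed sample of what the platform logs locally per study. These
# rows contain PHI (MRN, accession, name) and never leave the site.
LOCAL_RECORDS: List[Dict[str, Any]] = [
    {"app": "chest-ct-triage", "version": "2.1.0", "accession": "ACC0001",
     "mrn": "123456", "patient_name": "DOE^JANE", "latency_s": 12.4, "status": "ok"},
    {"app": "chest-ct-triage", "version": "2.1.0", "accession": "ACC0002",
     "mrn": "234567", "patient_name": "ROE^RICHARD", "latency_s": 9.8, "status": "ok"},
    {"app": "chest-ct-triage", "version": "2.1.0", "accession": "ACC0003",
     "mrn": "345678", "patient_name": "POE^EDGAR", "latency_s": 15.1, "status": "ok"},
    {"app": "chest-ct-triage", "version": "2.1.0", "accession": "ACC0004",
     "mrn": "456789", "patient_name": "LOE^JANE", "latency_s": 30.2, "status": "error"},
    {"app": "chest-ct-triage", "version": "2.1.0", "accession": "ACC0005",
     "mrn": "567890", "patient_name": "MOE^SAM", "latency_s": 11.0, "status": "ok"},
]


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile; good enough for operational dashboards."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def aggregate(records: List[Dict[str, Any]], window_start: str,
              window_end: str) -> List[Dict[str, Any]]:
    """Collapse per-study rows into one PHI-free summary per (app, version)."""
    groups: Dict[tuple, List[Dict[str, Any]]] = defaultdict(list)
    for rec in records:
        groups[(rec["app"], rec["version"])].append(rec)
    reports = []
    for (app, version), rows in sorted(groups.items()):
        latencies = [r["latency_s"] for r in rows]
        failures = sum(1 for r in rows if r["status"] != "ok")
        reports.append({
            "app": app, "version": version,
            "window_start": window_start, "window_end": window_end,
            "studies": len(rows), "failures": failures,
            "failure_rate": round(failures / len(rows), 4),
            "latency_p50_s": percentile(latencies, 50),
            "latency_p95_s": percentile(latencies, 95),
        })
    return reports


def validate_for_export(reports: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Reject any report carrying a key outside the allowlist."""
    for report in reports:
        extra = set(report) - EXPORT_ALLOWLIST
        if extra:
            raise ValueError(f"refusing to export non-allowlisted fields: {sorted(extra)}")
    return reports


def is_exportable(report: Dict[str, Any]) -> bool:
    """True if the report would pass the export gate."""
    try:
        validate_for_export([report])
        return True
    except ValueError:
        return False


def build_outbound_payload(records: List[Dict[str, Any]], window_start: str,
                           window_end: str) -> str:
    """The only bytes that should cross the firewall, sent over a connection
    initiated from inside to a destination hospital IT has approved."""
    return json.dumps(validate_for_export(aggregate(records, window_start, window_end)))


if __name__ == "__main__":
    print(build_outbound_payload(LOCAL_RECORDS, "2024-05-01T00:00:00Z", "2024-05-01T01:00:00Z"))
```

The point of the allowlist is that it is checked on the way out, inside the hospital, rather than trusting each upstream component not to log something it shouldn't; if a future version of an app adds a new field to its records, export stops until someone on the hospital side decides whether it is safe.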
Beware external access
The other area that keeps hospital IT departments up at night is protecting patients’ personal information. The financial penalties for a HIPAA breach can be severe if you are found to have exposed a patient’s information.
With the growth in third-party applications, hospitals are increasingly wary of external access to their networks. This should only ever be an occasional, collaborative endeavour between a site and a vendor, not something that happens every day, hour or minute.
There are plenty of AI providers that transfer some PHI into the cloud for processing and then send results back. That can be completely acceptable, but hospitals need to be aware that there is risk in doing so, and must be satisfied that the vendor can deliver the level of security they require. Those processes should be audited very carefully.
Ultimately, hospitals need to ensure that they are in control of all the data processes. If they are comfortable and in control, that is fine. If they are not, they need to consider other options, such as de-identifying data before it goes off-site.
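The following Python sketch is an added example (not from the original article or from any vendor) of de-identifying a DICOM-style header before it is sent to a cloud processor: direct identifiers are dropped, linking identifiers are replaced with an HMAC pseudonym under a key that never leaves the hospital, and dates are shifted by a per-patient offset so that intervals between studies survive. It operates on a plain dict of DICOM keywords so it runs without pydicom; the tag sets are a minimal illustration rather than the full DICOM PS3.15 confidentiality profile, and the sample header and key are constructed.

```python
"""De-identify a DICOM-style header before it leaves the hospital.

Added example, not from the original article or any vendor. Operates on a
plain dict of DICOM keyword -> value so it runs without pydicom; the tag sets
are a minimal illustration, not the full DICOM PS3.15 confidentiality profile.
"""
import hashlib
import hmac
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed for the example. In practice the key lives in the hospital's
# KMS/HSM and is never shared with the vendor, so only the hospital can
# re-derive a pseudonym and link results back to a real patient.
SITE_KEY = b"constructed-example-key-held-by-hospital-it"

# Tags that carry no direct identifier and may pass through unchanged.
KEEP = frozenset({"PatientSex", "StudyDescription", "Modality", "BodyPartExamined"})
# Tags the vendor needs for linking, replaced with a keyed pseudonym.
PSEUDONYMIZE = frozenset({"PatientID", "AccessionNumber"})
# Dates shifted by a per-patient offset so age and study intervals survive.
DATE_SHIFT = frozenset({"StudyDate", "PatientBirthDate"})
# Listed for documentation only: any tag outside the three sets above is
# dropped regardless, so an unexpected tag fails closed rather than leaking.
REMOVE = frozenset({"PatientName", "ReferringPhysicianName", "InstitutionName",
                    "PatientAddress", "OtherPatientIDs"})

# Constructed sample header, as the PACS might hand it to an AI application.
SAMPLE_HEADER: Dict[str, str] = {
    "PatientName": "DOE^JANE",
    "PatientID": "MRN123456",
    "PatientBirthDate": "19700315",
    "PatientSex": "F",
    "AccessionNumber": "ACC0001",
    "StudyDate": "20240501",
    "StudyDescription": "CT CHEST W/O CONTRAST",
    "Modality": "CT",
    "BodyPartExamined": "CHEST",
    "ReferringPhysicianName": "SMITH^JOHN",
    "InstitutionName": "Example General Hospital",
}


def _mac(key: bytes, label: str, value: str) -> bytes:
    # Label gives domain separation, so a PatientID and an AccessionNumber
    # with the same text never map to the same pseudonym.
    return hmac.new(key, f"{label}:{value}".encode("utf-8"), hashlib.sha256).digest()


def pseudonym(key: bytes, tag: str, value: str) -> str:
    """Stable under one site key; unlinkable to the real value without it."""
    return _mac(key, tag, value).hex()[:16].upper()


def shift_days(key: bytes, patient_id: str) -> int:
    """Offset of 1..365 days into the past, fixed per patient under the key."""
    return -(1 + int.from_bytes(_mac(key, "dateshift", patient_id)[:2], "big") % 365)


def shift_date(da: str, days: int) -> str:
    """Shift a DICOM DA value (YYYYMMDD) by the given number of days."""
    return (datetime.strptime(da, "%Y%m%d") + timedelta(days=days)).strftime("%Y%m%d")


def days_between(a: str, b: str) -> int:
    return (datetime.strptime(b, "%Y%m%d") - datetime.strptime(a, "%Y%m%d")).days


def deidentify(header: Dict[str, str], key: bytes) -> Tuple[Dict[str, str], List[str]]:
    """Return (de-identified header, list of tags that were dropped)."""
    days = shift_days(key, header.get("PatientID", ""))
    out: Dict[str, str] = {}
    dropped: List[str] = []
    for tag, value in header.items():
        if tag in KEEP:
            out[tag] = value
        elif tag in PSEUDONYMIZE:
            out[tag] = pseudonym(key, tag, value)
        elif tag in DATE_SHIFT:
            out[tag] = shift_date(value, days)
        else:
            dropped.append(tag)  # REMOVE set and anything unrecognised
    out["PatientIdentityRemoved"] = "YES"  # DICOM (0012,0062)
    return out, dropped


if __name__ == "__main__":
    cleaned, removed = deidentify(SAMPLE_HEADER, SITE_KEY)
    print(cleaned)
    print("dropped:", removed)
```

Because the pseudonym is an HMAC rather than a plain hash, a vendor holding the de-identified studies cannot brute-force MRNs or accession numbers back out of them, while the hospital can re-derive the same pseonym from its key to match returned results to the right patient. Note that shifting dates does not by itself satisfy the HIPAA Safe Harbor method, which requires removing all elements of dates other than year; date-shifted datasets are usually defended under Expert Determination instead, so confirm the approach with your privacy office.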