AI and Cybersecurity for Medical Imaging Diagnosis.
The European Union Agency for Cybersecurity (ENISA) has published a report on cybersecurity and privacy in AI for medical imaging diagnosis. The report makes it easier to assess the reality that artificial intelligence brings its own set of threats, which in turn demands new security measures to counter them. It should also be noted that the guide places as much emphasis on privacy issues as on cybersecurity issues, privacy being one of the most important challenges facing society today. Security and privacy are intimately related, but both are equally important, and a balance must be struck for each specific use.
With the influx of AI tools and services, the entire medical industry is rushing to discover use cases for AI in its devices, diagnostics and digital health solutions. Because of this unprecedented burst of artificial intelligence in MedTech, manufacturers and software developers are overlooking the side effects of AI. Through this report, ENISA aims to highlight threats and vulnerabilities that developers overlook, and to raise awareness of the cybersecurity and privacy threats that arise in various scenarios using artificial intelligence.
It indicates that the European Union and all the working groups are collaborating to ensure higher levels of privacy, cybersecurity and patient safety. Our experts have acknowledged the importance of cybersecurity and privacy. They are on a mission to provide all companies with end-to-end cybersecurity and privacy services, and to close communication gaps, in order to enhance patient safety.
While studying this report, we noted the main points of its summary, which should be helpful for you.
According to the report's chart, there are 12 main threats and vulnerabilities to medical imaging diagnosis resulting from AI applications. These threats and vulnerabilities are:
- Compromise of diagnostic system components.
- Evasion, caused by a lack of detection and training, and by widespread sharing of model information.
- Human error due to a lack of security in design, weak access control and poor data management.
- Disclosure of sensitive data used for machine learning and algorithm training.
- Data poisoning due to a lack of control, training and detection.
- Unlawful and unfair processing of data arising from a lack of privacy in design.
- Lack of transparency.
- Bias in the ML model, and a lack of disclosure of data usage leading to diversion of purpose.
- Excessive data collection and a lack of data pseudonymisation.
- Data storage and maintenance issues.
- Issues in training model compliance.
- Data retention, privacy and no respect of storage limitation.
Are you wondering about the impact of these threats and vulnerabilities?
Because of this ongoing development and the addition of new threats, the MedTech industry will be impacted by:
- Loss of unique targeted opportunities.
- Reputation degradation.
- Phishing attempts.
- Increase in targeted advertisements.
- Physical and permanent injury to the end user.
- Infringement of fundamental rights.
- Significant sense of invasion of privacy.
When a system becomes vulnerable and open to threats, an attacker could attack the exposed APIs and/or human interfaces; additionally, they could gain access to an account to infiltrate the data lake or the model server. When an imaging diagnosis tool such as X-ray software is in use, an attacker could modify the image capturing devices to add noise to an image, which could trick the model into making an incorrect diagnosis. The added noise can be imperceptible to humans while still influencing the output score of the ML program. This increases the potential for diagnostic error if the radiologist relies only on the program output. In the long run, the impact could be a misdiagnosis leading to reputation degradation, lawsuits, and physical and permanent injury to patients.
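One mitigation for the tampering scenario above is to bind an integrity tag to the raw pixel buffer at acquisition and verify it before inference, so that even a one-grey-level perturbation is rejected. The following is an added example, not code from the ENISA report or from any vendor; the device identifier, the key handling and the perturbation are constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed per-device key. Assumption: in a real deployment this key lives in
# the acquisition device's secure element or HSM, never in application code.
DEVICE_KEY = secrets.token_bytes(32)


def sign_capture(pixels: bytes, device_id: str, key: bytes = DEVICE_KEY) -> bytes:
    """Tag the raw pixel buffer at acquisition time, binding the device id too."""
    msg = device_id.encode() + b"\0" + pixels
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_capture(pixels: bytes, device_id: str, tag: bytes, key: bytes = DEVICE_KEY) -> bool:
    """Run before inference: pixels must be exactly what the device produced."""
    return hmac.compare_digest(sign_capture(pixels, device_id, key), tag)


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change between two 8-bit images (0 = identical)."""
    return max(abs(x - y) for x, y in zip(a, b))


def constructed_perturbation(pixels: bytes, step: int = 7) -> bytes:
    """Constructed stand-in for imperceptible noise: +1 grey level on every
    `step`-th pixel. Human eyes cannot see a delta of 1 out of 255."""
    out = bytearray(pixels)
    for i in range(0, len(out), step):
        out[i] = min(255, out[i] + 1)
    return bytes(out)


def demo() -> dict:
    # Constructed 64x64 8-bit image standing in for a captured X-ray frame.
    image = bytes((i * 37) % 256 for i in range(64 * 64))
    tag = sign_capture(image, "xray-01")          # produced on the device
    tampered = constructed_perturbation(image)     # modified in transit
    return {
        "clean_ok": verify_capture(image, "xray-01", tag),
        "tampered_ok": verify_capture(tampered, "xray-01", tag),
        "max_delta": max_pixel_delta(image, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The tag only proves integrity from the point where the key is held, so a compromised acquisition firmware could still sign noisy frames; pairing the tag with hardware-rooted device attestation closes that gap.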
As the technology is updated, it is important to update the skills of the end user as well. Frequent updates and advances in MedTech can increase the chances of human error. A network administrator could incorrectly expose (for example, by making public) certain instances of the databases, which would raise the risk profile of the 3 databases. This could leave personal data susceptible to attack, should the database storing personal data and patient files be targeted. This, in turn, could lead to reputation degradation and lawsuits for the medical practice, a significant feeling of invasion of privacy, phishing attempts, targeted advertising, or the loss of unique targeted opportunities for patients.
There is also a risk that radiologists are careless with patient data, bypassing the tool they have been provided with and entering data into other media (such as text files) whose creation has very low visibility (shadow IT). This opens a wide, untraceable attack surface, and malicious persons could try to access the data stored in unprotected or unrestricted applications. This makes personal data leakage easier, again leading to reputation degradation for the medical practice, a significant feeling of invasion of privacy, phishing attempts, targeted advertising, or the loss of unique targeted opportunities for patients.
The report highlights several similar scenarios in which the application of AI could pose a serious threat to the end user. To raise awareness, it provides a summary of cybersecurity and privacy controls in the following format:
Here are some essential steps and tips that you can take to protect your Medical Devices and the ecosystem:
- Maintaining a holistic Medical Device Inventory
Prevention of cyber-attacks begins with identifying every possible threat and device breach. Your protection teams should be well-equipped with clinical asset management systems. In simple words, every healthcare organisation and healthcare delivery system should have complete knowledge of all devices connected to its network.
The protective framework should record each device's:
- Physical attributes: equipment description, serial number, model number, assigned department, maintenance cycle.
- Digital attributes: mode of connection (whether the device connects via USB or Bluetooth), data transmission details, storage information.
- Relations with OEMs
Apart from creating a holistic framework, significant effort should go into keeping the Original Equipment Manufacturer (OEM) informed of updated requirements. Unlike other electronic gadgets, medical devices do not auto-update or download security patches on their own. Healthcare delivery units should therefore stay in constant touch with the OEMs and let them know of any requirements concerning cyber protection.
Different regions have different cybersecurity regulations, and the optimum solution in this case is collaborative working across the entire ecosystem. This means that once the healthcare delivery unit has built a holistic framework, a team of whistle-blowers must update the OEMs with any system upgrade requirement. The clinical evaluation team can play a vital role in ensuring this.
This relationship-building preventive measure will ensure regular system updates and maintenance of all connected devices.
- Regular tabs on system access
All devices, whether connected physically or via a remote setup, must be regularly assessed for potential vulnerabilities. Healthcare delivery units should proactively manage and review all permissions and authorisations. A robust audit of all clinical assets will be pivotal to the cyber defence mechanism, and will enable the responsible departments to quickly reach clinical assets and turn them off as a precautionary measure.
We all know that hackers have no sympathy and an opportunistic mindset. It is the core responsibility of all ecosystem members to ensure that ethical practices are followed. As a regulatory partner, Med-Di-Dia is strongly committed to cybersecurity and to helping clients define a solid pathway to an optimum patient experience.
Feel free to connect with our experts for all your medical regulatory needs.
Connect now!
Email: mdd@mddltd.com
Or fill out an interest form - https://mailchi.mp/cef1e53ebb00/digitalhealth