Ionizing radiation, from the sun and even the earth, is a daily fact of life. There is little that can be done about this, except to stay away from too much sunlight and protect the skin with sunscreens. On the other hand, people are also sometimes exposed to radiation for medical reasons – such as diagnostic X-Rays or CT scans, or a range of interventional radiology procedures. These procedures offer tremendous benefits for patients and for healthcare providers. The evidence for such benefits has become indisputable in recent years, and covers a wide range of diseases and conditions.

Medical imaging has profound impact on patient management
The American Journal of Roentgenology’ reported in 2011 that abdominal surgeries reduced significantly after CT scans. Physicians planned to admit 75percent of patients to hospital before CT. This level was changed to hospital discharge with follow-up in 24percent of patients after CT. The conclusions of the researchers, from Massachusetts General Hospital, were conclusive: CT ‘changes the leading diagnosis, increases diagnostic certainty, and changes potential patient management decisions.’
Massachusetts General Hospital was indeed one of the first institutions to study the impact of medical imaging. In 1998, a team from the hospital reported that CT was 93-98percent accurate in confirming or ruling out appendicitis. The condition accounted for 1 million patient-days per year in the US, with a similar level eventually found to have other conditions.

From emergency rooms to lung cancer
More recently, the New England Journal of Medicine’ published a study on non-invasive coronary CT imaging in the emergency room. The study found that out of the 8 million visits per year to emergency rooms by patients with chest pain, only 5-15percent were eventually found to be suffering from heart attacks or other serious cardiac diseases. As many as 60percent of patients faced unnecessary admission and testing to exclude acute coronary syndrome.
Meanwhile, it has also been reported that low-dose CT screening reduced lung cancer deaths by at least 20percent in a high risk population of current and former smokers aged 55 to 74. These findings were reported by the National Lung Cancer Trial in the US.

Fight against Alzheimer’s, speeding up clinical trials
In the future, medical imaging holds forth significant promise as a tool in the fight against diseases ranging from osteoporosis to Alzheimer’s, whose incidence is likely to grow sharply as the population ages.
Medical imaging also offers increasing promise as a surrogate endpoint in clinical trials, allowing measurement of the effect of a new drug far earlier than traditional endpoints, such as survival times or clinical benefit.

Concerns about over-use, some alarmist
Nevertheless, there are several concerns about over-use’ – especially for imaging accompanied by radiation such as CT. In the US, according to a June 2012 review in the Journal of the American Medical Association’, CT scans tripled in the period 1996-2010, corresponding to a 7.8percent annual increase. Although this was less than a near four-fold increase in MRI and a 30percent fall in nuclear medicine use, CT has been the target of sometimes emotive campaigns.
One good illustration of this was an Op-Ed in the New York Times’ on January 31, 2014. The article was titled ‘We Are Giving Ourselves Cancer.’ It opened with the observation that we are ‘silently irradiating ourselves to death,’ while its closing sentence urged finding ways to use CTs ‘without killing people in the process.’

The Times’ Op-Ed cited a British study which ‘directly demonstrated’ evidence of the ‘harms’ of CT, and it is here that its authors over-stretched their credibility. The study they referred to was published in Lancet’ in August 2012 and titled Radiation exposure from CT scans in childhood and subsequent risk of leukemia and brain tumours: a retrospective cohort study’. Its authors used data on 175,000 children and young adults and found that the cumulative 10-year risk was higher in relative terms, but translated into one extra case of leukemia and one extra case of brain tumour per 10,000 head CT scans.

ALARA and the principle of necessity and justification
In other words, while few would argue that there is no risk from radiation, it is clear that such risks are small and that even these small potential risks could be controlled further by reducing exposure to radiation.
Both industry and healthcare professionals are endeavouring to ensure that such a goal is achieved.
Manufacturers of CT and other radiation imaging equipment seek to keep exposure to radiation for both patients and medical staff to a minimum – and below their regulatory limits – by using the ALARA (As Low As Reasonably Achievable) principle to design their products. Key methods include use of the most dose-efficient technologies available and seeking to ensure that optimum scan parameters are used for a patient and examination type.
Meanwhile, in the clinical setting, doctors seek to ensure that radiation imaging examination is ordered only when absolutely necessary and justified, while radiographers optimize the radiation dose used during each procedure.

Safety, information and awareness
Since the mid-2000s, radiologists and medical physicists have taken steps to increase controls on radiation risks to patients. These have essentially focused on promoting the safe use of medical imaging devices, supporting informed clinical decision making and increasing patient awareness.
One of these initiatives is known as Image Gently, a collaborative initiative by radiology professional organizations and other concerned groups. Its target is to specifically lower radiation dose during the imaging of children.
A related initiative, led by the American College of Radiology (ACR) and the Radiology Society of North America (RSNA), is Image Wisely. This is essentially an awareness campaign whose goals are to eliminate unnecessary’ procedures and lower doses to minimal levels required for clinical effectiveness when necessary. One aspect of Image Wisely is collaboration between medical radiologists and manufacturers to improve performance of radiology equipment and allow physicians to make real-time assessments of whether radiation levels are acceptable.

Initiatives by professional societies
Such initiatives are closely supported by professional radiology societies. The ACR has developed Appropriateness Criteria (corresponding to the federal requirements on appropriate use) to assist referring physicians and radiologists in prescribing the best imaging examination for patients – based on symptoms and circumstances. One tool consists of the display of imaging options and associated radiation levels for a specific procedure. The aim is to reduce imaging examinations by assuring that the most suitable exam is done first.
In Europe, the European Society of Radiology’s flagship EuroSafe Imaging’ has the same objective, to maximize radiation protection and quality/safety in medical imaging. The initiative was launched at the European Congress of Radiology in 2014 and has so far attracted over 50,000 individual supporters (known as Friends of EuroSafe Imaging’). Over 200 institutions (industry and healthcare providers) have also endorsed the initiative.

Accreditation programmes
Accreditation programmes are also being targeted by the ACR and ECR, in order to assess facilities based on imaging competence, adherence to latest dose guidelines, and personnel training. Given the pace of technology development in imaging, certified radiology and nuclear medicine professionals are increasingly recommended or (in some cases) required to earn continuing education credits on radiation safety.
In Europe, the ECR has joined forces with the European Federation of Organizations for Medical Physics (EFOMP), the European Federation of Radiographer Societies (EFRS), the European Society for Therapeutic Radiology and Oncology (ESTRO), the European Association of Nuclear Medicine (EANM), as well as the Cardiovascular and Interventional Radiological Society of Europe (CIRSE) on an EU-promoted radiation education project called MEDRAPET. The findings, published in 2014, revise the previous Radiation Protection 116 Guidelines on Education and Training.

The Bonn Call for Action sets roadmap for the future
Many of these initiatives have been inspired by a conference held in Bonn, Germany, at the end of 2012, which was sponsored jointly by two United Nations bodies – the International Atomic Energy Agency (IAEA) and the World Health Organization (WHO). The outcome of the conference, which was attended by participants from 77 countries, is known as the Bonn Call for Action, and aims to strengthen medical radiation practices into the 2020s.

The Bonn Call consists of ten major actions. These are described below:

• To enhance implementation of the principle of justification. There is explicit emphasis on the use of clinical decision support (CDS) technology towards such a goal.
• To enhance implementation of the principle of optimization of protection and safety. There is a specific call to ensure the establishment, use and regular updating of diagnostic reference levels for radiological procedures, including interventional procedures, and to develop and apply technological solutions for patient exposure records, harmonize dose data formats provided by imaging equipment and increase utilization of electronic health records.
• Strengthen manufacturers’ role in contributing to the overall safety regime. This seeks to enhance radiation protection features in the design of both physical equipment and software, and to make these available as default features rather than optional extras.
• Strengthen radiation protection education and training of health professionals.
• Increase availability of improved global information on medical exposures and occupational exposures in medicine, with specific attention to developing countries.
• Improve prevention of medical radiation incidents and accidents. One interesting facet here is a call to work towards including all modalities of medical ionizing radiation as part of a voluntary safety reporting process, with specific emphasis on brachytherapy, interventional radiology, and therapeutic nuclear medicine, in addition to external beam radiotherapy.
• Strengthen radiation safety culture in healthcare.
• Foster an improved radiation benefit-risk-dialogue.
• Strengthen the implementation of safety requirements globally.
• Develop practical guidance to provide for the implementation of the International Basic Safety Standards in healthcare globally.

Although some of the Bonn Call points are repetitive, the document is noteworthy in terms of setting a minimal set of common rules for a very wide range of stakeholders – manufacturers, health professionals and professional societies.

Point 6 seeks new work on effective’ dose
Point 6 of the Bonn Call is both ambitious and timely. Although the concept of effective dose’ (or effective dose equivalent) was introduced in the mid-1970s to provide a common framework for evaluating the impact of exposure to ionizing radiation via any means, technology’s uneven leaps have not made it easy to follow through. Data for doses by different radiographic imaging modalities used in radiation therapy are scattered widely through literature, making it difficult to estimate the total dose that a patient receives during a particular treatment scenario. In addition, interventional systems are often configured differently from diagnostic set-ups and imaging systems do not distribute radiation in similar ways. For example, planar kV imaging attenuates rapidly along the line of sight, while CT dose is uniformly distributed through a patient. This makes it difficult to sum dose in a radiobiologically consistent manner.

Digital tomosynthesis creates a three-dimensional (3-D) picture using X-rays. In this respect, tomosynthesis is close to a CT (computed tomography) scan. Nevertheless, there are differences between the two. In fact, the development of CT is considered to be one of the reasons for a decline in interest in tomosynthesis, until recently.
One of the principal applications for tomosynthesis today is breast cancer. The basic difference between a digital breast tomosynthesis (DBT) and conventional mammography lies in detail. DBT removes confusing overlying tissue, thus providing clearer imaging and clarity. It also has improved low contrast visibility over mammography, even at a reduced dose. Some explain the difference between DBT and mammography as that of a ball compared to a circle. Nevertheless, in spite of its higher accuracy, the X-ray dose for DBT is similar to that of a mammogram.

Tomosynthesis and CT
Tomosynthesis is now increasingly seen as a low-dose alternative to CT, and is being evaluated against both CT and radiography in several areas, such as erosion in arthritis, or fractures accompanied by metal artifacts.
Technically, tomosynthesis combines digital image capture with the tube/detector motion of CT. However, there are several differences. In CT, the detector makes at least one complete 180-degree (half circle) rotation around the subject. Images are then reconstructed from this data. Tomosynthesis uses a far smaller rotation angle and a lower number of discrete exposures than CT. The lack of comprehensiveness in projections, compared to CT, is compensated by digital processing – with reconstruction of slices at varying depths and thicknesses. The result is that the images are similar to CT, but have a lower depth of field. The reduction in projections, as compared to CT, cuts down on both radiation dosage and cost.

Mammography : the approaches
A mammogram is basically an X-ray examination. However, it uses a machine designed specifically for examining breast tissue. The X-ray format in a mammogram is different while radiation dosages are lower than a conventional X-ray. One of the problems with the latter is that X-rays do not easily penetrate breast tissue. In a mammogram, two glass plates compress the breast to spread out the tissue allowing for a better and more accurate image, using less radiation.
Mammography, formally known as full-field digital mammography (FFDM), usually takes two X-rays of the breast from above (cranial-caudal view, CC) and from an oblique or angled view (mediolateral-oblique, MLO). Single-view mammography uses only the MLO view, and was widespread in the early days of screening. However, it has lower sensitivity and higher recall rates, compared to two-view mammography. Theoretically, the only advantages of single-view mammography are less radiation (which is especially important for young women, who are more sensitive to radiation) and quicker examination speed.

Breast cancer and the mammogram
Breast cancer shows as a typically denser zone than adjacent healthy breast tissue in a mammogram, where it appears as an irregular white area or shadow’.
The term digital’ mammography sometimes confuses patients. However, it simply applies to the storage medium. While regular mammography provides film pictures, digital mammography records images on a computer.

The DBT procedure
While a mammogram is a modified X-ray machine, DBT is delivered by a modified mammogram. It positions the breast in the same way as a mammogram. However, the compression required is less than the latter, in effect just enough for preventing the breast from movement. The X-ray tube then moves around the breast in a circular arc, typically taking 11 X-ray images of 1 mm thickness from different angles, usually over 10 minutes. The images are synthesized by a computer into a clear and highly-focused 3-D image throughout the breast. This allows specialized breast radiologists to see clearly through layers of tissue, including dense tissue, and examine zones of concern from a full range of angles.
Patient comfort is a factor clearly favouring DBT. The breast compression required for a mammogram can be uncomfortable and even sometimes painful, deterring several women from getting tested.

The challenge of false negatives and positives
From a clinical perspective, the high degree of breast compression required by a mammogram can also result in causing folds and overlaps in breast tissue, which can hide the cancer. In other words, negative results do not a guarantee that a woman is cancer-free. The false negative rate is estimated to be as much as 15-20percent. It is also higher in younger women as well as in women with dense breasts.
On the other side, mammograms also face major challenges from false positives. A mammogram may show areas that are considered suspicious or abnormal. This is followed by additional tests (further mammograms, ultrasound and MRI, or an invasive breast biopsy).
One study, published in the May 2014 issue of Annals of Internal Medicine’ found that after 10 years of annual screening mammography, more than half of women will receive at least one false-positive recall.
Some estimates find that 75-80percent of all breast biopsies are unnecessary – that is, they do not find cancers, and 7-9percent receive a false-positive biopsy recommendation. In general, the higher effectiveness of DBT means that patients require fewer (unnecessary) biopsies or other tests.

DBT and multiple tumours
Tomosynthesis also has another major advantage. It has a far greater likelihood than mammography of detecting multiple tumours (which occur in about one in 7 breast cancer patients).

History of DBT
Massachusetts General Hospital (Mass General) in the US is generally credited with pioneering the development and implementation of DBT into a screening programme. In 1992, the hospital’s specialized breast imaging team began researching application of tomosynthesis. In March 2011, just one month after breast tomosynthesis was approved by the US Food and Drug Administration (FDA), Mass General announced that it had performed the first clinical DBT exam in the US. In 2014, the hospital adopted breast tomosynthesis plus mammography as standard protocol for all breast screening.
The hospital states that breast tomosynthesis research in large populations consistently shows ‘improved breast cancer detection rates, especially invasive cancers’ as well as a ‘decrease in call backs, which may lessen anxiety for patients.’

DBT not yet standard of care
Even though digital breast tomosynthesis is now FDA-approved for more than five years, it is not yet considered the standard of care for breast cancer screening. A 2009 recommendation from the US Preventive Services Task Force (USPSTF) has recently been updated. However, it observes that current evidence still remains insufficient to assess the benefits and harms of DBT as a primary screening methodology for breast cancer.
Nevertheless, DBT is available at a small but growing number of US hospitals. These are generally licensed and accredited by the FDA as well as the American College of Radiology (ACR).

DBT in Europe
In Europe, the European Reference Organisation for Quality Assured Breast Screening and Diagnostic Services (EUREF) has recently updated its breast tomosynthesis protocol (version 1.01). Key changes concern technique and methodology (back-projection, dosimetry etc.).
European breast cancer experts frequently cite US studies that show a significant decrease in recall rate using DBT as adjunct to mammography, as well as the increase in cancer detection rates.
Meanwhile, there have recently been several European trials on DBT.

STORM: DBT versus 2D mammograms
The results of one of the first European trials, known as Screening with Tomosynthesis OR standard Mammography (STORM), were published in 2013. This was a prospective comparative study conducted at the University Hospital of Trento, Italy. It sought to determine if DBT overcame some of the limitations of conventional 2D mammography for detection of breast cancer.
The findings were conclusive. The authors of the study estimated that conditional recall could have reduced false positive recalls by 17.2percent without missing any of the cancers detected in the study population.

DBT and mammography combinations studied in Norway
Combinations of DBT with reconstructed 2D images or standard (digital) mammography have also been investigated for screening in Norway.
The Norwegian study was led by a team at Oslo University Hospital, Ullevaal. It sought to compare the performance of two versions of reconstructed two-dimensional (2D) images in combination with DBT versus standard FFDM plus DBT.
Cancer detection rates over two different periods were 8.0 and 7.8 per 1,000 screening examinations for FFDM plus DBT, and 7.4 and 7.7 per 1,000 screenings for reconstructed 2D images plus DBT. False-positive scores were 5.3percent and 4.6percent (over the two periods for FFDM plus DBT, respectively), and 4.6percent and 4.5percent (for reconstructed 2D images plus DBT).
The conclusion of the Norwegian study, published in the June 2014 issue of Radiology’ was clear:
‘The combination of current reconstructed 2D images and DBT performed comparably to FFDM plus DBT and is adequate for routine clinical use when interpreting screening mammograms.’

Sweden: DBT versus mammography, and combinations
Meanwhile, a trial in Sweden, known as the Malmo Breast Tomosynthesis Screening Trial (MBTST), published its results in 2015. MBTST claims to be the first trial designed to assess the efficacy of one-view DBT versus two-view mammography in brast cancer screening, along with a combination of one-view DBT and one-view mammography versus two-view mammography. The authors, from the University of Lund’s Malmo campus found ‘a significant increase in cancer detection rate when using one-view DBT as a stand-alone screening modality, compared to two-view DM (digital mammography). The recall rate increased significantly but was still low.’ They concluded that one-view DBT might be feasible as a stand-alone breast cancer screening modality.

DBT and ultrasound
European researchers have also sought to go beyond comparing DBT with mammography alone. In March 2016, the European CanCer Organisation (ECCO) released interim results from a trial called ASTOUND (Adjunct Screening with Tomosynthesis or Ultrasound in Mammography-negative Dense breasts) at a conference in Amsterdam.
ASTOUND has been recruiting asymptomatic women who attend for breast screening at five imaging centres in Italy and who have extremely dense breasts (defined by the BI-RADS Breast Imaging and Reporting and Data System as being in Categories 3 and 4).
The researchers, led by Dr. Alberto Tagliafico, a radiologist and Assistant Professor of Human Anatomy at the University of Genoa, Italy, have found that adding either DBT or ultrasound scans to standard mammograms could detect breast cancers that would have been missed in women with dense breasts.

Outlook for the future
In general, whether in the US or Europe, more remains to be done to conclusively establish the advantages of DBT in screening. However, it is indisputable that DBT does results in a significant increase in cancer detection rates.
An article in the April 2016 edition of Breast Cancer’ by P. Skane (who led the Norwegian trial mentioned above) argues that ‘DBT should be regarded as a better mammogram that could improve or overcome limitations of the conventional mammography, and tomosynthesis might be considered as the new technique in the next future of breast cancer screening.’

Hospitals straddle a unique crossroads in terms of cybersecurity, crime and potentially, terror. In spite of a rapid shift to computerized prescriptions and electronic records, the hospital business is inherently complex, marked by privacy constraints as well as legacy IT infrastructure. In an era of cost cuts, hospital managers have also been tempted more by imaging scanners and surgical robots, rather than (invisible) firewalls and encryption systems.

by Ashutosh Sheshabalaya and Antonio Bras Monteiro

UCLA 2014: six years after Britney Spears, access still unhindered
As recently as 2014, after a massive hack, one of the world’s most prestigious hospitals, at the University of California Los Angeles (UCLA), acknowledged that its patient data was not encrypted.
At stake was data on 4.5 million patients, some dating to 1990. Six years previously, UCLA had paid out $865,000 ( Euro 778,000) after an employee stole medical data on celebrities including singer Britney Spears and actress Farah Fawcett, and put them up for sale.

Situation challenging in both US and Europe
Many hospitals are accepting they have a serious cybersecurity problem on their hands. This follows mounting public concern – especially in the US – about growth in hospital data theft.
Although American politicians have called for emulating some of Europe’s medical data security practices, the European situation hardly justifies complacence, as we shall see.

Data on 80 million patients hacked, 9.3 million offered for sale
In the broadest terms, healthcare lags other economic sectors in terms of information security. In the US, healthcare accounted for three of the top seven security breaches in 2015. During the year, just one hacking incident at insurer Anthem Inc. potentially compromised medical data on 80 million Americans.
The situation has since worsened. In June 2016, Baltimore-based privacy monitor Protenus reported a staggering 11 million patient records stolen in 29 incidents (24 at hospitals).
During the month, one hacker made two back-to-back online sale offers – for 655,000 medical records, followed a few weeks later by 9.3 million records. The numbers are of course impressive. However, as the hacker underlined to DarkNet news aggregator DeepDotWeb, this was only a start. ‘A lot more,’ he said, was still ‘to come.’

Identity theft – from drugs, explosives and insurance claims to duplicated you-and-me
One of the biggest risks is identity theft. Data on patients, including names, birth dates, social security and insurance policy numbers, diagnostic, treatment and credit card information, can be misused in several ways. Criminals also have an easy choice. If a target refuses to pay ransom, hackers can still sell the data.
Stolen IDs are used to buy drugs and equipment for resale, or to make insurance claims. Certain prescription medicines can be converted into synthetic addictive drugs, or especially potent explosives.
A basic identify kit sells for $1,500 ( Euro 1,350), though certain medical data can raise the price dramatically. This compares to the couple of dollars sought for basic credit card information. Identity kit data can be used to professionally forge follow-on credentials such as new credit cards and lines of credit, insurance and social security subscriptions, driving licenses, marriage certificates (for illegal immigrants) and passports.
Giving criminals the luxury of time, medical identity theft is seldom noticed quickly, again unlike credit cards. Personal medical information, moreover, can be tailored to follow up with blackmail and other kinds of demands.

A fast-growing and expensive problem
A February 2015 study by Ponemon Institute, a think-tank on data protection, shows US identity theft rising annually at about 20% since 2012. An estimated 2.3 million adults were affected by medical identity theft in 2014, up from 1.4 million in 2009.
The cost to patients is substantial. Ponemon found medical identity theft costing an average of $13,500 ( Euro 12,150)in out-of-pocket legal expenses and financial losses.

Endangering patients
Beyond costs lie other dangers. These are often exacerbated by delays in hospitals informing patients about medical data theft. As we shall see, such a lapse is hardly rare, and victims can end up with a thief’s health data incorporated into their own. A patient record may show a diabetic as being diabetes free, with other misinformation about allergies or blood type being potentially fatal.
Reversing this is not always straightforward.
In summer 2015, the Wall Street Journal’ reported an identity theft at Centerpoint Medical in Independence, Missouri, leading to erroneous billing about a non-existent injury. Although the error was pointed out to the hospital in January 2014, the hospital and a collections agency remained in hot pursuit until the year end for payments – and interest.
The intervention by the influential US newspaper led to Centerpoint dropping the bills and charges. However, when the (real) patient’s record was found to contain wrong information about an allergy, a review was not permitted, in order to protect the thief’s health information – covered by the privacy provisions of HIPAA (Health Insurance Portability and Accountability Act).

USBs, laptops – physical theft remains a major problem
In spite of such growing threat awareness, the risk management spectrum remains immature. Most hospitals lack protocols to prevent data transfer to small, high-capacity USB sticks and CD-ROMs, or control access for laptops. Indeed, Department of Health and Human Services (HHS) data show that over 40% of US medical data breaches involve portable media devices.
One good example is Chicago’s Advocate Medical Group where a laptop theft from an unmonitored’ room in 2013 led to the loss of data, including social security numbers, on 4 million people. Advocate Medical took one month to notify patients, although many faced a clear risk of identity theft.

No encryption, not even passwords
One year previously, Howard University Hospital notified 35,000 patients that their medical data had been compromised, after a contractor at the hospital downloaded files onto a personal laptop, which was then stolen. The data, included names, addresses, Social Security numbers and medical information. It was password-protected but unencrypted.
Several non-technical hospital staff, unfortunately, remain unaware about this crucial difference.
For example, at the end of 2013, Kaiser Permanente’s Anaheim Medical Center reported a breach of 49,000 records from an unencrypted, missing USB drive. A similar situation occurred again in May 2016 after 29,000 emergency room patient records were compromised at Indiana University’s Arnett Hospital, after being accidentally’ downloaded to a USB drive. This time the data was neither encrypted nor password protected.

Europe has similar problems as US
The situation in Europe, too, is hardly encouraging. As far back as 2007, Britain’s Nottingham University Hospitals Trust faced the theft of a USB stick with patient data from a doctor. The theft came to light after a whistle-blower wrote to the British Medical Journal’ and noted that it was common for doctors to carry patient data around on USB sticks in order to permit patient hand-overs. Although the Trust’s policy required confidential data storage on USB sticks to be limited to 128-bit encryption and be used solely on hospital computers, only the naive (continue to) believe that enforcing such a policy is possible.
One year later, a manager at Colchester Hospital in Essex was sacked after his laptop containing medical data was stolen by thieves who broke into his car while he holidayed in Edinburgh. At the time, the hospital’s CEO said the sacking was a clear endorsement about ‘how seriously’ he took ‘security and patient confidentiality.’ However, there was no explanation about why private medical data was present, and then too in an unencrypted form, on the laptop of a holidaying executive, when it could well have been accessed via a secure online network.

Theft of laptop with 8.3 million (unencrypted) UK records
The quantity of physical data theft from UK hospitals also continues to grow, even as security practices remain stuck. In 2011, an (unencrypted) laptop was stolen from an (unlocked) office in the headquarters of Central London NHS (National Health Service). The laptop contained hospital records of 8.3 million identifiable patients.
Overall, according to an investigation by Pulse’ magazine, 55 UK hospitals have reported breaches, including records dumped in public places, or provided to the wrong patients.
The lack of a risk management policy was demonstrated emphatically in April 2014. In spite of claims that the (massive) UK national records database ‘has never been compromised,’ Freedom of Information disclosures showed four serious medical data security breaches since 2009.

French hospitals: laconic about cybercrime
France, too, is in a similar quandary. It is implementing a single national medical database with information on 66 million residents. This complements an electronic medical record (known as DMP 2) with open architecture to make it easier for sharing data among hospitals and healthcare professionals.
In May 2016, the journal Le Nouvel Observateur’ noted though several French hospitals had been targeted by cybercriminals, there was a deafening silence about the issue. In addition, it said, there was little clarity about whether patients would be informed in case of a data breach. What was especially alarming was that only 50 experts were responsible for computer security at 1,000 French hospitals.

US Senate tightens the screws at end of 2012
In the US, meanwhile, although the privacy of medical health data is codified by HIPAA and reporting rules from 2009 require hospitals to notify both the authorities and the media if a data breach affects 500 or more patients, there are no requirements for criminal prosecution.
Until November 2012, in spite of more than 22,000 complaints about HIPAA privacy violations, the US government imposed just one fine. During that month, after a particularly feverish spell of attacks, the US Senate took HHS to task in a public hearing. By June 2013, HHS had made fines of over $1.5 million ( Euro 1.35 million).

Howard University hospital attacked twice in 2012
2012, the year of the Senate hearings, was clearly a turning point in US attention to medical data safety.
In May, prosecutors charged Laurie Napper, a technician at Howard University Hospital for using her position at the hospital to gain access to patients’ names, addresses and Medicare numbers and selling this information. This was barely a few months after the same hospital had notified 35,000 patients about their medical data being compromised.

US military medical records compromised
In November 2012, TRICARE, the health insurer for the US military, announced the theft of backup computer tapes with 5 million names, Social Security numbers, and, in some cases, clinical notes and lab test results. The fact that these records also contained the home addresses of military personnel added another category of security risk to the theft.

Whether due to larger fines for medical privacy violations and/or a fast-growing number of cybercriminals, Ponemon Institute found that 40% of US healthcare organizations reported a criminal cyber attack in 2013, twice the level of 20%
in 2009.

After Chinese attack, FBI heightens attention to hospital cybersecurity
One key development has been the FBI’s entry in 2014 into hospital cybersecurity. One of the trigger events was a theft by Chinese hackers of data on 4.5 million patients held by one of the US’ largest hospital operators, Community Health Systems Inc.
Soon after, as noted previously, US health insurance giant Anthem Inc. reported what may be the biggest medical record hack in the world. Anthem holds data on 80 million Americans, including names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as diagnostic and medical/surgical procedural data. Ironically, only a few weeks before, Anthem’s CEO announced that his company and the health insurance industry ranked at the end of the list in customer service.
The risk of attacks by hostile foreign interests was, however, not new. Indeed, in the tipping point year of 2012, Utah’s Department of Health reported that hackers from eastern Europe had stolen medical information on 800,000 people, or almost 25% of the State’s residents.

Shutting down a hospital: the problem of ransomware
Beyond medical identity theft lies ransomware, which may be the fastest growing security risk. Rather than stealing data, ransomware locks down systems and encrypts files. Typically, a pop-up screen then demands ransom in exchange for a key to decrypt files and return access to a user.
Ransomware offers one of the best risk-reward portfolios for criminals who target hospitals. The technology is relatively unsophisticated and versatile, and hackers can make money quickly via extortion rather than seeking to sell data on the black market.
In February 2016, Hollywood Presbyterian Medical Center called in the FBI after ransomware forced its IT systems offline. Physicians could not access electronic records or communicate via email. Some emergency patients were diverted to other hospitals while outpatients missed treatments. Although reports about a $3.6 million ( Euro 3.24 million) ransom payment were reduced to $17,000 ( Euro 15,300), the fact that ransom money was paid is likely to increase the risk of copycat cybercriminals. The FBI recommends organizations do not pay ransom.
At the end of March, MedStar Health, a ten-hospital group in Maryland with over 100 outpatient facilities and 30,000 staff, became the largest medical entity to be successfully attacked by ransomware. Though MedStar stated there was ‘no evidence of compromised information,’ the bulk of its electronic operations was shut down. This time too, the FBI, was called in.
By June 2016, at least a dozen US hospitals had been targeted by ransomware. The number is likely to grow.

Ransomware forces German hospital to use pen and paper, postpone surgeries
The threat of ransomware is also serious in Europe.
In February 2016, the respected German publication Deutsche Welle’ (DW) reported that a number of hospitals in the country had fallen prey to ransomware, disrupting core healthcare services and internal systems. DW named several leading hospitals, including the Lukas Hospital in Neuss and the Klinikum Arnsberg hospital in North Rhine-Westphalia.
The Lukas Hospital was forced to revert to phone calls, fax and pen-and-paper records for several weeks, with high-risk surgeries postponed until handwritten notes had been filed.
On the other hand, Klinikum Arnsberg fared far better. A quick response saved it after the ransomware, entering via email, was detected on one server. All other servers, some 200 in total, were switched off to prevent contagion.

From IP to terror: other cyber-risks associated with healthcare
The healthcare threat spectrum extends beyond hospitals.
In October 2013, the US Food and Drug Administration (FDA) reported an alarming security breach at its Center for Biologics Evaluation and Research. The hack compromised 14,000 accounts, including proprietary pharmaceutical company data.
Issues of intellectual property (drug formulae, manufacturing processes etc.) and trade secrets are of evident interest, to competitors, both at home and abroad. This is not a trifling matter, given the billions of dollars spent in developing and marketing a drug, and the billions more expected from its sale.
The interest in biologics in particular, shown by the hack at the FDA, has been of concern since several biologic products have recently begun to come off patent, while many more are expected to do so in the future.
Last but not least, biological products include vaccines – with all their attendant implications for terrorist attacks. At the end of May, one of France’s biggest hospitals, the Pitie-Salpetriere at Paris, was subject to a break-in at a laboratory storing bacteria. In November 2015, just after the Paris terrorist attacks, another city hospital, Necker, had reported the theft of Hazmat suits – which can be used to protect against bacteria/biowarfare agents. Whether there is a connection between the two is something one can only speculate about.
There will no doubt be other risks. For example, we know of one case of theft of a hospital’s fire safety plans. These identified storage areas for radioactive substances and hazardous waste. Here again, the authorities seem to be at a loose end.
Until hospitals and other actors in the healthcare industry develop and implement security best practices, the threat of disruptions, caused by petty criminals and ranging through to foreign corporate spies and terrorists, will clearly persist.

The authors
Ashutosh Sheshabalaya and Antonio Bras Monteiro
SolvX Solutions
Email: office@solvx.com

SolvX provides security and risk consulting services out of offices in Europe, the Middle East and Asia.

The medical device industry is continually improving diagnostic imaging systems in order to lower radiation dose without compromising image quality, and both company articles and studies by cardiologists published in peer-reviewed journals stress the benefits for patients. However, much less emphasis is given to radiation exposure of relevant healthcare workers, a problem that is particularly acute in the catheterization lab where the use of albeit low radiation dose imaging approaches has increased exponentially. Diagnostic procedures utilizing ionizing radiation, such as coronary angiography, are now standard, as are interventions such as coronary artery angioplasty and stenting. Interventions such as atrial fibrillation ablation can take several hours and require up to an hour’s screening time. And the huge growth in the number of trans-catheter aortic valve implantation (TAVI) procedures carried out in the cath lab also impacts on the cumulative radiation dose to which operators are exposed.
The potential hazards of operator exposure include skin erythema from hands being constantly within the primary beam, and damage to eyes. Relatively low radiation doses can irreversibly damage the lens; higher doses can affect the conjunctiva, iris, sclera and retina. And of most concern, increasing radiation exposure can result in irreversible damage to cellular DNA and carcinogenesis; the brain, thyroid and skin are most susceptible to cancers. A survey published earlier this year in the American heart association journal compared 466 healthcare personnel with an average of ten years cath lab experience with 280 personnel working in cardiology but without radiation exposure. The prevalence of skin lesions, cataracts and cancers were all significantly higher in the radiation-exposed group, as were hypertension and orthopedic problems such as back pain. But in the high stress environment of the cath lab, exacerbated because these healthcare workers are frequently on call’ after completing their regular shifts, it is understandable that monthly reports of radiation exposure are not scrutinized by staff, and that effective protective measures such as special glasses, thyroid collars, gloves and lead aprons- the wearing of which has been linked to lower back pain- are not always utilized.
So surely it is essential that hospitals provide intensive training in radiation protection for the whole cath lab team, ensure that all staff know the relevant protocols and adhere to them, and regularly examine shielding equipment for defects. In addition radiation protection supervisors should monitor exposure on a monthly basis, via operator badges and ideally by the systems available that can provide real-time data throughout every procedure involving ionizing radiation.

Liver disease is a growing problem across the world. It includes a large range of disorders, such as fatty liver disease (both alcoholic and non-alcoholic), drug-induced liver damage, primary biliary cirrhosis and hepatitis (viral and autoimmune).

Biopsy is gold standard for liver disease
Fibrosis is a relatively common consequence of chronic liver diseases, and its staging, alongside exclusion or confirmation of early compensated cirrhosis, are considered to be vital for surveillance and treatment decisions.
The gold standard for the confirmation of hepatic fibrosis is biopsy. However, biopsy of the liver has several disadvantages. First of all, it is invasive. It is also associated with rare but serious complications. Finally, it can sample only a small portion of the parenchyma (functional rather than connective tissue). This makes it vulnerable to sampling errors.

Non-invasive tests becoming norm
To overcome such constraints, a variety of non-invasive imaging and serological methodologies have been researched and developed for assessing fibrosis. Aside from staging, an ever-growing corpus of data from non-invasive liver tests is also yielding considerable insights for prognostic patient care.
Liver biopsy is now largely restricted to patients showing unexplained discordances in non-invasive testing or those where hepatologists suspect additional etiologies of the disease.
Indeed, non-invasive tests are fast becoming the norm in much of the world, outside the US, although there are several exceptions. The reasons for the lower penetration of non-invasive tests in the US are discussed later.

Ultrasound at forefront
New non-invasive methods for assessing liver fibrosis consists of ultrasound elastography, a diagnostic methodology to evaluate stiffness of tissue, magnetic resonance elastography and serologic testing.
To some of its proponents, elastography is simply a form of the centuries-old systems of diagnosing and assessing diseases via palpation, now extending beyond the scope of physical touch.
While a biopsy is invasive and carries bleeding and infection risks, elastography is seen as a way to get the data needed by clinicians to diagnose and stage liver diseases without the associated complications.

Ultrasound-based elastography is not only used as an alternative to liver biopsy for measuring fibrosis, but also to predict complications in patients with cirrhosis. Another advantage is that elastography, like other non-invasive imaging modalities, can be repeated as often as required to monitor disease progression. Due to their risks, this is simply not feasible with biopsy.

Strain elastography and shear wave elastography
The best-known commercial ultrasound-based techniques for assessing fibrosis include strain elastography and shear wave elastography (SWE). SWE is a real-time two-dimensional elastography technique which enables making quantitative estimates of tissue stiffness in kilopascals (kPa) by virtue of the shear wave speed.
Technologically, even though strain elastography predates SWE, the latter is more easily reproducible than strain elastography, and has rapidly gained interest as the preferred technique. The two are quite different, and outside the hepatology area, seem to have significant complementarities.
Broadly speaking, strain imaging is a qualitative/semi-quantitative method influenced by histotype and lesion size. The use of semi-quantitative indices does not improve performance. Neither does it reduce interoperator variability.

SWE provides accuracy, comparability
Shear wave, on the other hand, is a quantitative method which provides a more accurate and easily comparable assessment of spatial distribution of tissue stiffness.
Most practitioners see SWE as quick and easy to perform, and easily repeated to monitor liver disease progression and measure the effect of a particular treatment. An ultrasound shear wave propagates like ripples of water, as it spreads across tissue. A coherent pattern indicates that a pulse has been applied properly and that there are no artifacts (e.g. from vessels) that would provide erroneous results.
SWE systems provide variable depth of measurement. A depth of 5-6 cms may make it difficult to scan the liver in a large or obese patient, but depths of up to 8 cms are available in certain SWE systems. However, results are not reproducible at such depths, across commercial SWE vendors.

Ease of use not universally accepted
Nevertheless, not everyone agrees that the procedure is easy, especially if SWE results need to be matched against reproducible serological tests. The Society of Radiologists in Ultrasound notes the considerable training required for precision. SWE begins with the positioning of a patient in a left posterior oblique position with the arm raised. Patients need to also breathe slowly, and when asked, suspend breathing, since movement of the liver can reduce accuracy in measurement.

Liver is principal application for SWE
So far, SWE has been used to evaluate and quantify liver fibrosis/cirrhosis of multiple etiologies or with complicating co-morbidities, including chronic hepatitis, liver cancer, steatohepatitis, and biliary atresia. The two-dimensional shear wave elastographic technique offers better performance for assessing liver fibrosis as compared to conventional transient elastography, according to a May 2016 study in the Chinese publication, World Journal of Gastroenterology’.

SWE and hepatitis C
SWE practitioners see it as a tool to assist in earlier detection of conditions such as hepatitis C, and both fatty liver and alcoholic liver disease. Alongside lab studies, SWE offers a means to closely monitor the impact of treatment and assess if the liver will normalize. For many hepatologists, fighting a liver condition before Stage 4 cirrhosis provides a good chance of reversibility.
SWE can also provide information on which hepatitis C patients might benefit from viral therapy. There are numerous reports of patients who would not have been suspected of severe fibrosis or cirrhosis, based on traditional ultrasound grey scaling. At best, the latter provides indicators such as anomalies in the liver contour. However, it does not show signs of cirrhosis such as surface nodularity which are immediately apparent in elastography.

Guiding biopsies
Some clinicians have sought to use SWE to guide liver biopsies and in certain cases, avoid or postpone biopsy. As part of this process, they have addressed one of the major limitations of biopsy, namely restrictions to choice of affected areas, erroneous samples, or inadequacy in sample size enough for interpretation. SWE allows multiple sampling across the liver and generating a mean value. This reduces what in the past would have been a large number of unnecessary biopsies, and minimizes the morbidity of liver biopsy.

SWE in children
SWE has shown specific advantages in pediatric patients. Cincinnati Children’s Hospital Medical Center is gathering data on normal’ stiffness values in children, and on rates of progression, given that published data is almost wholly based on adults.
The study groups cover children with liver transplants, metabolic disorders, cystic fibrosis and those on prolonged intravenous feeding (TPN). One specific area for attention is biliary atresia, a rare but life-threatening condition where the bile ducts in an infant’s liver lack normal openings. The bile builds up and causes damage to the liver.
The pediatric data collection for SWE on newborns with jaundice or cholestasis makes ten measurements. This adds just 5 minutes to a typical ultrasound exam.
Nevertheless, pediatric SWE also has its limitations. According to Dr. Sara O’Hara, who heads the Ultrasound Department at Cincinnati Children’s Hospital, SWE can give variable results in areas such as children with non alcoholic steatohepatitis (NASH) and fatty liver disease.

Breast applications benefit from SWE-plus-strain elastography
In adults, aside from the liver, SWE is seen as a useful technique for evaluation of breast lesions and prostate imaging. In both cases, the technique seems to provide best results in combination with another elastography mode.
For instance, a literature review published in the Journal of Ultrasound’ in 2012 reported that SWE and strain elastography complement each other and overcome mutual limitations in the evaluation of breast lesions.
Clearly, when both types of elastography provide similar results, there is a greater degree of confidence – especially in terms of a near-total elimination of false negatives, which sharply cuts the need for breast biopsies which later prove unnecessary.
There are however some limitations which have been reported in measuring shear wave velocity in the stiffest of breast lesions. Here, rather than propagating through the tumour, the shear wave tends to bounce back. Nevertheless, ongoing improvements in SWE, which have been further reducing examination time and enhancing field of view, means that at some point it could be a tool for breast cancer screening.

Prostate applications benefit from SWE-plus-MR elastography
The use of SWE in prostate cancer, too, shows similar potential for benefits as with breast screening. The first factor is a reduction in biopsies, which prove to have been unnecessary post facto. Studies are under way which seek to correlate stiffness with abnormalities (as well as aggressiveness of tumours) and to assist urologists determine when patients with low-grade prostate cancer must start treatment.
As with SWE and strain elastography in the breast, best results in terms of the prostate are obtained by complementing SWE with another imaging modality – magnetic resonance (MR) elastography. Some findings reveal SWE significantly superior in detecting prostate cancer in the peripheral zone – which is where most tumours occur. However, MR seems to show greater promise in the anterior gland and transitional zone.
Again, as with the breast, the fusion of two modalities permits multiple sampling and tackles a major limitation of prostate biopsy, namely inconvenience and risk, as well as limited choice of affected areas. A few experimental procedures have also targeted fusing MR and SWE images to help guide biopsies.

Using SWE in other organs
SWE has also demonstrated considerable (if still early-stage) promise for evaluating thyroid nodules, indeterminate lymph nodes and uterine fibroids. Another area for investigating SWE include kidney transplants, in order to to avoid excessive biopsies. However, limitations to shear wave captured depth remains a technology challenge for manufacturers to address.

US remains laggard in ultrasound elastography
While most of the world’s regions (Europe, Asia and Latin America) are seeing growth in the use of ultrasound elastography (both SWE and strain), in the US neither is eligible for reimbursement, even in the largest application area – the liver. This is unlike transient elastography, although critics allege it is a blind methodology which neither directly measure fibrosis and often over-estimates it.
Currently, studies in both the US and other parts of the world are seeking to establish the clinical and economic benefits of SWE and strain elastography, including unnecessary invasive biopsies with their associated costs and complications. Eventually, the results of ongoing trials are expected to produce the data which will make ultrasound elastography eligible for reimbursement.
The most self-evident advantage of ultrasound elastography is its non-invasive nature. Unlike a biopsy, it is clearly more feasible to use SWE to screen for patients at greatest risk of chronic liver disease and in need of referral or treatment.