Journal of Digital Imaging (2019) 32:535–543

https://doi.org/10.1007/s10278-019-00236-w

ORIGINAL PAPER

10 Steps to Strategically Build and Implement your Enterprise

Imaging System: HIMSS-SIIM Collaborative White Paper
Henri Primo 1 & Matthew Bishop 2 & Louis Lannum 3 & Dawn Cram 4 & Abe Nader 5 & Roger Boodoo 6

Published online: 8 June 2019

# The Author(s) 2019

Abstract
An enterprise imaging (EI) strategy is an organized plan to optimize the electronic health record (EHR) so that healthcare
providers have intuitive and immediate access to all patient clinical images and their associated documentation, regardless of
source. We describe ten steps recommended to achieve the goal of implementing EI for an institution. The first step is to define
and access all images used for medical decision-making. Next, demonstrate how EI is a powerful strategy for enhancing patient
and caregiver experience, improving population health, and reducing cost. Then, it is recommended that one must understand the
specialties and their clinical workflow challenges as related to imaging. Step four is to create a strategy to improve quality of care
and patient safety with EI. Step five demonstrates how EI can reduce costs. Then, show how EI can help enhance the patient
experience. Step seven suggests how EI can enhance the work life of caregivers and step eight describes how to develop EI
governance. Step nine describes the plan to implement an EI project, and finally, step 10, to understand cybersecurity from a
patient safety perspective and to protect images from accidental and malicious intrusion.

Keywords Data Capture . Data Integrity . Electronic Health Record . Enterprise Digital Image Archive . Enterprise Image
Viewing . Enterprise Imaging . Governance . Image Data Management . Imaging Informatics . PACS . Universal Viewer .
Workflow

Goal (such as the Chief Executive Officer, Chief Financial

Officer, Chief Medical Officer, Chief Informatics
This white paper (WP) is designed to help care providers Officer, and Chief Medical Informatics Officer) and de-
and informatics professionals champion enterprise imag- partmental directors or other leadership of the importance
ing (EI) at their local healthcare enterprise. The content of enterprise imaging. The WP can even be used to build
that follows will help these enterprise imaging advocates a strategic plan for the design and implementation of an
to build a presentation to convince C-suite executives enterprise imaging program. Some sections in the

* Henri Primo 1
Primo Medical Imaging Informatics, Inc, Chicago, IL 60646, USA
rprimo@pm-ii.com
2
UnityPoint Health, Des Moines, IA, USA
Matthew Bishop
matthew.bishop@unitypoint.org 3
AGFA Healthcare, Mortsel, Belgium
Louis Lannum
louis.lannum@agfa.com 4
The Gordian Knot Group, LLC, Fort Lauderdale, FL, USA
Dawn Cram
5
dcram@gkhit.com Medical Imaging & Medical Imaging Informatics, Inova Health
System, Falls Church, VA, USA
Abe Nader
abe.nader@inova.org 6
Diagnosis Protocol & Clinical Informatics Fellow, University of
Roger Boodoo Illinois Hospital and Health Sciences System, Chicago, IL 60612,
boodoodoll@gmail.com USA
536 J Digit Imaging (2019) 32:535–543

document have a technical orientation, especially when Examples

addressing mechanisms and instruments in EI. This tech-
nical content is not important for the C-level but it helps & Images can be used in a store-and-forward workflow to
EI Advocates to have a deeper insight into these matters. consult with other specialists; the archived images can be
compared over different time points for comparisons.
Images from radiology and cardiology are usually repre-
sented by the Digital Imaging and Communications in
Overview
Medicine (DICOM) format. Even if these VL images are
created in a non-DICOM format such as jpeg or PDF, e.g.,
Enterprise imaging (EI) has been defined as “a set of strate-
with point-and-shoot cameras, smartphones, flatbed doc-
gies, initiatives and workflows implemented across a
ument scanners, medical cameras, microscopes, or pathol-
healthcare enterprise to consistently and optimally capture,
ogy slide scanners, these images can be encapsulated in a
index, manage, store, distribute, view, exchange, and analyze
DICOM object after image capture. In other words, the
all clinical imaging and multimedia content to enhance the
images can be compliant with the DICOM standard and
electronic health record.” [1]
stored in the Enterprise Vendor Neutral Archive (VNA).
An EI strategy is an organized plan devised to optimize the
Also, many VNA brands can consume non-DICOM im-
electronic health record (EHR) so that healthcare providers have
ages in their native format.
intuitive and immediate access to all patient clinical images and
& The ability to view any image from a single viewer via the
their associated documentation, regardless of source. Healthcare
EHR system with a single login at the point of care.
providers must be able to both contribute image and video con-
& Availability of historical images during the interpretation of
tent to the electronic health record and access images and video
a current image can improve the quality of interpretation.
created by other clinic appointments and procedures, such as
& Diminish inappropriate utilization (duplicate exams) by
radiology, cardiology, pathology, dermatology, ophthalmology,
making prior and new images easily accessible.
point of care ultrasound, and endoscopy. Leveraging EI capabil-
& Diminish radiation exposure to the individual patient and
ities enables a number of important imaging-based use cases that
general population by avoiding unnecessary exam
will be explained in this paper. How precise are written textual
duplication.
descriptions of skin lesions in the field of dermatology, retinal
& Not having to navigate multiple departmental systems to
damage in ophthalmology, and wound conditions written by the
locate the imaging information will motivate the caregiver
wound care team? Words can only paint a subjective mental
to view not only the patient’s clinical information in the
picture. Supplementing descriptive text with images better con-
EHR but to also view images from many sources.
veys a precise depiction of the area of interest. [2]
The following 10 steps address different benefits and re-
quirements of an EI strategy.
Ubiquitous Image Access

Integrated Delivery Networks (IDN) have resources and ser-

Step 1: Access to all the Images vice lines working in multiple sites and locations, such as
and Documentation for Better different hospitals, imaging centers, and ambulatory care of-
Decision-Making to Impact Patient Outcomes fices. The information technology infrastructure needs to sup-
port this distributed organization model by enabling
In contrast with radiology and cardiology, where images are enterprise-wide consolidation of tools and a paperless
created by X-ray apparatus, magnetic resonance (MR) imaging, workflow. Work should be automatically allocated to re-
computed tomography (CT), or ultrasound (US) scanners, most sources who are appropriately credentialed to do the work
images produced outside these departments are actually images and who have sufficient bandwidth to handle the work. This
in the visible light spectrum (VL), not in the X-ray, MR, or US can only be granted by a system that enables access indepen-
wavelength spectrum. VL imaging may serve evidentiary and dent from where and how the data was gathered.
documentation purposes. Departments such as, but not limited Consolidation of systems is a best-in-class process when
to, dentistry, pathology, dermatology, wound care, GI endosco- IDN’s acquire more institutions and expand the EHR system
py, surgery, and others use VL in their care workflow in addition into these new locations. With an EI strategy in place, care-
to X-ray, MR, or US. Today, these images are often not available givers across the IDN can now have access to the patient’s
through the EHR and are seldom securely digitally archived. EHR and imaging information combined. Enabling caregivers
This can be a challenge to patient care and patient experience, with accurate and precise information, anytime and anywhere,
the caregiver’s quality of work, costs containment, and value- is a powerful tool to enable improvements in patient care.
based care delivery. An effective EI strategy can help. Further, a decrease in cost can be expected by avoiding
J Digit Imaging (2019) 32:535–543 537

unnecessary duplication of resources such as local image stor- hardware and storage systems. Centralized data manage-
age management systems in different departments in different ment will reduce maintenance costs and reduce or elimi-
geographical locations. Collaboration between primary care nate the need for future data migrations.
and specialty physicians in different IDN locations can be
facilitated. This effect is already experienced by the early
adopters of EI.
Step 3: Understand the Specialties and Their
Clinical Workflow Challenges as It Relates
Step 2. Demonstrate how EI Is a Powerful to Imaging
Strategy
There are at least four types of imaging data created and con-
The Triple Aim—enhancing the patient experience, improv- sumed in the healthcare enterprise as part of clinical
ing population health, and reducing costs—is widely accepted workflows.
as a compass to optimize health system performance [3]. The
industry is moving towards a Quadruple Aim, adding the goal 1. Traditional imaging data: The first (and most com-
of improving the work life of healthcare providers, including mon) is the imaging data created in radiology and
clinicians and staff due to workload burnout. EI has the po- cardiology. This data is typically created by X-ray,
tential to help organizations achieve Quadruple aim. This CT, ultrasound, nuclear medicine, and MR devices.
includes: The data created here are well defined and normal-
ized to correspond with the data in the EMR. The
1. Enhancing patient and caregiver experience: As hos- systems used to manage the imaging data are enter-
pitals and health systems move to entirely EHR- prise class picture archiving and communication sys-
based (centric) models, a patient-centric view of all tems (PACS) and provide good integration with the
clinical information (including images), from within EMR for “in context” viewing of the images by
the EHR and at the point of care, enables the care providers from multiple specialties.
provider to make quick, informed, and accurate clin-
ical decisions. An EI strategy of combined image & Radiology is an example of a specialty that creates images
and EHR access eliminates the care provider’s frus- and reports data primarily for use outside of the specialty.
tration with searching for images in several depart- Examples of specialties that consume radiology studies
mental IT systems. EI enables quicker diagnosis and for diagnosis and pre-treatment or pre-surgical planning
treatment allowing the provider to spend more time include orthopedics, oncology, obstetrics and gynecology,
with the patient. It also allows the provider to keep emergency medicine, and surgery.
the patient informed with accurate information, in- & Cardiology is an example of a specialty that creates im-
cluding images, about their condition and treat- ages and reports primarily use within the specialty.
ments. This can give the patient a sense of confi- Examples of sub-specialties within cardiology that use
dence that they are indeed receiving the best care imaging data are diagnostic cardiology, interventional car-
available. diology, electrophysiology, cardiac ultrasound (echocardi-
2. Improving population health: Imaging analytics and arti- ography), and cardiac surgery.
ficial intelligence applications can provide the informa-
tion needed (population surveillance) to facilitate preven- 2. Visible light imaging data: The second (and rapidly grow-
tative programs to manage the health of populations. ing) imaging data type is the visible light imaging. This
Mammography, colonoscopy for colon cancer, abdominal data is created by a wide variety of specialties and devices
aortal aneurysm, and low-dose CT lung screening are as already mentioned earlier. The data created here are
good examples. The importance of having these data typically managed by small, department level systems.
available in the EHR is well recognized. Adding the evi- The images are not usually available for viewing outside
dence images to the textual information increases the val- the system they were created on and are not well integrat-
ue of the information in the EHR for Population Health ed to the EMR.
Management (PHM) staff. Further, the EI VNA provides
a centralized and straightforward data access point for & Endoscopy is an example of a tool to create visible light
both clinical and business analytics tools. imaging data as part of the procedure. These images are often
3. Reducing costs: By consolidating imaging data into a sin- combined with other imaging modalities for hybrid imaging
gle (or fewer) repositories substantial financial savings data sets. These data sets consist of visible light images com-
can be realized through consolidation of existing bined with either ultrasound or X-ray images. Examples
538 J Digit Imaging (2019) 32:535–543

would include endobronchial ultrasound bronchoscopy or look for possible improvements to the acquisition, storage,
endoscopic retrograde cholangiopancreatography proce- retrieval, and display of data.
dures. Reports are often communicated to patients or other
providers in a printed paper format with text and images
creating an additional imaging document that will need to
Step 4: Create a High-Reliability Healthcare
be stored and managed to be available from within the EHR.
Strategy to Improve Quality of Care
& Dermatology, wound care, and plastic surgery, general
and Patient Safety with EI
surgery, and ophthalmology primarily create visible light
images through traditional or specialty photography or
Having all patient images and associated reporting data easily
video. These specialties are a good example of imaging
accessible from within the EHR and at the point of care is
data sets that cross specialties to complete a course of
essential for the quality of care. Imaging data combined with
treatment for a patient.
the textual and discrete data in the EHR can present a com-
plete longitudinal view of the patient’s situation.
Example: A patient may have a wound that is caused by a
dermatological condition. Treatment of the condition could
1. For patients and providers, centralized access to patient
involve collaboration between a dermatologist and wound
data is critical for making quick, well informed, and ac-
care physician. Once the wound is sufficiently healed, a plastic
curate clinical decisions that improve both patient safety
surgeon may be engaged to perform a reconstructive proce-
and the quality of the care they receive. Combining im-
dure. The images captured during this episode of care would
ages with textual data provides a comprehensive view of
be useful to all three-specialty areas and should be easily ac-
patient information.
cessible to all three to facilitate quality care with a minimum
2. For health information management (HIM), having cen-
amount of diagnostic noise created by dissimilar imaging sys-
tralized access to all patient information, including the
tems.
images can make release of information (ROI) much eas-
ier while requiring less effort to gather the information.
3. Multimedia imaging data: The third source of imaging
3. For population health management, providing a consoli-
data is multimedia documents. These are typically created
dated, single, and easily accessible view of the entire pa-
by department level systems such as endoscopy manage-
tient record allows access to a view of patient information
ment and pulmonary function test systems. They can also
that has already been normalized to a single standard. This
be created by combining textual result data from the EMR
makes the job of the analytics team easier by providing
with imaging data from multiple sources.
accurate data with fewer opportunities to corrupt or lose
data through efforts to normalize across multiple sources
& Multimedia documents are stored in various locations de-
of data.
pending on the system that created them. These multime-
dia documents could be stored in a number of external
locations (PACS, document management system, etc.)
based on the systems configuration or requirements or
remain in the system that created them. This makes it Step 5: Demonstrate how EI Can Reduce Costs
difficult for caregivers to locate and view the various doc-
uments in a format that enables clinical comparison. Having a robust EI (EI) infrastructure in place enables the
creation of new or revised workflows in multiple clinical
4. Waveforms: The fourth source of imaging data is wave- and operational areas. The nature of the ROI’s to be harvested
forms. These include electrocardiography and electroen- will most likely be different for different healthcare delivery
cephalogram graphs, pressure-volume curves, and flow organizations. Some examples include the following:
diagrams. Written reports with waveforms are often stored
in departmental systems. Making these reports available 1. ROI could come from improved workflows in the differ-
with the waveforms through the EHR makes these docu- ent disciplines and the associated gains in efficiency and
ments easier to consume effectiveness.

The EI advocate should visit all the departments which use & ROI could be the result of a consolidated IT infrastructure
imaging in their daily practice and observe how these depart- by eliminating local departmental IT infrastructure.
ments have embedded imaging in their respective workflows. Maintenance and technical services could be consolidated.
Then, the EI advocate should analyze the workflow, discuss & An EI infrastructure, through its centralized storage and
with the department the issues with the current workflow and management of imaging data, can reduce duplicate
J Digit Imaging (2019) 32:535–543 539

imaging studies performed on a patient by enabling shar- & The human resources required to maintain
ing of imaging data both internally and externally. workflows requiring uploading imaging exams from
& The ability to ingest and normalize imaging studies from CD/DVDs
other facilities, with different systems and data formats, & The human resources required to walk the CD/DVDs pro-
into local systems and formats can reduce the need for vided by a clinic patient to the nearest radiology depart-
additional (duplicate) imaging studies. ment, which can sometimes require walking to a different
building or utilizing a courier service to deliver to a dif-
2. Traditional workflows like radiology and cardiology can ferent campus
be modified and improved using the EI infrastructure.
This could include global worklists based on specialty, From the perspective of a patient, providing patient access
geography, criticality, or any number of clinical or opera- to their own image record offers a progressive, yet increasing-
tional factors enabling the optimum use of resources ly expected approach in a rapidly evolving world of social
across the enterprise. media and online access driving consumer choices.
In June 2016, a Connected Care and the Patient Experience
3. Specialties that utilize imaging but do not have a tradition- survey was conducted by Kelton Global; 94% of patients feel
al imaging workflow can easily provision and enable one their medical information and records should be centrally
using the EI infrastructure. These specialties can create stored and electronically accessible, with a notable dissatisfac-
orders based or encounters-based workflows depending tion with current limitations rendering them unable to access
on requirements. These workflows will capture data that and share their own health records [4].
was previously only available locally and integrate it into Organizations should also consider other factors contribut-
the enterprise (EMR). ing to enhanced patient experience during their clinical and
emergency visits, including:
& Unnecessary duplicative imaging procedures
& Duplicative imaging infrastructure in departments using & The ability for images to be received electronically and
imaging (examples such as GI, dermatology, wound care, reviewed by a specialist or emergency care provider, prior
pulmonology) to the patient arriving. Not only can this help improve
& Optimal use of resources across the enterprise (e.g., global outcomes for emergent care but also reduces the possibil-
worklist for all radiologists in the enterprise) ity of additional radiation exposure and insurance rejec-
& Centralized image storage infrastructure instead of a costly tion for reimaging.
distributed infrastructure & Offering patients more time with their provider, due to a
& Centralized maintenance of unified imaging IT decrease in provider time and effort trying to locate previ-
infrastructure ous or current imaging and results.

Step 6: Show how EI Can Help Enhance Step 7: Enhance the Work Life of Caregivers
Patient Experience
EI provides value to your providers, including the ability to
Imagine having the ability to offer your patients complete access multidisciplinary imaging in a single “click” and
access to view their own image record. This would go a long workflow enhancements such as supporting encounter-based
way towards improving patient experience and can result in imaging without requiring orders [5].
better patient retention. Imaging acquired outside radiology and cardiology depart-
From the perspective of staff productivity and operating ments is often performed by clinical care providers whose
costs, this can significantly reduce: primary role is not imaging, such as medical assistants, nurses,
and even the physician. Greater emphasis on intuitive
& The human and supply resources required to maintain workflows is ultimately important within these specialties
workflows requiring burning imaging exams to CD/ [6]. Attempting to implement traditional order-based imaging
DVDs workflows or tying imaging modalities used in these areas to
& Mailing of CD/DVDs to external organizations and pro- desktop dependence, frequently, results in provider frustration
viders, including overnight, same-day and courier and non-compliance.
deliveries When capturing photos, scope video waveforms and other
& Turn-around times for final imaging results awaiting prior clinical multimedia within visit or procedure-based specialties
exams for comparison such as dermatology, otolaryngology, or surgery, it is not
540 J Digit Imaging (2019) 32:535–543

intuitive for providers to pause patient assessment and care to initiatives across the healthcare environment. The SIIM-
place an order solely for proper compliance with a workflow. HIMSS EI workgroup published a white paper on EI gover-
Manual workflow steps resulting from poor interoperabil- nance in 2017 [9].
ity, such as connecting a camera to PC to download images, EI governance is an emerging need in health enterprises to-
introduce workflow gaps usually addressed once the provider day. This white paper highlights the decision-making body,
has time to complete. This workflow can be wrought with framework, and process for optimal EI governance inclusive
errors and non-compliance, only sporadically completed. of five areas of focus: program governance, technology gover-
Accessing images, previously acquired using non-intuitive nance, information governance, clinical governance, and finan-
and gap prone workflows, can further increase provider frustra- cial governance. It outlines relevant parallels and differences
tion and reduce efficiencies. Searching through a network di- when forming or optimizing imaging governance as compared
rectory of stored photos for a photo taken on a patient 6 months with other established broad horizontal governance groups, such
ago, to determine if a skin lesion has grown, requires time and as for the electronic health record. It is intended for CMIOs and
additionally creates data security concerns. Equally inefficient health informatics leaders looking to grow and govern a pro-
and frustrating is searching through an image, or external me- gram to optimally capture, store, index, distribute, view, ex-
dia, archive with limited or no information labels to indicate change, and analyze the images of their enterprise (Fig. 1).
what the clinical media is, or when it was performed. The EI education workgroup recommends the EI advocates
Enterprise imaging, through the delivery of enhanced to study this whitepaper and familiarize themselves with the
workflows, including encounter-based imaging, alleviates content which provides in-depth information to create an EI
many of these challenges by: governance strategy. [9]

& Offering intuitive workflows to visit and procedure-based

imaging specialties, improving provider satisfaction and
compliance Step 9: Implement an EI Project
& Blending mobile and desktop access and acquisition
& Providing capture devices with modality worklists and The first decision to make as an enterprise is who do you want
patient schedules comprised of appropriate metadata for to be? If the decision is to be innovative and have a fully
content indexing within the image archive and unified image-enabled EHR to facilitate better patient care, then the
with the EHR record hard work begins. Typically, an informatics expert from an
& Validating images against the patient and EHR-associated imaging-heavy department, such as radiology, initially sees
visit, effectively linking the images to the appropriate pa- the need and spearheads the initiative. The champion gives
tient encounter an EI presentation to the executive staff in an effort to educate,
& Eliminating the need for manual entry and workflows and inform, and clarify any misconceptions. The most significant
contributing to errors, non-compliance and dirty data misconception is that EI mostly benefits radiology or it is a
& Scaling across multiple service lines for application with radiology project and not an enterprise initiative. The most
varied clinical images and multimedia such as photos,
scope video, and point-of-care ultrasound
& Mitigating medico-legal issues [7] and patient care chal-
lenges presented if image records are inaccessible or
unavailable
& Improving economies of scale and interoperability limita-
tions associated with multiple image archives and the rap-
id increase in non-DICOM content [8]
& Complimenting the patient longitudinal record in the
EHR, ultimately enhancing value for care plan decisions

Step 8: Develop EI Governance

Governance is the keystone to any transformation process

driving enterprise change. One transformation is the creation
of an enterprise-wide, multi-department image management Fig. 1 The integrated nature of EI governance: many non-imaging
strategy that will align IT technology and clinical imaging considerations impact EI decision-making in all five areas of focus
J Digit Imaging (2019) 32:535–543 541

prominent mistake I have seen multiple times is the failure to wide to consistently and optimally capture, index, manage,
not consider EI in the early steps of replacing or upgrading the store and distribute, view, exchange, and analyze all clini-
EHR. When an EHR replacement stretches the IT staff, it is cal imaging and multimedia with the end goal being able to
challenging to add-on EI in the middle of the process or during enhance the EHR. Moving from the current state to the
the EHR optimization phase. Concurrent planning works best future state can be challenging. However, with the right
and similar resources such as a physician or nurse informatics leaders, an excellent roadmap, and symbiotic vendor rela-
groups can be leveraged for both initiatives. Once approval for tions, the journey will be rewarding.
the project is secured, form a small team of leaders to start the
preplanning.
There are many paths to begin the journey of implementing Step 10: Understand Cybersecurity for EI
an EI project. To obtain more information, attend a national
conference such as the Radiological Society of North America In recent years, we have seen a staggering increase in cyber-
(RSNA) or the Healthcare Information and Management security attacks directly impacting healthcare delivery
Systems Society (HIMSS) or the Society for Imaging organizations.
Informatics in Medicine (SIIM). The major vendors are pres- In March 2018, their Internet Security Threat Report [10]
ent who can demonstrate their products and answer any ques- Symantec states: “From the sudden spread of WannaCry and
tions. A few companies will provide a return on investment Petya/NotPetya, to the swift growth in “coin miners,” 2017
projections or recommend their consulting arm to perform a provided us with another reminder that digital security threats
full review of the organization. Secondly, research and rank- can come from new and unexpected sources.” Further, the
ings of the top vendors are available from data analytic plat- Ponemon Institute reported already in 2016 that healthcare
forms such as KLAS. These reports can help guide you to providers are in the crosshairs of cyber attackers [11].
which vendors to visit at RSNA, SIIM, or HIMSS. Lastly, The trend of hospital consolidation has created the emer-
independent consultants can be hired to perform a thorough gence of EI service lines which consist of multiple depart-
analysis of your current state of imaging and guide you ments in different hospitals belonging to an Integrated
through the process to your desired state. Delivery Network or IDN. As an example, the dermatology
Meanwhile, having a better idea for your current im- and imaging service line can now consist of the different der-
aging footprint will guide future enterprise decisions. matology and radiology departments in the different hospitals
Our IT staff compiled a list of over twenty different that once did not belong to the same IDN organization. These
imaging applications installed at our institution. More service lines hold the promise to provide higher quality ser-
importantly, knowing the maintenance costs, contract vice at a lower cost to patients and their care teams due to
expirations, and end of life dates will assist with vendor efficiency gains and savings made through economies of
selection. To lessen the workload and improve efficien- scale. The downside is that such organizational structure can
cies, consolidating applications should be on the make cybersecurity threats even more acute and potentially
roadmap. Prioritization of heavy imaging departments more impactful.
might suggest that only vendors with robust pathology, Why? All computer-based equipment and various applica-
radiology, and cardiology PACS and software solutions tions such as image viewers in the service lines are becoming
be considered. For example, sophisticated cardiology more and more interconnected or consolidated into a central-
software can eliminate redundancies such as individual ized system. Through the IT network infrastructure
niche cardiac MR image management, an echocardio- connecting the different service lines locations in the
gram program, and an EKG application. Pathology de- healthcare enterprise, cyber-attacks now have another avail-
partments may convert to whole slide digital imaging, able vector to quickly spread malware and compromise these
and this needs to be supported by an EI VNA. service lines operations.
The first few steps include forming a steering committee,
developing a meeting schedule, establishing goals (short, me- Cybersecurity for EI Initiatives
dium, and long-term), and agree on the logistics of a kick-off
meeting. Weekly status reports are useful to keep the major EI deployments are augmenting the risk of exposure to a
stakeholders engaged and informed. Short-term goals may computer virus or other malware infections and significant
include conducting interviews to determine workflows and threats including denial of service, phishing e-mails,
the current state of EI. Furthermore, short-term goals may phishing websites, social phishing, brute forcing, and
provide the opportunity for quick wins such as improved ef- FTP server compromises. As already mentioned in this
ficiencies with changes to existing workflow. white paper, numerous departments are using imaging in
EI is a strategic goal which contains strategies, initia- the visible light spectrum as diagnostic, procedural, and
tives, and workflows. EI is for entire healthcare, enterprise evidence data. Images from endoscopes, point and shoot
542 J Digit Imaging (2019) 32:535–543

cameras, specialized medical cameras, and image flatbed departmental staff. It is all about the trinity of people, process-
scanners were acquired and stored completely offline, ei- es, and technology.
ther as digital images, e.g., in jpeg format on a local PC or IBM stated already in their 2014 Cyber Security
plain hard copy in a patient folder, and were not connect- Intelligence Index [14] that over 95% of all incidents investi-
ed to the hospital’s intranet. EI changes this paradigm gated recognize “human error” as a contributing factor.
completely. Caregivers will send their digital images The CTF white paper also discusses the HIMSS/NEMA
straight into the IDN’s intranet and these images or videos HN 1-2013 Manufacturer Disclosure Statement for Medical
will be routed to their repository destination: the IDN’s Device Security (MDS2) [15]. MDS2 was developed by
data center where all patient’s images are stored in the MITA and members of the HIMSS Medical Device Security
enterprise vendor neutral central archive and digitally Task Force in collaboration with multiple industry associa-
linked to the patient’s electronic health record. This in- tions, government agencies, and other stakeholders. This stan-
creases the risk of a computer virus being introduced into dard specifies a device manufacturer’s model-specific descrip-
the EHR. tion of a device’s ability to maintain/transmit electronic
Medical imaging acquisition devices, like all computer- protected health information (ePHI) and the security features
based systems, are subject to cybersecurity risks that might associated with the device. MDS2 provides most of the re-
harm patient safety and even patient lives if a hacker interferes quired information if you decide to perform an ISO 80001-
with the safe operation of an imaging device, PACS, EHR, or 1-based cybersecurity risk management audit in collaboration
any other IT-based system [12] by blocking access or falsify- with your IT department.
ing the content. As a consequence, vital patient data may not We all need to be aware that cybersecurity prevention is
be available for caregivers. Then, there is the risk that hackers based on an ecosystem of people, processes, and technologies.
can steal the patient’s medical records gaining access to elec- Imaging staff must be aware of cybersecurity threats and best-
tronic protected health information (ePHI). Last but not least, in-class practices. Imaging service lines need to build their
hackers may also steal the user’s or patient’s log-in credentials cybersecurity strategy and operational plans in close collabo-
allowing for unauthorized access to ePHI. ration with IT departments.
The NEMA MITA Cybersecurity Task Force (CTF) pub-
lished a white paper cybersecurity for medical imaging [12]
that identifies a set of best practices and guidelines that both
medical imaging manufacturers and the user community can Conclusion
implement to minimize the possibility that bugs, malware,
viruses, and exploits can be used to negatively impact patient It is probably clear to the readership that substantial re-
safety, product operation, or compromise ePHI and patient sources will be needed to reap the benefits of EI for pa-
safety. The paper was developed in collaboration with the tients, caregivers, and the healthcare provider organiza-
American College of Radiology, a professional organization tion. The authors feel that this white paper addresses the
for medical imaging. many points that need to be taken in consideration when
The guidelines and best practices described in this docu- developing a presentation to the leadership of a healthcare
ment, aimed at radiology departments, can, to a great extent, organization and how to answer many detailed questions
also be applied to EI initiatives. The CTF team came to a that C-suite advisory bodies may ask. Further, the infor-
major conclusion: advancing cybersecurity measures within mation can also be used to fuel EI discussion groups for
healthcare and public health relies on a whole community different audiences in the Integrated Delivery Network
approach, requiring manufacturers, installers, service staff, who will become important stakeholders in the EI strategy
and caregivers to accept shared ownership and responsibility. development. The authors have all substantial experiences
The FDA agrees with NEMA MITA that this problem requires in EI, from a perspective of management strategy, gover-
a collaborative approach. [13] nance, clinical, financial, and technical experience, and
are all involved in “real-world” EI implementations. Feel
Prevention of Cybersecurity Breaches free to contact the HIMSS-SIIM EI workgroup.

We all know the axiom “an ounce of prevention is worth a

pound of cure.” Prevention of cybersecurity breaches will re- Open Access This article is distributed under the terms of the Creative
quire cyber awareness. The CTF white paper takes this ap- Commons Attribution 4.0 International License (http://
proach and refers to standards and best practices in cyberse- creativecommons.org/licenses/by/4.0/), which permits unrestricted use,
curity. However, a truly robust cybersecurity plan can be only distribution, and reproduction in any medium, provided you give appro-
priate credit to the original author(s) and the source, provide a link to the
achieved when cybersecurity processes are clearly defined Creative Commons license, and indicate if changes were made.
and effectively and consistently followed by well-trained
J Digit Imaging (2019) 32:535–543 543

References Imaging 29(5):539–546, 2016. https://doi.org/10.1007/s10278-

016-9883-z
1. Roth, C: What is Enterprise Imaging? SIIM.orghttps://siim.org/ 10. Internet Security Threat Report. Symantec.com. https://www.
general/custom.asp?page=enterprise_imaging. Accessed Jan 2019. symantec.com/content/dam/symantec/docs/reports/istr-23-2018-
2. Informative Images. W3.org. https://www.w3.org/WAI/tutorials/ en.pdf. Published March, 2018. Accessed Jan 2019.
images/informative/ Published Sept., 2014. Updated Sept. 2017. 11. Sixth Annual Benchmark Study on Privacy and Security of
Accessed Jan 2019. Healthcare Data. Ponemon Institute LLC. https://www.ponemon.
3. Stiefel M, Nolan K: A Guide to Measuring the Triple Aim: org/local/upload/file/Sixth%20Annual%20Patient%20Privacy%
Population Health, Experience of Care, and Per Capita Cost. IHI 20%26%20Data%20Security%20Report%20FINAL%206.pdf.
Innovation Series white paper. Institute for Healthcare Published May ,2016. Accessed Jan 2019.
I m p r o v e m e n t . h t t p : / / w w w. i h i . o r g / r e s o u r c e s / P a g e s / 12. MITA Releases NEMA/MITA CSP 1–2015 Cybersecurity for
IHIWhitePapers/AGuidetoMeasuringTripleAim.aspx. Published Medical Imaging at RSNA 2015. MITA. https://www.
2012. Accessed Jan 2019. medicalimaging.org/2015/12/02/mita-releases-nemamita-csp-1-
4. 2016 Connected Care and the Patient Experience. Healthcare. 2015-cybersecurity-for-medical-imaging-at-rsna-2015/. Published
https://www.slideshare.net/surescripts/2016-connected-care-and- December, 2015. Accessed Jan 2019.
the-patient-experience-70073294. Published December, 2016. 13. MITA Encouraged by FDA Efforts to Reduce Post-Market
Accessed Jan 2019. Cybersecurity Risks to Medical Devices. MITA. https://www.
5. Cram D, Roth CJ, Towbin AJ: Orders- Versus Encounters-Based medicalimaging.org/2018/11/02/mita-encouraged-by-fda-efforts-
Image Capture: Implications Pre- and Post-Procedure Workflow, to-reduce-post-market-cybersecurity-risks-to-medical-devices/.
Technical and Build Capabilities, Resulting, Analytics and Published November, 2018. Accessed Jan 2019
Revenue Capture: HIMSS-SIIM Collaborative White Paper. J 14. IBM Security Services 2014 Cyber Security Intelligence Index.
Digit Imaging 29(5):559–566, 2016. https://doi.org/10.1007/ IBM. https://media.scmagazine.com/documents/82/ibm_cyber_
s10278-016-9888-7 security_intelligenc_20450.pdf. Published June, 2014. Accessed
6. Griffith v. Aultman Hosp. Court of Appeals for Stark County, Ohio. Jan 2019.
http://www.supremecourt.ohio.gov/rod/docs/pdf/0/2016/2016- 15. Manufacturer Disclosure Statement for Medical Device Security.
Ohio-1138.pdf. Published March 2016. Accessed Jan 2019. NEMA. http://www.jira-net.or.jp/commission/system/files/MDS2-
7. Meyerhoefer CD, Sherer SA, Deily ME, Chou S-Y, Guo X, Chen J, 2013_en.pdf . Published 2013. Accessed Jan 2019.
Sheinberg M, Levick D: Provider and patient satisfaction with the
integration of ambulatory and hospital EHR systems. J Am Med
Publisher’s Note Springer Nature remains neutral with regard to
Inform Assoc 25(8):1054–1063, 2018. https://doi.org/10.1093/
jurisdictional claims in published maps and institutional affiliations.
jamia/ocy048
8. IHS report: ‘Medical Enterprise Data Storage, World 2013’; https://
ihsmarkit.com/products/medical-enterprise-data-storage-vna-
report.html
9. Roth CJ, Lannum LM, Joseph CL: Enterprise Imaging
Governance: HIMSS-SIIM Collaborative White Paper. J Digit