ACR expands cybersecurity help

- The American College of Radiology expanded cybersecurity resources aimed at radiology practices facing rising threats.
- The resources are designed to help practices manage vulnerabilities, compliance, and digital risk as imaging digitises.
- Radiology groups will need stronger IT controls and vendor oversight to protect patient data and uptime (x.com).

The American College of Radiology has expanded its cybersecurity help for imaging practices as ransomware and data-breach pressure keeps rising across U.S. healthcare. (acr.org) The group’s Cybersecurity Resource Hub now packages basic controls and radiology-specific guidance in one place, including phishing prevention, strong-password guidance, secure data sharing, incident reporting, recovery planning, and a white paper on protecting radiology data and devices. (acr.org) The American College of Radiology also links members to a video library and a “Cybersecurity Primer for Radiology Professionals,” alongside case material on the University of Vermont cyberattack and guidance on “the first minute” and recovery after an incident. (acr.org)

Radiology runs on picture archives, scanners, reporting systems, and outside software vendors, so a cyberattack can hit both patient privacy and daily operations at the same time. The college said technology is changing care delivery and connectivity, but those same systems are “increasingly exploited” by criminals and hackers. (acr.org)

Federal health officials have been tightening the message. On December 27, 2024, the Department of Health and Human Services proposed the first major update to the HIPAA Security Rule since 2013, citing more frequent cyberattacks on the healthcare system. (hhs.gov) HHS said reports of large healthcare breaches rose 102% from 2018 to 2023, while the number of people affected rose 1,002%; in 2023 alone, more than 167 million people were affected by large breaches. (hhs.gov) The agency’s sector-specific Cybersecurity Performance Goals tell providers to prioritize baseline controls first, then add stronger layers, using frameworks built with the Cybersecurity and Infrastructure Security Agency and industry groups. Those goals are voluntary, but HHS says they are meant to protect patient information and keep care delivery resilient during attacks. (hhs.gov)

The Change Healthcare attack pushed that issue beyond hospital IT departments. HHS said the incident had “unprecedented” effects on patient care and privacy nationwide and reminded providers they still have to maintain business associate agreements and breach-notification processes with vendors. (hhs.gov)

Enforcement has also reached imaging providers. HHS’s Office for Civil Rights lists a HIPAA Security Rule settlement with Northeast Radiology on April 4, 2025, and a HIPAA cybersecurity investigation settlement with Vision Upright MRI on May 15, 2025, among its recent cases. (hhs.gov)

For radiology groups, that leaves a practical checklist: lock down access, test recovery plans, train staff against phishing, and scrutinize the vendors that store, route, or read images. The American College of Radiology’s expanded hub is built around the reality that one outage can stop both scans and care. (acr.org)
