Blog

Cybersecurity for Diagnostics

Is Your Digital Pathology Network Secure? A Comprehensive Security Checklist for 2025
The digital pathology revolution is transforming diagnostics, offering incredible potential for faster, more accurate diagnoses and collaborative care. But this shift to digital also introduces new and complex cybersecurity challenges. Beyond the standard data breaches that plague healthcare, digital pathology systems face unique threats like data integrity breaches (where image data is altered or corrupted), image manipulation, and unauthorized access to sensitive diagnostic images.
This comprehensive checklist will help you proactively address these challenges and build a secure foundation for your digital pathology workflow. Whether you are a hospital, laboratory, or vendor, use these key questions to assess your security posture and ensure patient data and diagnostic integrity remain protected.
1. People Power:
Who has access?
  • Identify all physical company locations and specify which are covered by your security program.
  • Determine the number of employees in the covered business units, including:
  • How many are 100% remote?
  • How many authenticate via a central authority (e.g., Active Directory)?
  • Do you have a formal process for reviewing user access and enforcing the principle of least privilege?
  • Have you implemented multi-factor authentication, especially for remote access?
Is everyone trained? Do you have a mandatory information security awareness training program for all employees and contractors?
2. Asset Protection:
What needs protecting?
  • Do you have an Asset Management program and a current Asset Inventory?
  • Does your inventory include:
  • Hardware (servers, endpoints)
  • Network equipment
  • Applications
  • Databases
  • Network shares
  • Whole slide images and associated metadata
  • Third-party hardware
  • Can you produce a list of all assets, their locations, and their intended purpose?
3. HIPAA Compliance and Data Security
Data Security:
  • How is PHI secured in compliance with HIPAA requirements, including encryption in transit (e.g., TLS, VPN) and at rest (e.g., AES-256)?
  • How is retired media sanitized to ensure PHI is irrecoverable?
  • Does your organization handle PHI? If so, are you a Covered Entity or Business Associate, and what types of PHI do you handle?
  • Describe your access controls, data classification policy, and incident response process for PHI.
  • Do you provide HIPAA training and have Business Associate Agreements (BAAs) in place?
HIPAA Policies and Procedures:
  • Do you have written HIPAA policies and procedures that are regularly reviewed and updated?
  • How do you ensure patients' rights under HIPAA?
  • What administrative, physical, and technical safeguards are in place to protect PHI?
  • Do you have a process for reporting HIPAA breaches?
What about end-user devices?
  • Are endpoints owned by the organization or employee-owned (BYOD)?
  • Are these devices protected by an Endpoint Protection Platform (EPP)? If so, which one?
How is data shared?
  • What file-sharing platform is used within the organization and with third parties?
  • Are access controls configured to restrict access to authorized individuals and groups?
4. Risk Management:
What are your biggest risks?
  • What are your organization's biggest internal and external security risks?
Do you have a plan?
  • Is there a formal information security program in place?
  • When was your last independent information security risk assessment?
  • Have you implemented a written information security plan to address identified gaps?
  • Are you covered by Cyber or Cyber Liability insurance?
  • Do you have a ransomware response plan?
  • Do you have a data loss prevention (DLP) program? If so, which DLP system are you using?
  • Do you have a tested business continuity plan?
  • Have you identified how your business would be affected by a catastrophe?
5. Software Security:
Is your code secure? If you develop software:
  • How is version control maintained?
  • How are code changes attributed to developers?
  • Do you review security at each phase of the SDLC?
  • Do you use automated tools for security testing and code review?
  • How are secure code reviews performed?
  • Are compiled binaries digitally signed?
  • What methodologies are used for security testing your products?
  • Do you have a dedicated team to assess and respond to vulnerabilities?
  • What is your patch release strategy and what tools do you offer for deployment?
  • How do you inform customers of vulnerabilities?
  • Do you provide severity ratings for vulnerabilities?
  • Do you disclose all vulnerabilities?
  • Do you participate in any bug bounty programs?
6. Third-Party Risk:
Who are your vendors?
  • Do you have a vendor management program and a formal vendor security due diligence process?
  • How are vendors granted access to information assets?
7. Security Controls:
Are you monitoring?
  • Do you have a SIEM/Log manager implemented and regularly reviewed?
  • Are all assets/devices centrally logged?
Are you filtering? Do you utilize monitoring and filtering of network activity?
Are you authenticating?
  • What authentication solutions are in place?
  • Is MFA used for access and control?
Other controls:
  • What anti-virus measures are utilized?
  • How are firewalls deployed throughout the organization?
8. Documentation:
Can you prove it? Are you able to produce copies of all written standards, procedures, and policies referenced above?
Taking Security Seriously
Protecting patient data and diagnostic integrity in the digital age requires a comprehensive and proactive approach to security. DigitCells is your partner in building a secure foundation for your digital pathology implementation. Contact us today for a complimentary information security review and let our experts help you navigate the complexities of digital pathology security.
Question asker:
Scott Kilcoyne

DigitCells Cofounder & COO
2024-12-17 09:47