Clinical laboratories take heed: With cyberattacks continuing to increase across the globe, it’s not a question of if you will be attacked but when you will be attacked. From hacking emails to phishing and ransomware, all devices that have some connection to the Internet are at risk, and all organizations—including clinical labs—must take steps to protect themselves.
According to data from the Department of Health and Human Services’ Office of Information Security, the number of attempted health care cyberattacks increased by 9,851 percent between 2019 and 2020, with almost 240 million attacks attempted in 2020. Many of these were ransomware attacks, which have been increasing rapidly.
Ransomware is a significant threat to the confidentiality, integrity, and availability of information, notes the Healthcare Information Management Systems Society (HIMSS) in a guide on how health care organizations can protect themselves. When a machine or device is infected by ransomware, the files and other data are typically encrypted, access is denied, and ransom is demanded. Basically, the data is held hostage and a demand is made to pay the ransom for the data to be returned to the user. However, paying the ransom is not a guarantee that the data will be restored.
If your clinical lab is hit with a ransomware attack, experts advise against paying the ransom, noting that often the attackers sell or leak the data anyway. “With ransomware, it is best to make sure it doesn’t happen in the first place,” says Algirdas Sakys, information security manager at NordLayer, a cybersecurity solution for business. “Having up-to-date data backups kept separately is also a good idea.”
Health care organizations are among the most sought-after targets for cybercriminals, says Sakys. “Due to the critical nature of the service they provide, threat actors target health care institutions, including clinical laboratories, believing these organizations can’t afford to halt operations even for a brief amount of time, hence, would opt to pay the ransom if their systems got compromised or disabled.”
Cyberattacks are becoming more common
According to a report by the Health Sector Cybersecurity Coordination Center (HC3), the first truly significant health care cybersecurity event occurred in 2014, when Anonymous attacked the Boston Children’s Hospital with distributed denial-of-service (DDoS) attacks. Since then, attacks have become common, although ransomware schemes really picked up in 2020. In May 2021, attacks on Accellion, CaptureRX, and Scripps, along with the Colonial Pipeline attack, raised general awareness of the threats of cybersecurity. In addition, the May 2021 cyberattack on the Irish Health Service Executive (HSE) devastated the HSE’s systems and served as a cautionary tale for health care organizations worldwide.
While there have been many high-profile cybersecurity attacks against health care providers since 2014, attacks on clinical laboratories typically don’t make the news unless they are large enough to require the lab to file a report with state or federal agencies. However, in the past year there have been at least two documented large-scale breaches at clinical laboratories, according to a government website that tracks cases that are under investigation.
Nationwide Laboratory Services in Boca Raton, FL, in May 2021 reported a breach that exposed the personal health information of more than 30,000 patients. According to the lab, which has since been acquired by Quest Diagnostics, a ransomware infection began encrypting files stored on its network and also removed a limited number of files from its system. Nationwide engaged external cybersecurity experts to investigate the breach and notified individuals who may have been affected.
Bako Diagnostics (Alpharetta, GA) also experienced a data breach between December 21–28, 2021, which it says potentially exposed the personal health information of more than 25,000 people. The lab “promptly launched a forensic investigation, contacted law enforcement, and took steps to remediate the incident to prevent further activity,” Bako said in a notice on its website. In response to the incident, Bako enhanced its security and monitoring capabilities, as well as hardened its systems to minimize the risk of any similar incident in the future.
In addition, in December 2019, LifeLabs, the largest lab in Canada, said that it had made a payment to cybercriminals to retrieve the sensitive information of about 15 million customers. The attack reportedly occurred in October 2019. However, the company did not say how much it paid to retrieve the information.
Protecting your lab’s assets from cyberthreats
To protect your assets, including patient information and intellectual property, HC3 recommends labs focus on defending against phishing and locking down remote access technologies. In addition, health care organizations—including clinical laboratories—should prioritize vulnerability management and operate with cyber resilience in mind. Organizations should protect their internal infrastructure, but also put more emphasis on protecting the supply chain and individual software components, recommends HC3.
In a report written for HIMSS, Cedric Truss, DHA, MSHI, CPHIMS, program director and clinical assistant professor, health informatics at the Byrdine F. Lewis College of Nursing and Health Professions, Georgia State University, recommends that all organizations take the following steps to prevent being a victim of a ransomware attack:
- Back up your network and systems on a regular basis.
- Provide adequate security awareness training to all employees on information security.
- Ensure security software is current on systems.
- Perform regular risk assessments.
- Validate firewalls that protect your network.
“Taking into consideration that all health care organization are different in size, there is no one plan that fits all that can prevent them from being victims of ransomware attackers,” writes Truss in the HIMSS report. “Cybercriminals have successfully targeted small and large health care organizations. It is important for IT leadership to work within their organizations to implement an action plan that will be effective across the entire organization.”
Protecting your laboratory from cyberattacks does not necessarily have to be expensive, notes Sakys. “Currently, most organization don’t have to invest excessive resources to get adequate security,” he says. “Most cybersecurity solutions operate on a software-as-a-service basis, and it doesn’t take cybersecurity personnel to run them. If a given laboratory is unsure what services they need, hiring a consultant to audit their current cybersecurity posture would be a good starting point.”
Sakys advises that clinical laboratories make cybersecurity an integral component of the general business strategy. “Don’t expect a cybersecurity vendor to solve all of your problems—always remember that the weakest link in cybersecurity is the people,” he says. “Invest in cybersecurity training. Make cybersecurity a part of the company culture—a fundamental tenet. Companies, including clinical laboratories, currently can’t afford to treat cybersecurity as an afterthought.”