Protecting PHI is more important than ever, as cyberattacks on healthcare organizations continue to rise. Safeguard your patient data with these three cybersecurity strategies.

By Ann H. Carlson

Clinical laboratories in the United States collect more than just specimens from patients. Labs must also collect—and safeguard—their patients’ protected health information (PHI), too.

Protecting PHI is more important than ever, as cyberattacks on healthcare organizations continue to rise. Data breaches in healthcare more than doubled between 2018 and 2022, according to The HIPAA Journal1, compromising millions of patient records.

In 2022 alone, U.S. healthcare entities experienced an average of 1,410 weekly cyberattacks per organization, according to a report by Check Point Research2. IBM recently reported that these costly attacks cause healthcare organizations to lose an average of $10.93 million per breach, as opposed to other industries, which spend an average of $4.45 million per breach3, 4.

An attractive target for cyberattacks, PHI remains in high demand on the black market. Stolen medical records fetch between $250 and $1,000 apiece, as compared to credit card numbers, which score only about $100 a pop on the Dark Web5 . This is because medical records contain more valuable personally identifiable information—such as birthdates, social security numbers, and medical histories—that bad actors can exploit in perpetuity.

“Stealing health care records is infinitely more valuable than stealing your credit card because they have your identity for life,” says James F. Jordan, professor of health care and biotechnology at Carnegie Mellon University, as well as the president of StraTactic, a health care and life sciences consulting firm based in Pittsburgh, and is an executive coach specializing in health care, life sciences, medical devices, health care IT, and physician leaders.

While it is generally larger hospital and health care systems that make headlines for data breaches, clinical laboratories are also vulnerable to attack.

“Labs are entrusted with the protection of millions of records of patient health and financial information,” says Lee Kim, senior principal of cybersecurity and privacy for HIMSS. “This makes labs an attractive target.”

Luckily, there are three common-sense cybersecurity strategies you can implement now to help protect your laboratory’s patient data from theft—from training your staff in best practices to working with your vendors to improve cybersecurity throughout your lab.

Strategy #1: Strengthen Your Passwords

In most laboratories, unique usernames and passwords are the twin keys that allow employees to access the databases and other software systems they need to do their jobs. So, it is no surprise that hackers are motivated to guess these credentials to illegally mine patient data.

“Passwords, often, are easily guessed,” says Dennis Winsten, founder of the healthcare systems consulting firm Dennis Winsten and Associates, Tucson, Ariz. “Or, they are so complex that authorized users keep forgetting them or write them down where they can be compromised.”

For this reason, Winsten recommends replacing traditional passwords with biometrics—such as the fingerprint—or face-recognition systems often used to unlock smartphones.

For traditional systems, however, strengthening passwords can be as easy as asking employees to change their passwords regularly is an easy, cost-effective cybersecurity strategy. It is also imperative to change passwords immediately when a cyberattack is suspected.

“Most organizations require that you change your password every 90 days,” says John G. Chromczak, PMP, MLS(ASCP)SH, instrument product manager for Stago North America. He adds that employees should not use any of their previous five passwords during this mandatory update.

Making usernames less predictable for hackers is equally important. “How many of our user IDs start with our e-mail address?” Jordan observes. “We have to stop using e-mail addresses because that’s 50% of the code that we offer publicly.”

Strategy #2: Fend Off Phishing Schemes

Most laboratories and healthcare systems have invested in firewall protection and encryption systems that go a long way toward protecting PHI. Still, hackers exploit any weakness they can to gain entry.

“Nothing is ever going to be perfect,” Chromczak says. “Each day there are vulnerabilities that are discovered that can be exploited by a bad actor, and it’s a challenge for IT departments.”

To protect your data, it is crucial to guard against the most common cyberattacks.

“Phishing, insider threats, and unpatched software are generally the three ways that breaches tend to happen,” Jordan notes.

Phishing schemes are commonly e-mail or text requests for personal information that look like they come from legitimate companies, including banks and healthcare providers. When an employee opens the e-mail and clicks the embedded link, they are directed to a spoofed site where they may unwittingly provide personal or company information to bad actors.

Clicking links in a suspicious e-mail or text may also trigger a ransomware attack, which can shut down a computer or an entire healthcare system until a certain amount of money is paid to the criminals behind it.

“Phishing typically serves as the initial point of compromise for many data breaches,” Kim says. “Phishing is quite common with ransomware campaigns.” 

Training employees to be on alert for these types of schemes can help avoid costly cyberattacks.

“Every clinical laboratory should be doing quarterly phishing training programs,” Chromczak says. “Educating all personnel on the importance of just pausing a moment and being present when you’re interfacing with your computer or reviewing e-mails is the single most effective program any laboratory can implement.”

Even with training, no laboratory employee can detect 100% of potential cybersecurity threats 24/7. That’s where antivirus software comes in.

“AI can be used to detect any anomalies by persons trying to access the system; for example, multiple password entry failures,” Winsten says. “AI could also learn the typing patterns of authorized users, recognize unusual or inconsistent requests for data, monitor access requests coming via the Internet or external sites, and require further validation by contacting an authorized person’s phone for confirmation.”

AI programs are also designed to continuously monitor medical devices and systems for new and emerging threats.

“End-point detection and response (EDR) programs can be installed on medical equipment in the clinical laboratory so that the IT person—regardless of where they are—is getting continual monitoring,” Chromczak says. “They’re quite effective, and it’s becoming the standard to have those types of EDR services in a hospital setting.”

Of course, hackers can use other AI-based technologies to exploit patient data.

“AI has the potential to secure lab data at scale and with greater accuracy,” Kim says. “However, AI can also be used for malicious purposes.” For example, she notes that AI-generated deep-fake audio recordings or videos could be used to impersonate a real individual without their consent.

If a cyberattack does occur, make sure your staff knows the protocol to follow [https://www.nist.gov/cyberframework], including contacting the IT department right away.

“Best practices include ensuring that your workforce and vendors know who to contact if there is an actual or suspected breach,” Kim says. “Additionally, the cybersecurity department should involve legal counsel, the compliance team, and the communications team. A timely and expedient investigation and, as applicable, breach notification are typically required. Don’t forget any contractual obligations you may also have in terms of reporting a suspected breach, an actual breach, or even a security incident.”

After reporting the incident, the next step is mitigation. “Isolate the affected system by unplugging it from the network,” Jordan says.

It is also good practice to have a database backup at the ready that you can access if the original database is ever compromised. “Maintain a separately hosted secure copy of the entire database that is updated periodically, but only after assuring that the primary database is secure,” Winsten advises. 

Strategy #3: Vet Your Vendors

The third-party vendors that provide the software and medical devices for your laboratory play a critical role in protecting your data against breaches.

“There’s so much information that the laboratory is responsible for, and even one patient data leak can cause a ripple effect and can be very expensive,” Chromczak says. “So, from a vendor perspective, we have to demonstrate how we do patch management, what type of hardening activities that we do, and that we are using the most current operating system.” He notes that vendors should be able to work with your lab’s antivirus system, too.

Before signing the dotted line, it is now common practice for health care organizations to submit a detailed questionnaire to potential vendors about their approach to cybersecurity.

“You need to make sure that they’ve got compliance certificates, that the company has a patch-management system, and that there are security features, such as encryption, built into the hardware that you’re using,” Jordan says.

Your vendors must also consistently provide patches and updates to their systems and agree to a regular maintenance schedule.

“The longer an organization waits to patch critical systems and devices, the longer the window of opportunity is for hackers to infiltrate the systems and devices,” Kim says. “Outdated software can also be vulnerable to exploitation. You must be proactive with your patch management program.” 

You also want to ensure that the vendor will keep meticulous records whenever their team accesses your system.

“When granted access, the vendor must disclose the purpose of the access, expected duration, and the identity of the person accessing the system,” Winsten says.

A good vendor will also provide support and clarification on your laboratory’s cybersecurity concerns whenever you need it.

“Never be afraid to ask for help,” Chromczak says. “I’m a laboratorian myself and never trained on any of this while I was in the laboratory. We vendors can be a conduit for support to help the laboratory and IT personnel be confident that the equipment that we provide is secure in their environment.”

To help reduce healthcare cyberattacks, the FDA recently implemented requirements for medical cyber device manufacturers to include a software bill of materials (SBOM) with their premarket approval application6 

The SBOM is essentially an ingredients list that divulges the vendor’s “recipe” for the software being used in an effort to improve transparency with the healthcare community, according to Walt Szablowski, co-founder and chairman of Eracent, an automated software solutions provider based in Riegelsville, Pa.

“For healthcare organizations, it’s extremely important to know what is in the devices, what kind of software, and what vulnerabilities are in the packages that they’re buying,” Szablowski says. “The SBOM needs to be part of an overall vulnerability management system.”

Szablowski also cautions against buying tools that promote cybersecurity without having comprehensive cybersecurity strategies that will maximize the benefits of these tools. For example, just because you purchase one device that offers zero-trust authentication capabilities does not mean that your entire system is automatically protected. Understanding the connections between your devices and the system is crucial to securing your lab.

“Most labs probably have bought a truckload of cybersecurity tools, but they don’t have a designed cybersecurity process with risk analysis, with responsibilities, with a whole plan for cybersecurity,” Szablowski says, adding that having guidelines and checklists in place is key to securing your data. “It’s not that you work harder, you work easier. If you implement better cybersecurity, you’ll have fewer attacks. Your patients will be safer, your intellectual property won’t be stolen. You’ll make more money.”

Be Prepared with Cybersecurity Strategies

The rapid evolution of health care technology promises improved outcomes and access for patients. However, with each new breakthrough comes new software vulnerabilities that could be exploited.

“The challenge that we have is that, at the most basic level, the desire for increased security and the desire for open access to data are mutually exclusive,” Jordan says. “For the cybersecurity person, every connection is a risk, and so it’s going to take a team of people to balance the risk/reward inside these institutions.”

Going forward, Jordan sees investing in cybersecurity as more than just a defense strategy. It is an opportunity to strengthen relationships between your laboratory, patients, and healthcare providers.

“Cybersecurity is part of your brand,” he says. “I think we’re going to move away from investing for defensive reasons and start thinking of it as a way to create brand and trust.”

Chromczak agrees. “As a patient, you have to have trust in the facility,” he says. “That goes beyond the quality of care that you’re receiving, but also trusting that your healthcare providers have the protection of your data in mind as well.”

To meet this goal, laboratories will need to regularly evaluate, update, and fortify their cybersecurity strategies to safeguard their patient data.

“Cybersecurity, necessarily, is a moving target,” Kim says. “The best we can do is to minimize any vulnerabilities today so that we can be better protected tomorrow.”

Cybersecurity Strategies: Resources You Can Use

Here are a few helpful resources to help you evaluate and expand your current cybersecurity plan:

National Institute of Standards and Technology

[https://www.nist.gov/cyberframework]

This government-provided framework offers the building blocks for a robust cybersecurity program centered on five core functions: identify, protect, detect, respond, and recover. Check out their Quick Start Guide to get started. [https://www.nist.gov/cyberframework/getting-started/quick-start-guide]

HHS: Knowledge on Demand

[https://405d.hhs.gov/knowledgeondemand]

Take advantage of these five free online training resources from HHS designed specifically to help educate healthcare staff about cybersecurity threats and how to protect patient data.

Health Industry Cybersecurity Practices (2023)

[https://405d.hhs.gov/Documents/HICP-Main-508.pdf]

Published annually by the HHS, this year’s edition offers helpful statistics about current threat trends and a deeper dive into how to manage today’s cybersecurity threats and protect patients.

Open Web Application Security Project (OWASP)

[https://owasp.org/www-project-top-ten/]

Familiarize yourself with the top ten Web application security risks that could compromise your data.

Implement Critical Security Controls

[https://www.cisecurity.org/controls/cis-controls-list]

Guard against cyberattacks—particularly via e-mail—by implementing these critical security controls in your laboratory.

HHS Breach Portal

[https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf]

Keep abreast of ongoing investigations into cyberattacks against specific healthcare organizations.

About the Author

Ann H. Carlson is a regular contributor to CLP.

REFERENCES

  1. “Healthcare Data Breach Statistics.” Murray-Watson, Rebecca. The HIPAA Journal. Undated. https://www.hipaajournal.com/healthcare-data-breach-statistics/
  2. “Check Point Research Reports a 38% Increase in 2022 Global Cyberattacks.” Check Point Research Team. Check Point. Jan. 5, 2023. https://blog.checkpoint.com/2023/01/05/38-increase-in-2022-global-cyberattacks/
  3. “Cost of a Data Breach Report 2023.” IBM. Undated. https://www.ibm.com/reports/data-breach
  4. “Average cost of healthcare data breach rises to nearly $11M.” Southwick, Ron. Chief Healthcare Executive. July 24, 2023. https://www.chiefhealthcareexecutive.com/view/average-cost-of-healthcare-data-breach-rises-to-nearly-11m
  5. “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” 405(d) Task Group. U.S. Health and Human Services. 2023. https://405d.hhs.gov/Documents/HICP-Main-508.pdf
  6. “FDA’s Medical Device Cybersecurity Program and SBOM.” Wilkerson, Jessica. U.S. Food & Drug Administration. Undated. https://csrc.nist.gov/csrc/media/Presentations/2023/fda-s-medical-device-program-and-sbom/images-media/JWilkerson-ssca-forum-053123.pdf