 Home 5 Lab Industry Advisor 5 Essential 5 Cybersecurity: What Your Lab Needs to Know

Cybersecurity: What Your Lab Needs to Know

by Tara Cepull, MA | Oct 1, 2024 | Essential, Lab Industry Advisor, Legislation-lca

Recent government efforts to address increased cyberattacks in the healthcare space, and how your lab could benefit

An illustration of a digital hand reaching toward a shield with a healthcare “cross” symbol, showing the concept of healthcare cybersecurity — iStock, ArtemisDiana

The healthcare industry collects and processes sensitive data on patients, and laboratories are no different. Cybercriminals have been targeting more healthcare organizations as of late, leading to breaches costing, on average, nearly $11 million dollars each.¹ Not only is a breach costly, but it can contribute to additional problems such as delays in patient care or interruption of services altogether. Breaches can also negatively affect the finances of the targeted healthcare agency going forward, on top of the cost of the attack itself. With evolving technologies making such attacks even more sophisticated, what efforts are afoot to address the situation, and how may labs benefit?

What is the government doing to address increasing cybersecurity incidents?

Earlier this year, a wide-reaching cyberattack on Change Healthcare significantly impacted billing, eligibility checks, prior authorization requests, and prescription drug fulfillment.² In a press release issued by the White House on June 10, 2024, the administration noted that one of every three healthcare claims were affected by the attack, leading to a delay in payment to providers and likely to patient care, too.³

Because of the critical role that cybersecurity plays in accessing health care, the Biden-Harris administration vowed to help enhance the resiliency of cybersecurity across the healthcare sector, both through federal programs and partnerships with privately-owned companies. The press release notes that the administration:³

Created a cybersecurity website to simplify access to the Department of Health and Human Services’ (HHS’s) information and resources for healthcare-specific cybersecurity. Recommended goals designed to assist with prioritizing cybersecurity practices were also published.

Assembled chief information security officers and other healthcare executives (including care delivery organizations, medical technology companies, and industry associations) to advance cybersecurity solutions.

Launched the Universal Patching and Remediation for Autonomous Defense (UPGRADE) program, an effort that pledged to invest more than $50 million to create tools to better protect hospital data.

Recognized that most rural hospitals are critical access hospitals and play a vital role in the communities they serve, so additional assistance via free or low-cost resources from Microsoft and Google was offered to these roughly 2,000 facilities.

There are also other government efforts to enhance cybersecurity in the healthcare sector. In July, Senator Jacky Rosen, a Democrat from Nevada, co-sponsored a bipartisan bill with two other senators to strengthen the healthcare industry’s cybersecurity.⁴ The Healthcare Cybersecurity Act proposes that the Cybersecurity and Infrastructure Security Agency (CISA), along with HHS, collaborate on improving cybersecurity and create a liaison role that would help coordinate responses during cyberattacks.⁵

Expert insights

But will these government efforts to step up healthcare cybersecurity make a difference?

Marc Machin, chief information security officer and director of technology at FrontRunnerHC, says that current governmental initiatives designed to enhance cybersecurity are good first steps to developing a national approach that provides minimum security baselines for the healthcare sector to follow. By establishing said baseline, clarity is gained in what labs need to focus on in terms of cybersecurity. He emphasizes that these national guidelines are minimum standards, however, and that each state and/or regulatory body can set higher standards.

What does a cyberattack typically look like for a lab?

Ransomware attacks are quite common. In this type of cyberattack, a device is infected with ransomware, the data is encrypted and access denied, and a ransom is requested in order to return the data and access.⁷ Most experts advise against paying the ransom, as the data is oftentimes leaked or sold anyway, as was apparently the case in the Change Healthcare attack.⁸ As a result, the best thing a lab can do is to avoid such an attack in the first place.

Experts suggest the following actions to prevent a ransomware attack:⁹

1. Backing up all systems regularly
2. Providing training on information security to all employees
3. Ensuring all systems are running current security software
4. Performing risk assessments regularly
5. Validating firewalls

His main concern is each individual hospital’s and lab’s ability to follow the guidelines, as the costs and details of any regulatory changes like these can be difficult to navigate, especially at first.

Machin is hopeful that national legislation will take into account that any regulations aimed at hospitals will need to keep in mind the alignment with other parts of the healthcare industry, including laboratories, in order to avoid undue burden. He first recommends, “a focus on strengthening and securing supply chain and vendor links (for example, incident response reporting and notification), because we are seeing a major focus by the threat actors on these links.”

In terms of the costs associated with beefing up security, Machin agrees that the subsidies offered by Microsoft and Google are good to help small facilities get started but emphasizes that investing in cybersecurity can and will be costly regardless. He advocates for additional incentives to help financially stretched facilities reach the minimum cybersecurity requirements. Support from the top of any organization is also critical. “Executive and management support for implementing a security program within a healthcare organization is paramount,” he says.

Cybersecurity insurance coverage

Financial protections in the form of cybersecurity insurance policies also now exist, however, they are not cheap. Depending on the coverage, annual premiums can cost up to $30,000 for small facilities and even top six figures for larger hospital networks. New partnerships are emerging to offer more affordable coverage, but until there are more options, many laboratories may be unable to afford such protection. Thus, without an insurance safety net, labs need to take securing their networks and data seriously.⁶

Final thoughts

Many information security experts agree that it’s not a question of if but when a system will fall under cyberattack. Being prepared is the best way to avoid a breach and maintain security for your lab and its patients. While governmental agencies work to develop national baseline standards for healthcare cybersecurity, labs and health systems will benefit from proactively ensuring their networks and data are secured against hackers looking to steal the sensitive information they contain. Machin stresses that the costs of cybersecurity are worth it for labs and other healthcare organizations. Investing in processes designed to help thwart the success of potential attacks will save labs the cost, time, and frustration expended during breaches, allowing staff to continue providing critical testing to patients.