
Surviving a Cyberattack

Jul 19, 2024 | Clinical Diagnostics Insider, Special Focus-dtet

When it comes to cyberattacks, the threat is “when,” not “if”—and labs must be prepared to mitigate, contain, and recover from breaches

Cyberattacks are on the rise worldwide—and healthcare systems are especially popular targets. Attacks on the healthcare sector rose 74 percent between 2022 and 2023,[1] with an average cost of almost $11 million per breach, by far the highest of any industry.[2] The potential financial burden for labs is staggering—and that’s before factoring in the impact on privacy and patient safety. With some attacks taking months to resolve fully, lab operations can face unacceptable downtime, driving up costs and putting patients’ health at risk.

With so much at stake, labs need to be alert to the risk of cyberattacks—and understand what needs to be done to prevent, contain, and recover from them.

How great is the risk?

“The risk of attacks remains huge,” says Nate Warfield, director of threat research and intelligence at cybersecurity firm Eclypsium. “As we’ve seen starting in 2020, healthcare institutions and labs have been heavily targeted by ransomware gangs. This year, we saw medical facilities crippled twice in a row from the UnitedHealthcare and Change Healthcare attacks.” Why is healthcare such an attractive target? “The motivation behind these attacks is typically monetary; criminals know that healthcare is a critical industry and the victims don’t have as much flexibility to simply incur the downtime, not pay the ransom, and rebuild from scratch. The probability is high that attackers can turn a profit.”

Warfield notes that major areas of vulnerability for clinical labs are common across industries: phishing, lack of multifactor authentication, and unpatched perimeter devices. “All of these attack vectors are extremely useful and network appliance vulnerabilities are being found as zero-days on a nearly weekly basis.” (A zero-day is a previously unknown vulnerability for which no patch exists; the term refers to the fact that, because the vulnerability has been discovered or exploited, there are “zero days” to address it.) “In terms of what can be done to improve, I would say the most important item is enforcing strong passwords and multifactor authentication; after that, prioritize patching perimeter devices.”

Are you ready for a cyberattack?

“Unfortunately, I think most healthcare providers—especially labs, clinics, and regional medical facilities—are underprepared to withstand a cyberattack,” says Warfield. “Unlike large corporations, who may have hundreds or even thousands of people in their security organizations, medical providers may be staffed by a small IT department or possibly even a single person whose job may also include helpdesk, PC setup and troubleshooting, and myriad other responsibilities.”

Because applying security patches can be complex and time-consuming, especially with respect to network appliances, it’s often deprioritized in favor of more urgent tasks. The consequences can be devastating.

“Consider that huge companies exist primarily to help large businesses with remediation [after a cyberattack],” says Warfield. “If all computing systems of even a small lab are wiped out, it’s more than any IT department can handle alone—and the challenge increases exponentially with the size of the lab. Small labs are typically under-resourced in both humans and capital, so if the attack is severe enough, there is a very real risk of the business failing.”

You’ve been targeted—now what?

Experts like Warfield consider the risk of cyberattacks on healthcare systems so high that they’re essentially inevitable.[3] That’s why every lab should have a plan in place for containing the attack, dealing with the aftermath, and alerting organizations they partner with. “Labs need to understand that even something small, like a single user machine suddenly being infected with malware, may be the first indication of a larger attack,” Warfield explains. “Criminals make mistakes too; a single infection could simply be an error during part of a larger operation. Less protected entry points like labs may have VPNs or connectivity back to larger hospitals, insurance providers, and so on. Those should be put on alert to monitor for suspicious activities in their environment, as the lab might only be the entry point for a larger campaign.”

He also recommends notifying patients of the incident as soon as reasonably possible, especially if there is a chance that personally identifying information has been compromised. “An attack will erode patient trust to a degree, but transparency goes a long way. If my hospital were breached, I would rather find out about it from them than hear about it on the news.”

Although mitigation and remediation are important, in cybersecurity—as in health—prevention is better than a cure. Disaster recovery plans should be tested regularly to ensure that they function as intended and that no unexpected obstacles arise when they need to be implemented. Regularly creating and testing backups can help labs get up and running again quickly after an incident. Training staff on not just avoiding, but also recovering from cyberattacks can reduce the overall impact of such incidents and speed up the lab’s return to normal operation.

What’s next for cyber-safety?

“Lab cybersecurity is going to be challenging for a considerable amount of time,” Warfield cautions. “Security is complex, expensive, and time consuming—billion- and trillion-dollar software companies get it wrong every day. Add to this the fact that, for labs, cybersecurity is a cost center—it’s money that could be spent on upgrading equipment that literally saves lives—and it should come as no surprise that equipment and systems tend to be older and infrequently updated. Even the most powerful advancements in security don’t help a lab whose budget can’t afford them.”

In the meantime, a holistic approach to cybersecurity is key. Lab staff should be trained to recognize and report security concerns and labs should establish processes for managing and patching vulnerabilities—especially in network appliances, which are infrequently updated, but whose vulnerabilities are rapidly exploited once discovered. “Medical labs predate the shift to heavy reliance on computers and, over the years, have adopted technology as part of doing business—similar to the shift from newspaper advertising to online,” says Warfield. “As healthcare has gone digital, these systems are now the most mission-critical components of an industry that operates outside cyberspace, but cannot do business without it.”

References:

  1. Check Point. Check Point Software Releases its 2023 Security Report Highlighting Rise in Cyberattacks and Disruptive Malware. February 8, 2023. https://www.checkpoint.com/press-releases/check-point-software-releases-its-2023-security-report-highlighting-rise-in-cyberattacks-and-disruptive-malware.
  2. IBM Security. Cost of a Data Breach Report 2023. July 24, 2023. https://www.ibm.com/downloads/cas/E3G5JMBP.
  3. Wasserman L, Wasserman Y. Hospital cybersecurity risks and gaps: review (for the non-cyber professional). Front Digit Health. 2022;4:862221. doi:10.3389/fdgth.2022.862221.
