The Benefits of Penetration Tests in Labs

Feb 23, 2024 | Clinical Diagnostics Insider, Special Focus

Cybersecurity expert explains the importance of such assessments, which simulate malicious attacks to identify IT vulnerabilities.

Any clinical laboratory manager who has not evaluated whether to conduct a “penetration test” of the lab’s IT systems just got another unfortunate reason to do so. In January, a cyberattack at Lurie Children’s Hospital of Chicago caused widespread disruption, including to the facility’s lab services. How the criminal parties accessed Lurie Children’s systems was not immediately explained by hospital executives. However, it is reasonable to assume the intruder found a weakness somewhere.

What is a penetration test?

Ben Denkers, chief services officer at Qwiet

A penetration test can potentially thwart an attack by giving clues ahead of time about a laboratory system’s liabilities, said cybersecurity expert Ben Denkers, chief services officer at Qwiet. Qwiet detects security problems in software code before deployment.

“The penetration test is essentially an activity that not only identifies vulnerabilities, but potentially exploits vulnerabilities from the perspective of a potential attacker to find risks and understand what those risks mean,” Denkers explains. “It’s a simulation of a malicious attacker. What could they possibly do? How could they exploit an application or device? How could they gain access to something?”

A penetration test is among a series of steps that diagnostic laboratories can take to stay ahead of cybersecurity risks.1

Attacks can cost millions to mitigate

After detecting the attack, Lurie Children’s took its phone, e-mail, and electronic medical records systems offline.2 The outage lasted more than a week.

Meanwhile, dozens of news outlets, including national television media, reported on the incident, bringing plenty of unwanted publicity to the hospital.

The cost of the intrusion is to be determined, but research conducted by the Ponemon Institute and analyzed by IBM suggests that Lurie Children’s (or its insurance carrier) will be out millions of dollars in responding to the cyberattack.

In its “Cost of a Data Breach Report 2023,” IBM noted the following:3

  • Since 2020, healthcare data breach costs have increased 53.3 percent.
  • The average cost of a data breach in the healthcare industry is $10.9 million.

IBM considers a data breach to be any security incident that results in unauthorized access to confidential data, such as protected health information.

Penetration test requires outside expertise

A penetration test might cost tens of thousands of dollars for four weeks of work to evaluate a handful of devices or systems in a lab. That is a lot of money up front, but some lab managers will look at that cost as minimal compared to paying millions to mitigate a cyberattack.

“In a clinical setting, you don’t necessarily have that skill set on staff,” Denkers said. “So generally speaking, you would have a third party perform the assessment.”

The first step toward a penetration test is not complicated, he added.

“If you’ve never done a penetration test, you probably have an environment that is ripe with vulnerabilities,” he said. “The first step is to take action, whether that is finding the right firm, figuring out exactly what you want to accomplish, or determining where you feel the risks are highest.”

What a penetration test can reveal

Don’t Worry about Exposure of Patient Information During Simulation

Laboratory managers may worry that a simulated cyberattack, such as through a penetration test, may expose protected health information.

But Ben Denkers of Qwiet dismissed that concern.

“I’ve never really understood that argument,” Denkers explained. “It’s hiding your head in the sand, and it doesn’t accomplish anything because the bad guys are still going to do bad things.”

Denkers agreed there may be minor risks if an outside firm has access to patient information while conducting a penetration test. But those risks pale next to not conducting the assessment and leaving IT security vulnerabilities open to an intruder, he added.

Once a penetration test concludes, labs can expect to get a list of vulnerabilities to address with the IT teams, Denkers said.

Typical weaknesses might include the following, as noted by Denkers:

  • IT credential concerns for employees who must access sensitive information, such as lab test results. Passwords and security tokens are ways to guard credentials, but at times they get improperly shared, which leads to risks.
  • Software vulnerabilities, such as missing security patches. Sometimes lab staff feel they don’t have the time to install patches and instead skip this important safeguard. Remote devices, such as laptops, may be particularly problematic with missing patches, Lab Industry Advisor previously noted.4
  • Subpar security controls, such as ineffective firewalls or antivirus software.

Situations like the incident at Lurie Children’s serve as a stark reminder to clinical lab managers to stay actively vigilant about cybersecurity.

A penetration test may not fit the budget of every lab or parent organization. However, it is a viable tool to push the boundaries of IT security and uncover any vulnerabilities that a hacker might be able to take advantage of.

References:

1. https://www.clinicallab.com/clinical-lab-automation-improving-patient-privacy-and-data-security-27406

2. https://www.luriechildrens.org/en/cybersecurity-matter/

3. https://www.ibm.com/reports/data-breach

4. https://www.g2intelligence.com/expert-qa-trends-in-cybersecurity-and-how-labs-can-protect-themselves/