Address correspondence to this author at: Department of Laboratory Medicine and Pathology, Mayo Clinic, Stabile 3-54, 200 First Street SW, Rochester, MN 55905. E-mail mcclintock.david@mayo.edu.
Search for other works by this author on:Denotes shared first authorship.
The Journal of Applied Laboratory Medicine, Volume 8, Issue 1, January 2023, Pages 145–161, https://doi.org/10.1093/jalm/jfac119
04 January 2023 18 June 2022 26 October 2022 04 January 2023Ankush U Patel, Christopher L Williams, Steven N Hart, Christopher A Garcia, Thomas J S Durant, Toby C Cornish, David S McClintock, Cybersecurity and Information Assurance for the Clinical Laboratory, The Journal of Applied Laboratory Medicine, Volume 8, Issue 1, January 2023, Pages 145–161, https://doi.org/10.1093/jalm/jfac119
Navbar Search Filter Mobile Enter search term Search Navbar Search Filter Enter search term SearchNetwork-connected medical devices have rapidly proliferated in the wake of recent global catalysts, leaving clinical laboratories and healthcare organizations vulnerable to malicious actors seeking to ransom sensitive healthcare information. As organizations become increasingly dependent on integrated systems and data-driven patient care operations, a sudden cyberattack and the associated downtime can have a devastating impact on patient care and the institution as a whole. Cybersecurity, information security, and information assurance principles are, therefore, vital for clinical laboratories to fully prepare for what has now become inevitable, future cyberattacks.
This review aims to provide a basic understanding of cybersecurity, information security, and information assurance principles as they relate to healthcare and the clinical laboratories. Common cybersecurity risks and threats are defined in addition to current proactive and reactive cybersecurity controls. Information assurance strategies are reviewed, including traditional castle-and-moat and zero-trust security models. Finally, ways in which clinical laboratories can prepare for an eventual cyberattack with extended downtime are discussed.
The future of healthcare is intimately tied to technology, interoperability, and data to deliver the highest quality of patient care. Understanding cybersecurity and information assurance is just the first preparative step for clinical laboratories as they ensure the protection of patient data and the continuity of their operations.
IMPACT STATEMENTRecently, cyberattacks have caught major healthcare organizations off guard, sending them into extended downtimes that disrupt clinical operations, negatively impact patient care, and cost organizations millions of dollars. A lack of cybersecurity education and awareness has left clinical laboratories, and healthcare overall, at risk of these events, with most not understanding cybersecurity beyond a superficial understanding of passwords, antivirus software, and virtual private networks. In this review, we discuss the importance of cybersecurity, common risks and threats present today, information assurance strategies, and how clinical laboratories can begin to prepare for their own inevitable cyber event.
You are sitting at your desk, eagerly awaiting 5 o’clock before embarking on a well-deserved, week-long vacation. With an hour left, you see 2 new email messages: the first stating your password will expire within 24 h, the second reminding you to complete your (now past due) mandatory online cybersecurity training. You hastily click the first email’s link and enter your username/password to login, noting your institution must have recently redesigned the password self-service portal. You create a new password, close your web browser, and make a note to complete your cybersecurity training after vacation. At 4:55 PM, you notice a popup on your screen demanding a sizable cryptocurrency ransom to unlock the workstation. You frantically check another workstation in the laboratory and see the same banner. As you hurry through the laboratory, you see other staff complaining about how all the workstations are inaccessible and laboratory instrumentation is not working properly. A sinking feeling fills the pit of your stomach as you recall “changing” your password….
In response, the institution shuts down their networks, including all intranet, virtual private network (VPN), and internet connections. While protective in nature, this defensive measure has drastic consequences for hospital operations and patient care. First and foremost, it disables access to all health information systems (HISs) with access to protected health information (PHI), including the electronic health record (EHR), laboratory information system (LIS), primary interface engine, middleware, billing systems, imaging systems, and many others. Communication systems, including voice over internet protocol (VoIP) phones, email, instant messaging, and paging systems also go down. All networked endpoint devices, from desktop workstations to printers, become inaccessible. Cloud-based resources integrated with institutional user authentication servers (e.g., Microsoft Office 365, document management systems, cloud storage platforms) are unreachable, even from outside the hospital network. All laboratory and other medical instrumentation reliant on interfaced messaging and consistent network connectivity to orchestrate complex workflows are now completely inoperable. Hospital internet of things (IoT) devices are further affected, including remote patient monitoring devices, pneumatic tube systems, smart elevators, smart thermostats, infusion pumps, heating ventilation and air conditioning systems, laboratory freezers and refrigerators, liquid handlers, and automated temperature monitoring. Surgeries and clinical procedures are canceled, while radiology, oncology, phlebotomy, and all other outpatient clinic visits are either canceled or drastically delayed.
While the case scenario described here is bleak, it accurately reflects the impact of ransomware attacks observed in hospital systems and beyond ( 1–8). Patient care impacts are crippling, at times requiring affected hospitals to divert patients to alternative facilities, some more than 100 miles away ( 9, 10). Inevitably, a return to analog phones, fax machines, local printing, and handwritten notes occurs ( 4, 7). Additionally, younger physicians, nurses, and allied health staff may not have experience practicing medicine without an EHR, which can manifest unexpected problems such as struggling when interpreting cursive penmanship and unawareness of common issues with handwritten notes and orders ( 11, 12).
In healthcare, interconnectedness has become mission-critical to all stakeholders, creating a unifying dependency on information systems and automated tools ( 13). Our waning ability to sustain normal operations during protracted downtimes therefore demands continual and obsessive focus on preventing unexpected downtimes, in addition to exhaustive disaster recovery planning ( 14). Although ransomware only recently has been more prominent in healthcare cybersecurity risk management, such attacks epitomize the overwhelming challenges hospital information security groups face when balancing between system access and protection, especially since technology-driven systems are seen in practically every aspect of medicine. An explosion of EHR adoption and healthcare data is further fueling these challenges, with an estimated 153 exabytes (EB) of data produced in 2013 increasing to 2134 EB (2.13 zettabytes!) in 2020 ( 15–17).
Pathology informaticians are stewards of clinical laboratory data who strive to deliver “the right information to the right person, at the right place, at the right time, and in the right way” ( 18). They do this by understanding the information systems, connectivity, and clinical workflows within, and contributing to, the clinical laboratories. While this knowledge was sufficient heading into the 2010s, over the past decade information security issues have begun to dominate IT operations such that security has become a bottleneck for both hospital and laboratory IT projects. Further, as clinical laboratories continue to evolve with advances in computational pathology and artificial intelligence, risks accompanying a full digital transformation become unequivocally critical. This review aims to fill the current gap most pathologists and laboratorians have regarding: (a) cybersecurity, information security, and information assurance principles; (b) cybersecurity risks/threats; (c) information assurance strategies; and (d) how clinical laboratories can prepare themselves for when, not if, they are victims of a cyberattack.
Multiple terms have emerged to describe the spectrum through which systems can be considered perfectly secure or “air-gapped” (i.e., isolated from the network, with no remote access to the system), vs fully user friendly or “open” (unauthenticated easy access to all). Three of the most commonly used terms today are cybersecurity, information security, and information assurance ( Table 1) ( 19). While similar, each of these terms do differ and form the foundation of an institution’s cybersecurity and information risk management program.
Glossary of common cybersecurity terms.
| Term . | Definition . |
|---|---|
| Cybersecurity | Protecting information by preventing, detecting, and responding to network attacks. |
| Information security | Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide confidentiality, integrity, and availability. |
| Information Assurance | Protecting information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. Measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. |
| Availability | Ensuring timely and reliable access to and use of information. |
| Integrity | Guarding against improper information modification or destruction while ensuring information nonrepudiation and authenticity. |
| Authentication | Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. |
| Confidentiality | Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. |
| Nonrepudiation | Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information. |
| Term . | Definition . |
|---|---|
| Cybersecurity | Protecting information by preventing, detecting, and responding to network attacks. |
| Information security | Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide confidentiality, integrity, and availability. |
| Information Assurance | Protecting information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. Measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. |
| Availability | Ensuring timely and reliable access to and use of information. |
| Integrity | Guarding against improper information modification or destruction while ensuring information nonrepudiation and authenticity. |
| Authentication | Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. |
| Confidentiality | Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. |
| Nonrepudiation | Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information. |
Note: Terms above are provided verbatim from the National Institute of Standards and Technology Computer Security Resource Center (NIST CSRC, https://csrc.nist.gov).
Glossary of common cybersecurity terms.
| Term . | Definition . |
|---|---|
| Cybersecurity | Protecting information by preventing, detecting, and responding to network attacks. |
| Information security | Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide confidentiality, integrity, and availability. |
| Information Assurance | Protecting information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. Measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. |
| Availability | Ensuring timely and reliable access to and use of information. |
| Integrity | Guarding against improper information modification or destruction while ensuring information nonrepudiation and authenticity. |
| Authentication | Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. |
| Confidentiality | Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. |
| Nonrepudiation | Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information. |
| Term . | Definition . |
|---|---|
| Cybersecurity | Protecting information by preventing, detecting, and responding to network attacks. |
| Information security | Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide confidentiality, integrity, and availability. |
| Information Assurance | Protecting information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. Measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. |
| Availability | Ensuring timely and reliable access to and use of information. |
| Integrity | Guarding against improper information modification or destruction while ensuring information nonrepudiation and authenticity. |
| Authentication | Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. |
| Confidentiality | Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. |
| Nonrepudiation | Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information. |
Note: Terms above are provided verbatim from the National Institute of Standards and Technology Computer Security Resource Center (NIST CSRC, https://csrc.nist.gov).
Cybersecurity has leaped to prominence throughout healthcare, affecting a growing cohort of stakeholders striving to understand a rapidly changing digital topography ( Table 2) ( 20). While multiple definitions exist for cybersecurity, pathologists and laboratorians should recognize its fundamental premise of protection, prevention, and defense against malicious attacks. Information security builds on cybersecurity, adding in tactics ensuring data confidentiality, integrity, and availability through protections against improper system access, use, modification, and/or system failure due to internal or external causes. Finally, information assurance includes both cybersecurity and information security measures while also incorporating: (a) HIPAA/PHI compliance principles, (b) system authentication and information nonrepudiation, (c) risk management and mitigation policies, (d) consistent auditing of cybersecurity, information system, compliance, and device policies and procedures, and (e) enforcement of information management and security policies ( 21).
Cybersecurity objectives by healthcare stakeholder.
Abbreviations: CISO, Chief Information Security Officer; CEO, Chief Executive Officer; CIO, Chief Information Officer; COO, Chief Operating Officer; CHIO, Chief Health Information Officer; CMIO, Chief Medical Information Officer; ACMIO, Associate Chief Medical Information Officer.
Cybersecurity objectives by healthcare stakeholder.
Abbreviations: CISO, Chief Information Security Officer; CEO, Chief Executive Officer; CIO, Chief Information Officer; COO, Chief Operating Officer; CHIO, Chief Health Information Officer; CMIO, Chief Medical Information Officer; ACMIO, Associate Chief Medical Information Officer.
An example of the evolving nature of cybersecurity and information assurance practices can be seen in the wake of the SARS-CoV-2 (COVID-19) global pandemic, where hospital IT and laboratory/medical device deployments were accelerated from months/years to days/weeks to meet the testing, treatment, and communication needs of a newly stay-at-home and quarantining population ( 22, 23). These efforts were critical in fighting waves of COVID-19 variants; however, the byproduct was a target-rich environment for malicious attacks as enterprises struggled with securing both the influx of new devices/software and substantial pre-existing portfolios of legacy technology:
Of note, the authors recognize that many of the hardware issues listed here are difficult to fix for clinical laboratories (especially in categories 1–4), both due to the complexity in switching out FDA-regulated lab instrumentation in addition to the capital budget limitations for many institutions. However, the cybersecurity risks with aging workstations and equipment are significant—when brought to the attention of one’s information security office, they can be leveraged when prioritizing new capital requests and hardware replacements within one’s organization.
Further complicating matters is the modern clinical laboratory’s dependence on interfaces to receive orders, transmit results, and orchestrate complex and high-volume automated workflows ( 4, 6). Clinical laboratories rely on interconnected systems and a continuous bidirectional flow of data from many different HISs within a healthcare organization (HCO), leaving laboratories highly vulnerable to disruptions incurred by cyberattacks ( 2).
Although hospitals and laboratories have invested heavily in EHRs, LISs, and other HISs, many institutions have not implemented appropriate information security measures for these essential tools. Modern cybersecurity vendors lack experience with niche healthcare software and legacy medical devices to provide robust protection ( 29). This is especially true with clinical laboratory instrumentation and software, which range from being highly regulated (FDA-cleared) to custom developed (middleware and laboratory developed tests). Also deficient are the IT and business continuity infrastructures required to negotiate an attack, survive an extended downtime, implement a recovery plan, and return to normal operations. Under such conditions, a cyberattack is more likely to disrupt patient care, threaten patient safety, derail medical training, degrade employee well-being, tarnish HCO reputations, and inflict significant financial losses ( 3–6, 30).
Healthcare has seen increasingly frequent, globally reaching cyber threats ( Table 3), ranging from ransomware to distributed denial of service attacks, with some going unnoticed for a year while others strike during inopportune times when disruptions are less likely to be met with a robust response ( 31–34). Although a security breach has the potential to cripple an entire hospital system within minutes, effects may linger for years as the fallout, recovery, and inevitable lawsuits proceed ( 35–37). Previous attacks have required rebuilding entire IT infrastructures with subsequent data and file repopulation from backup systems. Additionally, thousands of infected computers and miscellaneous endpoint devices must be manually assessed for further damages. This effort to recover from an attack is compounded by the additional manual efforts of reverting to downtime procedures by clinical staff. Difficult decisions must be made about “making the EHR whole” vs leaving some patient information only in the paper chart or not billing for all tests performed during the downtime ( 6). This devastating blow to productivity, morale, and patient care is challenging for any organization to absorb.
Common cybersecurity risks and threats.
| Threat . | Definition (risk families grouped together by color) . |
|---|---|
| Malware | Software or firmware intentionally designed to exploit network vulnerabilities via automated, unauthorized access compromising user privacy and computer usability via data theft and/or destruction of data. Variants of malware include ransomware, Trojans, spyware, worms, and viruses. |
| ȃRansomware | Denies access to victim data by either locking (nonencrypting) or encrypting the target user system, with subsequent demands to publish or destroy data unless a ransom is met, usually in the form of untraceable cryptocurrency. |
| ȃTrojan | Mimics (“spoofs”) legitimate software tricking users into running a program that causes damages via backdoor (bypassing security authentication) entry into a host; does not spread automatically and remains within the infected host. |
| ȃSpyware | Spreads without user knowledge while collecting, recording, and transmitting user activities, data, and information to an unauthorized third party. Data later can be used to initiate other malware attacks. |
| ȃWorm | Subset of the Trojan family of malware; spreads without user knowledge; standalone program that self-replicates throughout a network without human activation following a breach in vulnerable software. |
| ȃVirus | Causes alteration of system operations via attachment to a legitimate program followed by propagation throughout an entire network; require a host to replicate. |
| Phishing | Social engineering method used to trick targets into divulging sensitive information via transmission of legitimately disguised fraudulent communications. Variants of phishing include spear phishing, voice phishing, SMS phishing, and whaling. |
| ȃSpear phishing | Phishing attempts targeting specific individuals or groups within an organization. |
| ȃVishing | Voice phishing compels victims to divulge sensitive information by inciting a panic response following voice-communication, e.g., phonecall. Devices utilized to aid threat actors in vishing attempts include voice-changing and VoIP software, caller ID spoofing. |
| ȃSmishing | SMS phishing; leverages SMS text messages to target victims including live chat tools facilitating patient and provider communication. |
| ȃWhaling | Whaling: variant of spear phishing specifically targeting high-level executives, e.g., C-suite, employees. |
| Man in the Middle (MitM) | Disruption of data via third-party interception of communication between 2 parties or instruments, e.g., medical devices. MitM attacks may be executed through IP spoofing, session hijacking, and eavesdropping. |
| ȃInternet Protocol (IP) Spoofing | An attacker modifies their source IP address to disguise their identity so that they may impersonate a computer from a legitimate network, fooling the receiving system into thinking the modified IP address is from a trusted source. |
| ȃSession Hijacking | Takeover of an internet session via theft of a valid session ID from a legitimate user. Hackers may then assume user identity to steal data and gain unauthorized access to additional systems via single sign on (SSO). |
| ȃEavesdropping Attacks | Executed by attackers passively listening to weak or insecure network connections, e.g., nonencrypted connections between a client and user, reading and stealing data as it is transmitted between 2 devices. |
| Insider Threats | Originate from within the targeted organization, either wittingly or unintentionally by those who have or had authorized access or knowledge of an organization's resources including personnel, facilities, information, equipment, networks, and systems. |
| Cross-Site Scripting | Malicious scripts are inserted into trusted web pages or applications that then deliver the malicious code to the target browser on access. Vehicles commonly used are forums, message boards, and web pages allowing comments. |
| IoT Attacks | Vulnerabilities in medical devices connected to a network that may be breached for access to sensitive user data. |
| Zero-Day Exploit | Attacks exploiting previously unknown software vulnerabilities before organizations have time to patch them. |
| Distributed Denial of Service (DDoS) | Hinders the access of legitimate users to a target system or services by overwhelming the network with traffic. DDoS attacks may serve as a foothold for threat actors to deploy malware, e.g., ransomware, while distracting victims. |
| Threat . | Definition (risk families grouped together by color) . |
|---|---|
| Malware | Software or firmware intentionally designed to exploit network vulnerabilities via automated, unauthorized access compromising user privacy and computer usability via data theft and/or destruction of data. Variants of malware include ransomware, Trojans, spyware, worms, and viruses. |
| ȃRansomware | Denies access to victim data by either locking (nonencrypting) or encrypting the target user system, with subsequent demands to publish or destroy data unless a ransom is met, usually in the form of untraceable cryptocurrency. |
| ȃTrojan | Mimics (“spoofs”) legitimate software tricking users into running a program that causes damages via backdoor (bypassing security authentication) entry into a host; does not spread automatically and remains within the infected host. |
| ȃSpyware | Spreads without user knowledge while collecting, recording, and transmitting user activities, data, and information to an unauthorized third party. Data later can be used to initiate other malware attacks. |
| ȃWorm | Subset of the Trojan family of malware; spreads without user knowledge; standalone program that self-replicates throughout a network without human activation following a breach in vulnerable software. |
| ȃVirus | Causes alteration of system operations via attachment to a legitimate program followed by propagation throughout an entire network; require a host to replicate. |
| Phishing | Social engineering method used to trick targets into divulging sensitive information via transmission of legitimately disguised fraudulent communications. Variants of phishing include spear phishing, voice phishing, SMS phishing, and whaling. |
| ȃSpear phishing | Phishing attempts targeting specific individuals or groups within an organization. |
| ȃVishing | Voice phishing compels victims to divulge sensitive information by inciting a panic response following voice-communication, e.g., phonecall. Devices utilized to aid threat actors in vishing attempts include voice-changing and VoIP software, caller ID spoofing. |
| ȃSmishing | SMS phishing; leverages SMS text messages to target victims including live chat tools facilitating patient and provider communication. |
| ȃWhaling | Whaling: variant of spear phishing specifically targeting high-level executives, e.g., C-suite, employees. |
| Man in the Middle (MitM) | Disruption of data via third-party interception of communication between 2 parties or instruments, e.g., medical devices. MitM attacks may be executed through IP spoofing, session hijacking, and eavesdropping. |
| ȃInternet Protocol (IP) Spoofing | An attacker modifies their source IP address to disguise their identity so that they may impersonate a computer from a legitimate network, fooling the receiving system into thinking the modified IP address is from a trusted source. |
| ȃSession Hijacking | Takeover of an internet session via theft of a valid session ID from a legitimate user. Hackers may then assume user identity to steal data and gain unauthorized access to additional systems via single sign on (SSO). |
| ȃEavesdropping Attacks | Executed by attackers passively listening to weak or insecure network connections, e.g., nonencrypted connections between a client and user, reading and stealing data as it is transmitted between 2 devices. |
| Insider Threats | Originate from within the targeted organization, either wittingly or unintentionally by those who have or had authorized access or knowledge of an organization's resources including personnel, facilities, information, equipment, networks, and systems. |
| Cross-Site Scripting | Malicious scripts are inserted into trusted web pages or applications that then deliver the malicious code to the target browser on access. Vehicles commonly used are forums, message boards, and web pages allowing comments. |
| IoT Attacks | Vulnerabilities in medical devices connected to a network that may be breached for access to sensitive user data. |
| Zero-Day Exploit | Attacks exploiting previously unknown software vulnerabilities before organizations have time to patch them. |
| Distributed Denial of Service (DDoS) | Hinders the access of legitimate users to a target system or services by overwhelming the network with traffic. DDoS attacks may serve as a foothold for threat actors to deploy malware, e.g., ransomware, while distracting victims. |
Common cybersecurity risks and threats.
| Threat . | Definition (risk families grouped together by color) . |
|---|---|
| Malware | Software or firmware intentionally designed to exploit network vulnerabilities via automated, unauthorized access compromising user privacy and computer usability via data theft and/or destruction of data. Variants of malware include ransomware, Trojans, spyware, worms, and viruses. |
| ȃRansomware | Denies access to victim data by either locking (nonencrypting) or encrypting the target user system, with subsequent demands to publish or destroy data unless a ransom is met, usually in the form of untraceable cryptocurrency. |
| ȃTrojan | Mimics (“spoofs”) legitimate software tricking users into running a program that causes damages via backdoor (bypassing security authentication) entry into a host; does not spread automatically and remains within the infected host. |
| ȃSpyware | Spreads without user knowledge while collecting, recording, and transmitting user activities, data, and information to an unauthorized third party. Data later can be used to initiate other malware attacks. |
| ȃWorm | Subset of the Trojan family of malware; spreads without user knowledge; standalone program that self-replicates throughout a network without human activation following a breach in vulnerable software. |
| ȃVirus | Causes alteration of system operations via attachment to a legitimate program followed by propagation throughout an entire network; require a host to replicate. |
| Phishing | Social engineering method used to trick targets into divulging sensitive information via transmission of legitimately disguised fraudulent communications. Variants of phishing include spear phishing, voice phishing, SMS phishing, and whaling. |
| ȃSpear phishing | Phishing attempts targeting specific individuals or groups within an organization. |
| ȃVishing | Voice phishing compels victims to divulge sensitive information by inciting a panic response following voice-communication, e.g., phonecall. Devices utilized to aid threat actors in vishing attempts include voice-changing and VoIP software, caller ID spoofing. |
| ȃSmishing | SMS phishing; leverages SMS text messages to target victims including live chat tools facilitating patient and provider communication. |
| ȃWhaling | Whaling: variant of spear phishing specifically targeting high-level executives, e.g., C-suite, employees. |
| Man in the Middle (MitM) | Disruption of data via third-party interception of communication between 2 parties or instruments, e.g., medical devices. MitM attacks may be executed through IP spoofing, session hijacking, and eavesdropping. |
| ȃInternet Protocol (IP) Spoofing | An attacker modifies their source IP address to disguise their identity so that they may impersonate a computer from a legitimate network, fooling the receiving system into thinking the modified IP address is from a trusted source. |
| ȃSession Hijacking | Takeover of an internet session via theft of a valid session ID from a legitimate user. Hackers may then assume user identity to steal data and gain unauthorized access to additional systems via single sign on (SSO). |
| ȃEavesdropping Attacks | Executed by attackers passively listening to weak or insecure network connections, e.g., nonencrypted connections between a client and user, reading and stealing data as it is transmitted between 2 devices. |
| Insider Threats | Originate from within the targeted organization, either wittingly or unintentionally by those who have or had authorized access or knowledge of an organization's resources including personnel, facilities, information, equipment, networks, and systems. |
| Cross-Site Scripting | Malicious scripts are inserted into trusted web pages or applications that then deliver the malicious code to the target browser on access. Vehicles commonly used are forums, message boards, and web pages allowing comments. |
| IoT Attacks | Vulnerabilities in medical devices connected to a network that may be breached for access to sensitive user data. |
| Zero-Day Exploit | Attacks exploiting previously unknown software vulnerabilities before organizations have time to patch them. |
| Distributed Denial of Service (DDoS) | Hinders the access of legitimate users to a target system or services by overwhelming the network with traffic. DDoS attacks may serve as a foothold for threat actors to deploy malware, e.g., ransomware, while distracting victims. |
| Threat . | Definition (risk families grouped together by color) . |
|---|---|
| Malware | Software or firmware intentionally designed to exploit network vulnerabilities via automated, unauthorized access compromising user privacy and computer usability via data theft and/or destruction of data. Variants of malware include ransomware, Trojans, spyware, worms, and viruses. |
| ȃRansomware | Denies access to victim data by either locking (nonencrypting) or encrypting the target user system, with subsequent demands to publish or destroy data unless a ransom is met, usually in the form of untraceable cryptocurrency. |
| ȃTrojan | Mimics (“spoofs”) legitimate software tricking users into running a program that causes damages via backdoor (bypassing security authentication) entry into a host; does not spread automatically and remains within the infected host. |
| ȃSpyware | Spreads without user knowledge while collecting, recording, and transmitting user activities, data, and information to an unauthorized third party. Data later can be used to initiate other malware attacks. |
| ȃWorm | Subset of the Trojan family of malware; spreads without user knowledge; standalone program that self-replicates throughout a network without human activation following a breach in vulnerable software. |
| ȃVirus | Causes alteration of system operations via attachment to a legitimate program followed by propagation throughout an entire network; require a host to replicate. |
| Phishing | Social engineering method used to trick targets into divulging sensitive information via transmission of legitimately disguised fraudulent communications. Variants of phishing include spear phishing, voice phishing, SMS phishing, and whaling. |
| ȃSpear phishing | Phishing attempts targeting specific individuals or groups within an organization. |
| ȃVishing | Voice phishing compels victims to divulge sensitive information by inciting a panic response following voice-communication, e.g., phonecall. Devices utilized to aid threat actors in vishing attempts include voice-changing and VoIP software, caller ID spoofing. |
| ȃSmishing | SMS phishing; leverages SMS text messages to target victims including live chat tools facilitating patient and provider communication. |
| ȃWhaling | Whaling: variant of spear phishing specifically targeting high-level executives, e.g., C-suite, employees. |
| Man in the Middle (MitM) | Disruption of data via third-party interception of communication between 2 parties or instruments, e.g., medical devices. MitM attacks may be executed through IP spoofing, session hijacking, and eavesdropping. |
| ȃInternet Protocol (IP) Spoofing | An attacker modifies their source IP address to disguise their identity so that they may impersonate a computer from a legitimate network, fooling the receiving system into thinking the modified IP address is from a trusted source. |
| ȃSession Hijacking | Takeover of an internet session via theft of a valid session ID from a legitimate user. Hackers may then assume user identity to steal data and gain unauthorized access to additional systems via single sign on (SSO). |
| ȃEavesdropping Attacks | Executed by attackers passively listening to weak or insecure network connections, e.g., nonencrypted connections between a client and user, reading and stealing data as it is transmitted between 2 devices. |
| Insider Threats | Originate from within the targeted organization, either wittingly or unintentionally by those who have or had authorized access or knowledge of an organization's resources including personnel, facilities, information, equipment, networks, and systems. |
| Cross-Site Scripting | Malicious scripts are inserted into trusted web pages or applications that then deliver the malicious code to the target browser on access. Vehicles commonly used are forums, message boards, and web pages allowing comments. |
| IoT Attacks | Vulnerabilities in medical devices connected to a network that may be breached for access to sensitive user data. |
| Zero-Day Exploit | Attacks exploiting previously unknown software vulnerabilities before organizations have time to patch them. |
| Distributed Denial of Service (DDoS) | Hinders the access of legitimate users to a target system or services by overwhelming the network with traffic. DDoS attacks may serve as a foothold for threat actors to deploy malware, e.g., ransomware, while distracting victims. |
While clinical laboratories may feel somewhat removed from their organization’s information assurance efforts, it is important for laboratory directors, managers, and supervisors to be familiar with the different types of cybersecurity risk and threat present today ( Table 3), in addition to the cyber kill chain. Briefly, the cyber kill chain ( Fig. 1A) is a reproducible model describing the different stages of a typical cyberattack, with each stage an opportunity to identify vulnerabilities and proactively defend against or react to an attack ( 38). The common stages include: (a) Reconnaissance; (b) Weaponization; (c) Delivery; (d) Exploitation, (e) Installation; (f) Command and control; and (g) Action. The kill chain has been used to trace the various steps adversaries pass through before successfully breaching a network or specific system, such that the progression of an attack can be understood and potentially mitigated ( 39).
The cyber kill chain, common clinical laboratory vulnerabilities, and information security strategies. (A), Malicious attacks follow a typical pattern of activity, with each stage an opportunity to detect and mitigate the effects of the attack. Common clinical laboratory vulnerabilities present today are best represented by the reconnaissance, exploitation, and installation stages of the cyber kill chain; (B), Information security strategies work to minimize risk and maximize defenses at each stage of the cyber kill chain. Traditional information security strategies utilize the castle-and-moat model (top), where the bulk of one’s cybersecurity defenses are focused on keeping network “invaders” outside the organization’s (castle) network security perimeter (moat). Once inside, e.g., by being on-site or remotely via a secure VPN, the user can potentially achieve full access to the organization’s internal data and IT resources. Conversely, in a zero-trust security model (bottom), no user or application is trusted by default and it is assumed security risks are present both inside and outside the network. Zero-trust security principles require every network user and device to consistently authenticate their identity and request authorization before being granted access to specific internal data and/or applications. Implementing unified identify and access management, such as single sign on (SSO) and providing users with only the data and permissions they need through contextual access policies are principal components of zero-trust frameworks. Abbreviations: FDA, Food and Drug Administration; USB, universal serial bus; COVID-19, coronavirus SARS-CoV2; POCT, point of care testing; HLA, human leukocyte antigen; PDF, portable document format.
For clinical labs, the most pertinent cyber kill chain stages are reconnaissance, exploitation, and installation—these stages are linked to the many different potential security vulnerabilities present within clinical laboratories as related to their instrumentation, software, and system infrastructure. As shown in Fig. 1A, there are several instrumentation and software issues within the clinical labs associated with the presence of older, legacy systems that are no longer fully supported by the vendor or cannot be updated with present day cybersecurity fixes. Further, the presence of a diversity of LISs/LIS modules for specific laboratory functions, custom-developed or vendor-supplied middleware, and potentially >100 instrument and system interfaces add complexity to clinical laboratories that is generally under documented by cybersecurity groups in health care institutions. These unknown vulnerabilities, combined with aging/out of date system infrastructures, makes laboratories prime targets for cybercriminal exploitation.
Cybercriminals may remain dormant and undetected for many months following establishment of a foothold within a target network. Depending on the hacker’s monetization strategy, sensitive information might be siphoned off or data backups compromised before the overt ransomware attack is initiated. Ransomware attempts to encrypt as much of an organization’s data as possible, using military grade encryption algorithms practically irreversible via brute force. On ransom payment, the encryption key is provided, allowing for instantaneous decryption; however, even with ransom payment, a long process of cleansing systems and evaluating for lingering malware must still occur. For HCOs, the threat of the ransomware’s operational impact typically generates the most value for an attacker ( 40). Currently, ransoms, if paid, costs organizations roughly US$762 000 on average (not counting the remediation/recovery costs), which is a sum that must be measured against the far more costly clinical service line disruptions and loss of revenue an extended downtime brings. For example, the 2017 “WannaCry” ransomware attack crippling the United Kingdom’s National Health Service resulted in losses reaching GBP£92 million (or approximately US$115 million) ( 41), and the recent University of Vermont Medical Center and Scripps Health cyberattacks had losses of approximately US$63 million and US$113 million, respectively ( 35, 42).
Ransomware and other malware attacks are increasingly utilizing 0-day exploits, or previously unknown or undisclosed vulnerabilities, for which an absence of existing patches or threat signatures for the exploited vulnerability make defense against these types of attack immensely difficult (i.e., you have 0 days to react to them) ( 43, 44). Ideally, once a vulnerability is disclosed, a patch is developed by the original supplier of the system (e.g., Microsoft for Windows 10, Apple for MacOS) and made available as quickly as possible, although this is not always the case ( 45, 46). Unfortunately, if the system affected is old enough, software vendors will not typically provide patches for “outdated” systems (e.g., Windows XP, Windows 7). In the clinical laboratories, and healthcare in general, the propensity to not upgrade systems and devices on both a frequent and regular basis translates to a greatly increased risk for 0-day exploits. Following an analysis of 1.2 million IoT devices across enterprise IT and HCOs in 2020, an IoT threat report found that up to 83% of medical devices were running on unsupported, and therefore unpatched, operating systems, e.g., Windows 7, Windows XP, and older versions of Linux ( 47).
Given escalating cybersecurity risks and threats, it is only natural that cybersecurity programs have evolved from reacting to intrusions after they occur to proactively preventing and deterring threats before they happen ( Table 4). A combination of both reactive and proactive controls forms the cybersecurity foundation of information assurance strategies. While all controls in Table 4 are pertinent to the clinical laboratories, we ask that laboratory leadership and staff take notice of the proactive preventive controls and reactive recovery controls given they are ones the lab can actively participate in and influence.
Proactive vs reactive information security controls.
| Control type . | Definition/examples . |
|---|---|
| Proactive controls | Preemptive identification and mitigation of an organization’s security weaknesses through policies, procedures, training, and active processes to identify threats and vulnerabilities before they occur |
| ȃPreventive | Ensure attacks against a target are not possible or not successful. • Establishment of a cybersecurity culture and program (training, education, funding) • Active protection of networks, servers, and software applications (preemptive vulnerability detection, ethical hacking) • Regular maintenance of the EHR, LIS, and other HIS and IT systems (upgrades, patches, fixes) on a timely basis to match security standards • Managed device policies and limited network access for systems, users, and vendors, in particular holding vendors to similar system access requirements as internal users • Align systems tied to vendor instrumentation to regular operating system, server, and software maintenance, even if the vendors do not require upgrades for system use • Integrate cybersecurity language into vendor contracts to ensure systems are updated per modern security standards |
| ȃDeterrence | Increases the effort an attacker needs to succeed, making the target opportunity less attractive • Strong password practices/passphrases • Multifactor authentication • Encrypting data in transit and at rest • Strong network security (multiple firewalls) |
| ȃDeflection | Redirects an attacker’s efforts to another target • Honeypots, i.e., attractive, nonproduction system (targets) for hackers that fool them/lead them down a blind alley • Monitoring and deflecting traffic on unused network ports/services |
| Reactive controls | Identification, tracking and response to cybersecurity incidents/attacks after they occur |
| ȃDetection | Real-time notifications or documentation showing an incident has occurred • Intrusion detection systems • Logging systems to provide documentation of incident events, helpful in recovering from and preventing future attacks • Email spam filters • Scheduled antivirus and malware scans |
| ȃMitigation | Controls that reduce the impact or a cyberattack • Network segmentation, splits networks up based on use so hackers don’t get access to all of an organization’s network at one time (e.g., clinical vs research networks) • Restricting administrator privileges on endpoint devices |
| ȃRecovery | Reverses the effects of an attack as soon as possible to resume normal operations • Off-site/cloud backups to restore affected systems • Preplanned documentation in the event of an attack, including incident response plans, information system contingency plans continuity of operations plans, and disaster recovery plans • Regular (at least annual) active cyberattack response practice (simulations) by laboratory staff, in conjunction with IT and information security staff, to ensure all are familiar with extended downtime policies, processes, and documentation |
| Control type . | Definition/examples . |
|---|---|
| Proactive controls | Preemptive identification and mitigation of an organization’s security weaknesses through policies, procedures, training, and active processes to identify threats and vulnerabilities before they occur |
| ȃPreventive | Ensure attacks against a target are not possible or not successful. • Establishment of a cybersecurity culture and program (training, education, funding) • Active protection of networks, servers, and software applications (preemptive vulnerability detection, ethical hacking) • Regular maintenance of the EHR, LIS, and other HIS and IT systems (upgrades, patches, fixes) on a timely basis to match security standards • Managed device policies and limited network access for systems, users, and vendors, in particular holding vendors to similar system access requirements as internal users • Align systems tied to vendor instrumentation to regular operating system, server, and software maintenance, even if the vendors do not require upgrades for system use • Integrate cybersecurity language into vendor contracts to ensure systems are updated per modern security standards |
| ȃDeterrence | Increases the effort an attacker needs to succeed, making the target opportunity less attractive • Strong password practices/passphrases • Multifactor authentication • Encrypting data in transit and at rest • Strong network security (multiple firewalls) |
| ȃDeflection | Redirects an attacker’s efforts to another target • Honeypots, i.e., attractive, nonproduction system (targets) for hackers that fool them/lead them down a blind alley • Monitoring and deflecting traffic on unused network ports/services |
| Reactive controls | Identification, tracking and response to cybersecurity incidents/attacks after they occur |
| ȃDetection | Real-time notifications or documentation showing an incident has occurred • Intrusion detection systems • Logging systems to provide documentation of incident events, helpful in recovering from and preventing future attacks • Email spam filters • Scheduled antivirus and malware scans |
| ȃMitigation | Controls that reduce the impact or a cyberattack • Network segmentation, splits networks up based on use so hackers don’t get access to all of an organization’s network at one time (e.g., clinical vs research networks) • Restricting administrator privileges on endpoint devices |
| ȃRecovery | Reverses the effects of an attack as soon as possible to resume normal operations • Off-site/cloud backups to restore affected systems • Preplanned documentation in the event of an attack, including incident response plans, information system contingency plans continuity of operations plans, and disaster recovery plans • Regular (at least annual) active cyberattack response practice (simulations) by laboratory staff, in conjunction with IT and information security staff, to ensure all are familiar with extended downtime policies, processes, and documentation |
Proactive vs reactive information security controls.
| Control type . | Definition/examples . |
|---|---|
| Proactive controls | Preemptive identification and mitigation of an organization’s security weaknesses through policies, procedures, training, and active processes to identify threats and vulnerabilities before they occur |
| ȃPreventive | Ensure attacks against a target are not possible or not successful. • Establishment of a cybersecurity culture and program (training, education, funding) • Active protection of networks, servers, and software applications (preemptive vulnerability detection, ethical hacking) • Regular maintenance of the EHR, LIS, and other HIS and IT systems (upgrades, patches, fixes) on a timely basis to match security standards • Managed device policies and limited network access for systems, users, and vendors, in particular holding vendors to similar system access requirements as internal users • Align systems tied to vendor instrumentation to regular operating system, server, and software maintenance, even if the vendors do not require upgrades for system use • Integrate cybersecurity language into vendor contracts to ensure systems are updated per modern security standards |
| ȃDeterrence | Increases the effort an attacker needs to succeed, making the target opportunity less attractive • Strong password practices/passphrases • Multifactor authentication • Encrypting data in transit and at rest • Strong network security (multiple firewalls) |
| ȃDeflection | Redirects an attacker’s efforts to another target • Honeypots, i.e., attractive, nonproduction system (targets) for hackers that fool them/lead them down a blind alley • Monitoring and deflecting traffic on unused network ports/services |
| Reactive controls | Identification, tracking and response to cybersecurity incidents/attacks after they occur |
| ȃDetection | Real-time notifications or documentation showing an incident has occurred • Intrusion detection systems • Logging systems to provide documentation of incident events, helpful in recovering from and preventing future attacks • Email spam filters • Scheduled antivirus and malware scans |
| ȃMitigation | Controls that reduce the impact or a cyberattack • Network segmentation, splits networks up based on use so hackers don’t get access to all of an organization’s network at one time (e.g., clinical vs research networks) • Restricting administrator privileges on endpoint devices |
| ȃRecovery | Reverses the effects of an attack as soon as possible to resume normal operations • Off-site/cloud backups to restore affected systems • Preplanned documentation in the event of an attack, including incident response plans, information system contingency plans continuity of operations plans, and disaster recovery plans • Regular (at least annual) active cyberattack response practice (simulations) by laboratory staff, in conjunction with IT and information security staff, to ensure all are familiar with extended downtime policies, processes, and documentation |
| Control type . | Definition/examples . |
|---|---|
| Proactive controls | Preemptive identification and mitigation of an organization’s security weaknesses through policies, procedures, training, and active processes to identify threats and vulnerabilities before they occur |
| ȃPreventive | Ensure attacks against a target are not possible or not successful. • Establishment of a cybersecurity culture and program (training, education, funding) • Active protection of networks, servers, and software applications (preemptive vulnerability detection, ethical hacking) • Regular maintenance of the EHR, LIS, and other HIS and IT systems (upgrades, patches, fixes) on a timely basis to match security standards • Managed device policies and limited network access for systems, users, and vendors, in particular holding vendors to similar system access requirements as internal users • Align systems tied to vendor instrumentation to regular operating system, server, and software maintenance, even if the vendors do not require upgrades for system use • Integrate cybersecurity language into vendor contracts to ensure systems are updated per modern security standards |
| ȃDeterrence | Increases the effort an attacker needs to succeed, making the target opportunity less attractive • Strong password practices/passphrases • Multifactor authentication • Encrypting data in transit and at rest • Strong network security (multiple firewalls) |
| ȃDeflection | Redirects an attacker’s efforts to another target • Honeypots, i.e., attractive, nonproduction system (targets) for hackers that fool them/lead them down a blind alley • Monitoring and deflecting traffic on unused network ports/services |
| Reactive controls | Identification, tracking and response to cybersecurity incidents/attacks after they occur |
| ȃDetection | Real-time notifications or documentation showing an incident has occurred • Intrusion detection systems • Logging systems to provide documentation of incident events, helpful in recovering from and preventing future attacks • Email spam filters • Scheduled antivirus and malware scans |
| ȃMitigation | Controls that reduce the impact or a cyberattack • Network segmentation, splits networks up based on use so hackers don’t get access to all of an organization’s network at one time (e.g., clinical vs research networks) • Restricting administrator privileges on endpoint devices |
| ȃRecovery | Reverses the effects of an attack as soon as possible to resume normal operations • Off-site/cloud backups to restore affected systems • Preplanned documentation in the event of an attack, including incident response plans, information system contingency plans continuity of operations plans, and disaster recovery plans • Regular (at least annual) active cyberattack response practice (simulations) by laboratory staff, in conjunction with IT and information security staff, to ensure all are familiar with extended downtime policies, processes, and documentation |
As mentioned before, information assurance involves protecting information and information systems by ensuring their availability, integrity, authentication, authorization, confidentiality, and nonrepudiation (see Table 1), in addition to providing institutional measures to protect, detect, and react against cybersecurity threats, assess risk, and plan for eventual data and information system loss and restoration ( 21, 48). While a full discussion of each information assurance component is not possible here, a couple of points are worth mentioning, in particular gaining unauthorized access to systems, information security strategies, and cybersecurity frameworks.
As noted in the introductory scenario, phishing is the one of the primary vectors used today to trick users into providing their authentication information to malicious agents, i.e., verification of who you are (typically through login credentials). This is especially true given the rise of elaborate social engineering techniques, which ultimately create low-hanging fruit for potential hackers vs having them expend significant effort “cracking” your password ( 49, 50). These techniques are designed to exploit vulnerabilities in human nature by automating trial-and-error “brute force” techniques to decrypt commonly used passwords (date-of-birth, children/pet names, “admin,” and “password”) or by leveraging login credentials reused throughout multiple sites ( 49–52). Amplified password complexity dramatically increases the time needed to brute force decrypt a password ( 53). Hackers stealing “hashed” (scrambled) passwords from websites may crack these passwords through compiling all keyboard character combinations and hashing these combinations themselves until a match is found. A 10-character, complex password (using a combination of numbers, upper/lowercase letters, and symbols) can be cracked anywhere between 5 months (using cloud computing resources) to 5 years (using a modern graphics card) with freely available hashing software ( 53). With the addition of just one more character, an estimated 34–400 years can be added to the process. Conversely, a simple 10-character, numbers-only password (like a phone number) can be cracked instantly by cloud computing or graphics card alike ( 53). Likewise, “dictionary attacks” targeting lists of passwords from past data breaches can quickly crack common passwords; one large online compilation contains nearly 1.5 billion passwords and yes, odds are good one of your login/password combinations is contained within ( 54).
Given these password issues, authentication strategies have undergone significant scrutiny and changes recently. One of the most common proactive deterrent security controls used today is multifactor authentication, which uses something you know (your password) combined with something you have (your phone, an app, email account, or physical token) and/or something you are (fingerprint, facial recognition, retina scan), to confirm your identity (see Table 4). Further, frequent mandatory password expirations are no longer required by all organizations given user propensity to choose shorter, weaker passwords when forced to change them often ( 55). In fact, longer passphrases (e.g., Cybersecur1tyreviewsR@wes0me!) are now typically preferred over shorter passwords, although not all login processes have adapted their character requirements to allow for passphrases ( 56). One new exciting proposition that has the promise of leading us to a potential “passwordless future” is FIDO (fast identity online) Alliance open authentication sign-in standards ( 57). Through FIDO, you will soon be able to store an encrypted FIDO credential, or passkey, on your personal phone/device that securely unlocks all participating accounts on your phone, or even a neighboring device (tablet, PC, smart TV), once the personal device itself is securely unlocked ( 58). To date, 3 of the largest technology companies (Apple, Google, and Microsoft) have all committed to implementing FIDO sign-in standards on their devices, with Apple most recently announcing full FIDO passkey compatibility in their iOS 16 mobile operating system ( 59).
Strengthening authentication strategies to use multiple factors or enable interoperable encrypted passkeys show how modern information assurance strategies are transitioning away from older models. Traditionally, information security used variations of the “castle-and-moat” model ( Fig. 1B, top) that concentrated the bulk of cybersecurity defenses and controls, e.g., firewalls and intrusion detection/prevention systems, into a strong network security perimeter (moat) with the goal of keeping out malicious agents from the inner networks (castle) ( 60). Users gain access to the organization’s networks via secure pathways, such as using managed devices on-site or externally connecting through a VPN. This approach enables data accessibility through a layered framework, with users granted increasing levels of “trust” to gain access to the innermost layers of the network and the data contained within. Unfortunately, the castle-and-moat model’s most significant constraint is its intrinsic vulnerability to internal attacks and insider threats (both intentional and unintended), especially once a malicious attack has managed to overcome the outer-layer defenses and gains the proverbial “keys to the kingdom” ( 60). Email and network servers have become the number 1 entry point for healthcare data breaches, with most organizations penetrated by Trojan Horses that employees themselves usher inside the fortress ( 61, 62). Database servers without passwords and user/machine accounts with weak/no passwords are the most common reasons for these attacks ( 62).
Given the inherent internal risks associated with the castle-and-moat types of model, information assurance strategies now focus instead on zero-trust security principles. The notion of implicitly trusting all layers beyond a network perimeter is disrupted by zero-trust architecture, as the concept of a security perimeter within this framework is nonexistent—as the name implies, the primary assumption is that no one can be trusted ( 63). Zero-trust security models presume risks are present both inside and outside the organization and therefore verify all incoming connections and source controls throughout all layers of a network. Many HCOs have taken this approach over the past few years, with users/devices now having to authenticate themselves when accessing practically every application within the organization. Although still not infallible to end-user errors, zero-trust networks embrace an approach to the modern interconnected healthcare landscape that traditional castle-and-moat systems increasingly shy away from.
No matter the information assurance strategy used, HCOs are most often infiltrated via exploitation of their weakest link, their employees, and other end-users ( 64–67). Studies have reported that HCO cybersecurity breaches are associated with reduced employee cybersecurity awareness, with analysis strongly suggesting human error to be among the most common inciting factors for security incidents in hospitals ( 66, 67). Investigations have reported that medical professionals (including laboratory professionals!) lack sufficient training in cybersecurity, with a lack of cybersecurity culture often cited as a significant factor impacting the adoption of proactive involvement in organization-level training and policy adherence ( 68–71). Only after efforts examining attitudes, behaviors, knowledge, and awareness of common cybersecurity risks and threats to protected information systems/assets can a holistic approach to healthcare personnel cybersecurity be developed ( 72–76). Ultimately, all organization stakeholders, including clinical laboratory directors, pathologists, managers, and staff, must work together to create and maintain a strong information assurance culture, one that establishes good cybersecurity practices and hygiene throughout both the labs and the institution.
Finally, it is worth mentioning that regulatory and standards working groups have developed certifications and standards useful for guiding development of a robust cybersecurity framework (see Table 5). For example, the NIST cybersecurity framework is frequently used by organizations, focusing on the identification, protection, detection, response, and recovery of key, risk-based attributes ( 77). This comprehensive outline is based on international standards, serving as a living document shaped from the perspectives of academic, private, and public sectors, and is adaptable to an array of technologies, lifecycle phases, arenas, and uses.
Information assurance associated regulatory and standards groups.
| Acronym . | Working group name . | Key distinction . |
|---|---|---|
| HIPAA | Health Insurance Portability and Accountability Act of 1996 | Federal law requiring the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge |
| HITRUST | Health Information Trust Alliance | A certifiable framework providing global organizations a comprehensive, flexible, and efficient approach to regulatory/standards compliance and risk management; serves as a way to demonstrate HIPAA Compliance; note that lab vendors can become HITRUST certified |
| H-CISSP | HealthCare Information Security and Privacy Practitioner | Certification for an individual to demonstrate their knowledge of best practices for security and privacy controls of a healthcare organization |
| CSA | Cloud Security Alliance | Similar to H-CISSP, but with a focus on cloud-based security practices |
| NIST | National Institute of Standards and Technology | NIST authors the HIPAA Security Rule, which safeguards electronic PHI, and the Computer Resource Security Center (CRSC) |
| ISO/IEC 27001 | International Organization for Standardization | Dozens of international standards designed to provide requirements for an information security management system |
| SOC2 Type 2 | Service Organization Control | An audit on how well a cloud-based service provider handles sensitive information |
| Acronym . | Working group name . | Key distinction . |
|---|---|---|
| HIPAA | Health Insurance Portability and Accountability Act of 1996 | Federal law requiring the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge |
| HITRUST | Health Information Trust Alliance | A certifiable framework providing global organizations a comprehensive, flexible, and efficient approach to regulatory/standards compliance and risk management; serves as a way to demonstrate HIPAA Compliance; note that lab vendors can become HITRUST certified |
| H-CISSP | HealthCare Information Security and Privacy Practitioner | Certification for an individual to demonstrate their knowledge of best practices for security and privacy controls of a healthcare organization |
| CSA | Cloud Security Alliance | Similar to H-CISSP, but with a focus on cloud-based security practices |
| NIST | National Institute of Standards and Technology | NIST authors the HIPAA Security Rule, which safeguards electronic PHI, and the Computer Resource Security Center (CRSC) |
| ISO/IEC 27001 | International Organization for Standardization | Dozens of international standards designed to provide requirements for an information security management system |
| SOC2 Type 2 | Service Organization Control | An audit on how well a cloud-based service provider handles sensitive information |
Information assurance associated regulatory and standards groups.
| Acronym . | Working group name . | Key distinction . |
|---|---|---|
| HIPAA | Health Insurance Portability and Accountability Act of 1996 | Federal law requiring the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge |
| HITRUST | Health Information Trust Alliance | A certifiable framework providing global organizations a comprehensive, flexible, and efficient approach to regulatory/standards compliance and risk management; serves as a way to demonstrate HIPAA Compliance; note that lab vendors can become HITRUST certified |
| H-CISSP | HealthCare Information Security and Privacy Practitioner | Certification for an individual to demonstrate their knowledge of best practices for security and privacy controls of a healthcare organization |
| CSA | Cloud Security Alliance | Similar to H-CISSP, but with a focus on cloud-based security practices |
| NIST | National Institute of Standards and Technology | NIST authors the HIPAA Security Rule, which safeguards electronic PHI, and the Computer Resource Security Center (CRSC) |
| ISO/IEC 27001 | International Organization for Standardization | Dozens of international standards designed to provide requirements for an information security management system |
| SOC2 Type 2 | Service Organization Control | An audit on how well a cloud-based service provider handles sensitive information |
| Acronym . | Working group name . | Key distinction . |
|---|---|---|
| HIPAA | Health Insurance Portability and Accountability Act of 1996 | Federal law requiring the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge |
| HITRUST | Health Information Trust Alliance | A certifiable framework providing global organizations a comprehensive, flexible, and efficient approach to regulatory/standards compliance and risk management; serves as a way to demonstrate HIPAA Compliance; note that lab vendors can become HITRUST certified |
| H-CISSP | HealthCare Information Security and Privacy Practitioner | Certification for an individual to demonstrate their knowledge of best practices for security and privacy controls of a healthcare organization |
| CSA | Cloud Security Alliance | Similar to H-CISSP, but with a focus on cloud-based security practices |
| NIST | National Institute of Standards and Technology | NIST authors the HIPAA Security Rule, which safeguards electronic PHI, and the Computer Resource Security Center (CRSC) |
| ISO/IEC 27001 | International Organization for Standardization | Dozens of international standards designed to provide requirements for an information security management system |
| SOC2 Type 2 | Service Organization Control | An audit on how well a cloud-based service provider handles sensitive information |
In the past, the LIS was considered by most as a “best of breed” solution, giving clinical laboratories the luxury of being able to operate when other HISs were down, even if those systems had to send orders via paper requisitions. While third-party LIS installs are still common in HCOs, integrated EHR-based LIS modules implementations are on the rise. This trend, along with increased interconnectedness of all HISs, now means any cyberattack induced downtimes almost certainly will affect the clinical laboratories, and most likely in a significant to catastrophic way ( 2–6). Therefore, clinical laboratories must operate on the assumption of WHEN, not if, a cyberattack will affect their operations.
Complete shutdown of all HCO IT systems and services, i.e., “total downtime” scenarios, have traditionally been off an organization’s radar since incidents levying this level of disruptive magnitude were both difficult to comprehend/prepare for and, prior to the last 5 years, unprecedented in nature. Besides participating in active cybersecurity education and training for laboratory staff, the primary way a clinical laboratory can prepare for the inevitable cybersecurity incident is to fully embrace the creation of robust incident response, information system contingency, continuity of operations, and disaster recovery plans for each laboratory/section (see Table 4). For clinical laboratories associated with hospitals and larger HCOs, these plans should be coordinated with institutional cybersecurity incident response plans since most IT functions necessary for recovering networks, servers, databases, and applications will not be in the hands of laboratory staff, with priority given to previously defined critical patient care processes ( 78).
Given hospital and laboratory regulations for downtime procedures only require these protocols to exist without specifying their content, clinical laboratory leadership must take the initiative to familiarize their laboratories with the cybersecurity and information assurance information presented before. Cybersecurity downtimes can affect institutions for days to weeks, with these time periods quickly exhausting the temporary downtime measure most laboratories have in place today. Unfortunately, publications such as this one only begin to scratch the surface of what can be done to prepare for a cyberattack—for this reason we have included additional supplemental materials in the form of 5 comprehensive tables to help laboratories better understand cybersecurity threats and to help with their preparations (see Supplemental Tables 1–5 in the online Data Supplement).
Finally, we must stress that communication and managing expectations for staff and clinical partners is key when discussing cybersecurity preparations ( 5). Coordination with hospital departments, administration, support services, outreach/reference lab clients, vendors, and central/lab IT groups regarding what will be possible vs impossible during extended downtimes should make up a large part of your preparations. Critical functions, laboratory instrumentation, workflows, and information systems must be prioritized in the hierarchy of operations for re-establishment following a crisis so less-critical or deferrable functions may be triaged accordingly and granted longer allowances for recovery time. Successful continuity planning should then be tested and practiced on a regular basis, with groups working through their plans to ensure both relative completeness and staff familiarity with these new procedures.
Technological improvements have pushed the boundaries of what healthcare can achieve, with advancements in interoperability and artificial intelligence paving the way for even higher quality patient care. To ensure this success continues, hospitals and clinical laboratories must learn the new language of cybersecurity and information assurance to better protect their clinical and business operations, their data, and, most importantly, their patients.
Supplementary material is available at The Journal of Applied Laboratory Medicine online.
Nonstandard Abbreviations: VPN, virtual private network; HISs, health information systems; PHI, protected health information; EHR, electronic health record; LIS, laboratory information system; IoT, internet of things; HCO, healthcare organization; FIDO, fast identity online; PACS, Picture Archiving and Communications System.
Author Contributions:All authors confirmed they have contributed to the intellectual content of this paper and have met the following 4 requirements: (a) significant contributions to the conception and design, acquisition of data, or analysis and interpretation of data; (b) drafting or revising the article for intellectual content; (c) final approval of the published article; and (d) agreement to be accountable for all aspects of the article thus ensuring that questions related to the accuracy or integrity of any part of the article are appropriately investigated and resolved.
Authors’ Disclosures or Potential Conflicts of Interest:No authors declared any potential conflicts of interest.
