Contributing lab leaders: Bill O’Connell
As if the pressures facing healthcare organizations weren’t already enough, the frequency of cyberattacks on healthcare organizations globally is escalating and shows no signs of diminishing.
Given that healthcare organizations form part of the critical infrastructure of many countries, there is understandably increasing concern around Cybersecurity issues, particularly because attacks can have a direct impact on patients through delayed or unavailable care. A recent attack on a provider of pathology services in London meant some hospital departments were unable to connect to the main server, which had a “major impact” on the delivery of services. Blood transfusions and test results were affected, operations were canceled, and emergency patients had to be diverted elsewhere.[2]
Bill O’Connell, Global Head of Product Security and Privacy, Roche Diagnostics, shares his views on what healthcare organizations, and labs, can do to guard against cyberattacks.
Q: In your opinion, why do cyberattacks frequently target the healthcare industry?
Bill O’Connell: Health delivery organizations (HDOs) deal with a massive amount of private patient data such as medical histories, treatment information, and financial information. They also hold a tremendous amount of employee data, including provider, contractor, staff, and vendor data. This level of information, combined with the way many organizations are set up, makes HDOs an attractive target to bad actors for a few reasons:
Firstly, HDOs are typically run with large internal networks that are very complex, and in some cases, due to legacy operational requirements, older network configurations must be maintained to support critical systems. Newer technologies, which could help limit or contain malware or incidents, are typically expensive and may be beyond the budget of small and medium-sized organizations. For example, in 2017 the National Health Service in the UK was brought to a standstill for several days, with thousands of appointments and operations canceled due to a ransomware attack. The attack exploited a vulnerability in the version of Microsoft Windows they were using, which was a 15-year-old Windows system, for which Microsoft had stopped providing security updates.[3,4]
Secondly, an HDO is a data-rich environment, meaning even a small-scale successful attack can provide the bad actor with a vast amount of private data that can be very lucrative on the dark web. This is because medical records are some of the most valuable assets for a bad actor, estimated to be worth $250 each compared to credit card numbers which sell for around $5, or US Social Security numbers which sell for as little as $1.[5]
Finally, a bad actor knows that patient safety and patient care are the utmost priorities for HDOs, and therefore the potential for ransomware/extortion payouts is greater. To ensure patients are not impacted, many HDO leaders will grudgingly pay the ransom to get their operations back up and running with the least operational patient impact. In February 2024, a massive breach of a large healthcare system's IT environment in the US affected payments and the filling of prescriptions. In order to end the system outage, the organization paid $22 million to the ransomware group responsible for the attack.[6]
Q: Within this context, do you believe labs are taking Cybersecurity seriously enough?
Bill O’Connell: Labs are very familiar with the concepts of confidentiality and integrity which are cornerstones of Cybersecurity and privacy. They are tasked with providing accurate, reliable, and consistent results for their organization so their staff can provide the best treatment in the shortest amount of time for their patients. Therefore they take any impact on patient safety very seriously.
The challenge is that they have to balance their Cybersecurity responsibilities with those of their IT department and the wider HDO, which are under increasing external pressure. Many global organizations, regulatory bodies, and country/regional governments are working on increasing the Cybersecurity requirements of HDOs through regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the US, and the General Data Protection Regulation (GDPR) in Europe.
One of the goals of these regulations is to provide strict development and operational frameworks to ensure that medical device manufacturers provide systems that are more impervious to Cybersecurity issues. Medical devices are seen as a particular area of vulnerability, so much so that the FBI issued an alert in 2022 to highlight that unpatched and outdated medical devices provide cyber-attack opportunities.[7]
As the conversation turns towards lab-based medical devices, the challenge is the security risk impact on clinicians’ ability to provide patient care. Lab leaders must be present in Cybersecurity and privacy conversations to ensure they speak for patient safety and the lab's operational, regulatory, accreditation, and legal requirements.
Q: What are some best practices that labs can adopt to reinforce their Cybersecurity and privacy?
Bill O’Connell: There are a few key areas that labs can look at when it comes to Cybersecurity:
Collaboration: Ensure the lab has a solid relationship with its in-house Cybersecurity team. Cybersecurity is a shared responsibility, and everyone involved needs to work together and stay informed about the latest standards, trends, risks, and technologies.
Segmentation: Isolate and segment everything. Lab-based devices absolutely do not need general access to the internet and communication should be limited. They should be locked down to specific, mutually agreed-upon, internal IP addresses, and specifically detailed internet-based IP addresses.
Zero-trust policies: Operate under a zero-trust methodology to bolster system security. This means assuming that any step in a process could be compromised, allowing only essential communication, and verifying all connectivity usage and operational requirements before trusting. Remember - verify first, then trust!
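As an added example, not part of the interview and not Roche's or any HDO's tooling, the following Python script turns the segmentation and zero-trust points above into a checkable, default-deny policy for one lab device: internal destinations are limited to a mutually agreed list, internet destinations must be individually enumerated hosts, and every other connection is reported. The device name, addresses and flow-log lines are constructed for illustration; the DevicePolicy, evaluate and audit names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# One allow-list entry: destination network (CIDR), destination port, protocol.
Entry = Tuple[str, int, str]


@dataclass
class DevicePolicy:
    """Default-deny policy for one lab device, agreed between lab and IT (constructed)."""
    name: str
    address: str                    # the device's own address
    internal_networks: List[str]    # the HDO's internal address space
    internal_allow: List[Entry]     # agreed internal destinations
    external_allow: List[Entry]     # explicitly enumerated internet hosts (single /32 each)


@dataclass
class Flow:
    when: str
    src: str
    dst: str
    dport: int
    proto: str


def validate(policy: DevicePolicy) -> None:
    """Reject policies that open whole internet ranges instead of specific hosts."""
    for net, _port, _proto in policy.external_allow:
        if ipaddress.ip_network(net).num_addresses != 1:
            raise ValueError(f"{policy.name}: external entry {net} must be a single host")


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: '<timestamp> <src> <dst> <dport> <proto>'."""
    when, src, dst, dport, proto = line.split()
    return Flow(when, src, dst, int(dport), proto.lower())


def _matches(entries: List[Entry], dst: ipaddress.IPv4Address, dport: int, proto: str) -> bool:
    return any(
        dst in ipaddress.ip_network(net) and port == dport and p == proto
        for net, port, p in entries
    )


def evaluate(policy: DevicePolicy, flow: Flow) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one connection leaving the device."""
    if flow.src != policy.address:
        return "deny", "source is not the device this policy covers"
    dst = ipaddress.ip_address(flow.dst)
    if any(dst in ipaddress.ip_network(n) for n in policy.internal_networks):
        if _matches(policy.internal_allow, dst, flow.dport, flow.proto):
            return "allow", "agreed internal destination"
        return "deny", "internal destination/port not on the agreed list"
    # Anything outside the HDO's address space is the internet: explicit hosts only.
    if _matches(policy.external_allow, dst, flow.dport, flow.proto):
        return "allow", "explicitly approved internet destination"
    return "deny", "general internet access is not permitted"


def audit(policy: DevicePolicy, lines: List[str]) -> List[Tuple[str, str, int, str, str]]:
    """Return (when, dst, dport, proto, reason) for every flow the policy denies."""
    validate(policy)
    findings = []
    for line in lines:
        flow = parse_flow(line)
        verdict, reason = evaluate(policy, flow)
        if verdict == "deny":
            findings.append((flow.when, flow.dst, flow.dport, flow.proto, reason))
    return findings


# Constructed policy for a hypothetical analyzer; 203.0.113.40 is a documentation address.
ANALYZER = DevicePolicy(
    name="hematology-analyzer-01",
    address="10.20.5.15",
    internal_networks=["10.0.0.0/8"],
    internal_allow=[("10.20.30.0/24", 443, "tcp"),   # lab middleware
                    ("10.20.1.10/32", 53, "udp")],   # internal DNS
    external_allow=[("203.0.113.40/32", 443, "tcp")],  # vendor update service
)

# Constructed flow-log lines: timestamp, source, destination, destination port, protocol.
SAMPLE_LOG = [
    "2024-06-01T10:00:01Z 10.20.5.15 10.20.30.7 443 tcp",     # middleware: allowed
    "2024-06-01T10:00:02Z 10.20.5.15 10.20.1.10 53 udp",      # DNS: allowed
    "2024-06-01T10:00:03Z 10.20.5.15 10.20.30.7 22 tcp",      # wrong port: denied
    "2024-06-01T10:00:04Z 10.20.5.15 10.50.0.9 445 tcp",      # unlisted internal host: denied
    "2024-06-01T10:00:05Z 10.20.5.15 203.0.113.40 443 tcp",   # vendor host: allowed
    "2024-06-01T10:00:06Z 10.20.5.15 198.51.100.23 443 tcp",  # arbitrary internet: denied
    "2024-06-01T10:00:07Z 10.20.5.99 10.20.30.7 443 tcp",     # not this device: denied
]

if __name__ == "__main__":
    for finding in audit(ANALYZER, SAMPLE_LOG):
        print(*finding)
```

The same policy object can feed both directions of the control: the allow-list entries are what the firewall between the device segment and the rest of the network should implement, and the audit over exported flow logs is the "verify first" step that shows whether the deployed rules actually match what the lab and IT agreed.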
Q: What about external practices? What considerations need to be made in vendor partnerships?
Bill O’Connell: If healthcare organizations and medical device vendors do not work together on common sense mutual protections, the potential for an issue to impact the availability of a medical device can be greatly increased.
Vendors must therefore transcend the vendor role and become long-term partners, especially when it comes to newer technologies and understanding that new technologies will create new potential Cybersecurity threats. As systems or components migrate outside of the lab's controlled environment, deep conversations with vendors are required so it’s critical that vendors can speak Cybersecurity. The vendor must have experts with objective evidence to detail the breadth of their products' Cybersecurity and privacy protections, and additionally to guide how to implement this. The vendor must also demonstrate competence with vulnerability management, patching, and the other hot topics of the day to ensure they can be trusted partners.
Q: How do you see the future of Cybersecurity and privacy evolving in the lab?
Bill O’Connell: As the lab evolves, many components will be housed external to the HDO. As this evolution progresses, the lab, the HDO, and the vendor must all have educated individuals who can evolve with the technology and the patient safety conversation.
A few years ago, it was unheard of to connect to a resource outside the lab. Middleware was even installed and operated in a side portion of the clinical lab. Today, that same middleware may be housed in the lab, on the hospital network, or in a cloud-based location. Tomorrow's lab will even extend into the patient's home.
As technology moves the clinical devices into a more patient-centric location, labs will need to operate in a decentralized atmosphere utilizing cloud-based and remote technologies. Tomorrow's lab leaders must work with vendors and their internal Cybersecurity staff to ensure that security, privacy, and decentralization are all integral parts of the contract and the conversation so that these new technologies provide greater security and privacy, better value to the HDO, and better care to patients.