Labs Must Audit Their Cybersecurity Measures

During 2022, five labs reported data breaches; two cases involved more than 300,000 patients

CEO SUMMARY: While clinical laboratory managers and pathologists are aware of the risks of a data breach, they often assume that related protection measures are working as needed. That is a mistake. With the cost of healthcare data breaches on the rise, it is vitally important for labs and hospitals to ensure that their defenses are operating properly. 

SINCE THE BEGINNING OF THE YEAR, the Department of Health and Human Services’ Office of Civil Rights has posted five lab data breaches. Each affected more than 500 lab customers, and two of them impacted more than 300,000 patients each. Those numbers alone should capture the attention of laboratory managers and pathologists.

All five of the breaches involved a network intrusion, according to the government. But it is likely they all started with missteps by an employee within the lab, said Ben Denkers, Chief Innovation Officer at CynergisTek, a cybersecurity firm based in Austin, Texas.

“The way that computer network environments work today, users are acknowledged as the weakest link and offer the most potential for access to a hacker,” Denkers told The Dark Report. 

Denkers advised clinical lab leaders to ask their IT colleagues about how the organization’s security measures are tested because lapses in this regard can lead to a false sense of protection. 

Data breaches cost labs not only money to fix security holes and to pay for credit monitoring for victims, but also lost reputation and lost business.

A network attack is an attempt by a cybercriminal to gain unauthorized access to computing devices that contain and exchange data within a company. The information may be on individual devices or on servers. However, network attacks are often only possible after a hacker enters a system through an endpoint, such as an employee’s email inbox.

Network Attack Explained

“It’s important to understand that while the network server itself might have ultimately been the target, that doesn’t necessarily mean that it was compromised first,” Denkers explained. “Phishing is a perfect example of a way an attacker could first gain access to a workstation, and then from there move laterally to a server.”

Phishing refers to attempts by a cybercriminal to convince a user to give the intruder access, such as by providing a link that the user clicks. Once opened, the link executes a program that seeks ways into the network.

Ben Denkers, Chief Innovation Officer at CynergisTek

It is possible for an attacker to initially target a network without going through email, Denkers added. For example, if a server is on a public network or isn’t configured properly, a cybercriminal may be able to directly enter the server.

While training employees is important for cybersecurity because it aims at changing human behavior, laboratories and other healthcare organizations also need to audit the technological measures they have in place to protect data. Too often, that latter step is not taken, perhaps because labs and other healthcare entities are overconfident, Denkers said.

“What we find is that organizations have security technology or processes in place that are either not effective or not working as designed,” he commented. 

“They’ve installed a firewall or antivirus software at an endpoint. But how do they know it’s effective? Sometimes software isn’t installed correctly. Other problems can be due to lack of monitoring technology,” he added. 

“For example, maybe a short-staffed lab doesn’t have a designated person to monitor whether a software vendor has recommended installing a security patch,” he continued. “At that point, organizations have an even bigger risk, because they think they’ve handled those issues by implementing technologies, but in reality, they haven’t handled the issues.” 

Complete Blindside

“So, it’s a complete blindside for a lot of organizations that think they have protections in place because they bought a product, or they developed a policy,” he added.

Regardless of whether a clinical laboratory or an anatomic pathology practice has suffered a data breach, clinical and operations leaders should work with their IT counterparts to verify that technology and processes are actually protecting patient data.

“Testing, validating, and auditing whether measures are working as designed is a change of mentality for a lot of organizations,” Denkers said. “I would recommend taking those steps.”
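Denkers' distinction between having bought a control and having a control that works as designed is easy to turn into a concrete check. The following script is an added example, not code from The Dark Report or CynergisTek: it audits a small set of constructed endpoint records for the failure modes named above (antivirus installed but with stale signatures, an agent that has stopped reporting to its console, pending critical patches with no designated person monitoring vendor advisories, a disabled firewall). The record fields, date thresholds and sample values are assumptions chosen for illustration; a real audit would pull them from the organization's endpoint-management and patch consoles.

```python
"""Control-effectiveness audit: separates "control present" from "control working".

Added example; endpoint records, field names and thresholds are constructed
for illustration and are not from the article or any product.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class Endpoint:
    name: str
    firewall_enabled: bool
    av_installed: bool
    av_signature_date: Optional[date]   # None: no signature update ever recorded
    av_last_heartbeat: Optional[date]   # last check-in to the AV console
    pending_critical_patches: int
    patch_owner: Optional[str]          # person assigned to track vendor advisories

AS_OF = date(2022, 9, 1)                # constructed audit date
MAX_SIGNATURE_AGE = timedelta(days=7)   # assumed tolerance for signature freshness
MAX_HEARTBEAT_AGE = timedelta(days=3)   # assumed tolerance for console check-ins

def audit_endpoint(ep: Endpoint, as_of: date = AS_OF) -> List[str]:
    """Return the findings for one endpoint; an empty list means all checks passed."""
    findings: List[str] = []
    if not ep.firewall_enabled:
        findings.append("firewall disabled")
    if not ep.av_installed:
        findings.append("antivirus not installed")
    else:
        # Installed is not the same as effective: signatures must be current and
        # the agent must still be reporting, otherwise nobody would notice a failure.
        if ep.av_signature_date is None or as_of - ep.av_signature_date > MAX_SIGNATURE_AGE:
            findings.append("antivirus installed but signatures stale")
        if ep.av_last_heartbeat is None or as_of - ep.av_last_heartbeat > MAX_HEARTBEAT_AGE:
            findings.append("antivirus agent not reporting to console (unmonitored)")
    if ep.pending_critical_patches > 0:
        findings.append(f"{ep.pending_critical_patches} critical patch(es) pending")
    if ep.patch_owner is None:
        findings.append("no designated patch-monitoring owner")
    return findings

def audit_fleet(endpoints: List[Endpoint], as_of: date = AS_OF) -> Dict[str, List[str]]:
    """Map each endpoint name to its list of findings."""
    return {ep.name: audit_endpoint(ep, as_of) for ep in endpoints}

def summarize(endpoints: List[Endpoint], as_of: date = AS_OF) -> Dict[str, int]:
    """Count endpoints where AV is merely present versus actually effective."""
    results = audit_fleet(endpoints, as_of)
    av_present = sum(1 for ep in endpoints if ep.av_installed)
    av_effective = sum(
        1 for ep in endpoints
        if ep.av_installed and not any("antivirus" in f for f in results[ep.name])
    )
    clean = sum(1 for f in results.values() if not f)
    return {
        "endpoints": len(endpoints),
        "av_present": av_present,
        "av_effective": av_effective,
        "fully_passing": clean,
    }

# Constructed sample inventory (not real systems).
SAMPLE_FLEET = [
    Endpoint("lab-ws-01", True, True, date(2022, 8, 31), date(2022, 8, 31), 0, "it-ops"),
    Endpoint("lab-ws-02", True, True, date(2022, 6, 15), None, 2, None),
    Endpoint("lis-srv-01", False, False, None, None, 0, "it-ops"),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
    print(summarize(SAMPLE_FLEET))
```

The summary is the number to bring to the conversation Denkers recommends: on the sample fleet two of three machines "have antivirus", but only one is actually protected and monitored, which is exactly the gap between a purchased product and a working control.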

The costs of not doing so are significant. IBM revealed in its “Cost of a Data Breach Report 2022” that an average data breach sets a healthcare organization back by $10.1 million. That’s up $1 million from IBM’s 2021 report—a worrisome number given how financially strapped many labs and hospitals are. Those costs can include forensic work, audits, crisis management activities, lost business, and notification efforts, IBM noted.

Security Problem

Ransomware attacks can also cost organizations tens of thousands of dollars if they choose to pay criminals to unlock the files that have been taken hostage. (See TDR, “All Labs Are Threatened by Encryption, Ransomware,” Sept. 7, 2021.)

A report published in August by Comparitech indicated that medical data breaches accounted for 342 million leaked patient records in the U.S. from 2009 through June 2022. Comparitech is a cybersecurity research and product testing company in Kent, U.K. Among the top five patient data breaches noted by Comparitech were incidents at Optum360 and Labcorp.

Optum360’s breach occurred from August 2018 to March 2019, during which hackers accessed personal and financial information from 11.5 million lab records. Also in 2019, Labcorp had 10.2 million records hacked during an attack.

In both cases, the companies contracted certain billing activities to outside vendor American Medical Collection Agency (AMCA) in Elmhurst, N.Y. Labcorp and Optum360 terminated their contracts after the breaches. (See TDR, “BRLI, Labcorp, Quest Disclose Data Breaches of 20 Million Patients,” June 10, 2019.)

AMCA eventually sought bankruptcy protection. In March 2021, AMCA settled with Attorneys General in 42 states over investigations into the data breaches. The states contended AMCA had been warned about flaws in its data security systems but did not take steps to fix them.

Possible $21 Million Penalty 

As part of the settlement, AMCA agreed to create a more comprehensive information security program and hire a chief information security officer. The states held back on penalizing the company $21 million due to its financial woes at the time.

Contact Ben Denkers at

HIPAA Governs PHI Breach Reporting

STATES HAVE VARIOUS REQUIREMENTS FOR DATA BREACHES, but when those security lapses involve personal health information the federal Health Insurance Portability and Accountability Act (HIPAA) comes into play. 

Under HIPAA, covered entities—defined as healthcare providers that transmit data electronically—must take certain steps following a breach involving personal health information. Those steps include: 

  • Notify affected individuals by postal mail or email within 60 days of the breach’s discovery.
  • In incidents affecting more than 500 people in a state or jurisdiction, notify prominent media outlets in that state or jurisdiction within 60 days of the breach’s discovery. The notification will likely be through a press release.
  • In incidents affecting more than 500 people, notify the U.S. Secretary of Health and Human Services within 60 days.

Laboratory Data Breaches Reported in 2022

HEALTHCARE DATA BREACHES ARE TRACKED by the Health and Human Services’ Office of Civil Rights. It maintains a list of healthcare data breaches that it is investigating. 

The list is fairly general, offering the names of hospitals, labs, and other healthcare entities that suffered breaches and the type of incidents that occurred. The following lab entries are on the list for 2022: 

  • Bako Diagnostics in Alpharetta, Ga. (25,745 individuals affected.)
  • CSI Laboratories in Alpharetta, Ga. (312,000 individuals affected.)
  • Laboratorio Clínico Toleda, Arecibo, P.R. (500 individuals affected.)
  • Laboratorio Clínico Caparros, Utuado, P.R. (500 individuals affected.)
  • Molecular Pathology Laboratory Network (MPLN), Maryville, Tenn. (339,741 individuals affected.)

Details about the two largest cases, CSI and MPLN, showed that sensitive patient data was accessed in the cyberattacks.

“CSI determined that an unauthorized intruder acquired certain files from CSI’s systems, including documents that may have contained patient information,” the company wrote in a March 25 press release.

“Some of the impacted files contained very limited patient information,” CSI noted. “Some impacted files contained more information, including patient name, date of birth, address, medical record number, and health insurance information. None of the files contained Social Security numbers or financial account information.”

On July 6, MPLN concluded a review into its breach and noted the vast array of information that was accessed in some instances. That information included financial data, Social Security and driver’s license numbers, diagnostic test and treatment records, and prescriptions.

A public relations firm hired by CSI in the wake of the breach did not provide further information when asked by The Dark Report. The CEOs of Bako Diagnostics and Molecular Pathology Laboratory Network did not return requests for comment. Contact information for executives at the two labs in Puerto Rico could not be found.


