EFLM Task Force Preparation of Labs for Emergencies (TF-PLE) recommendations for reinforcing cyber-security and managing cyber-attacks in medical laboratories

Cyber-attacks and the healthcare

Cyber-attacks can be conventionally defined as deliberate and malicious attempts to penetrate the information systems of individuals or organizations to gain unauthorized access, disrupt operations, and steal, manipulate, or destroy information by full-time, well-trained, well-equipped, and even well-funded cyber-terrorists [1]. Healthcare systems are a prime target for cyber-attacks due to the sensitivity of information (personal and medical data) and the need for continuity of care, whose interruption or delay may jeopardize patient health [2].

The number of cyber-attacks on healthcare facilities has seen an almost exponential increase over the past 15 years. According to HIPAA (Health Insurance Portability and Accountability Act), the number of healthcare data breaches involving more than 500 records in the US has increased from 18 in 2009 to 512 in 2019, 663 in 2020, 715 in 2021, 720 in 2022 and 741 in 2023, to already 333 cases in 2024 (as of June 21) [3]. Accordingly, the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) reported a 2.8-fold and 2.4-fold increase in ransomware attacks and hacking-related data breaches between the beginning of 2018 and the end of 2023, respectively [3].

There are many different types of cyber-attacks that can affect the healthcare industry, but the most common malware inoculation is based on ransomware, distributed denial of service (DDoS), Trojans, spyware, rootkits, botnets, and medical device hijacking, among others [4, 5]. In brief, ransomware infects systems and files and makes them virtually inaccessible to users (e.g., by locking or encrypting data) unless a ransom is paid, but also slows down various critical processes or renders them completely unusable. DDoS attacks aim to flood the attacked host or network with a huge amount of traffic until the system is completely inoperable, thus blocking access to the network for receiving or sending emails, accessing patient records and other information, issuing prescriptions, delivering therapies, and organizing the function of the entire facility (i.e., operating rooms, bed availability, etc.); this malware is also occasionally used to spread other cyber threats (e.g., ransomware). Trojans, which are often spread via malicious emails or the downloading of programs, apps, or software patches, once they have infiltrated the system, permit the cyber-terrorists to perform any actions that legitimate users would make, such as using files, changing information, or even modifying the contents of the device. Spyware is used to steal login credentials, patient information, and other sensitive data. Rootkits transmit malicious payloads into the healthcare facility, resulting in prolonged exposure and manipulation of vulnerabilities. Botnets infect the system and then affect the functioning of various types of devices such as cameras and routers, but can also be used to make the system more vulnerable to DDoS attacks. Medical device hijacking is another type of cyber-attack that primarily aims to disrupt the function of a vast array of medical devices, and is also an efficient gateway for subsequent cyber-attacks.

Among the various cyber threats, ransomware represent perhaps the most effective and escalating malware used to attack the healthcare sector [6], due to the critical nature of healthcare facilities (a disruption can have immediate and severe consequences for patient care), the valuable data they contain (e.g., personal information, clinical and laboratory data), the high vulnerability due to myriad of gateways (personal access and medical devices are easy entry points for cyber-terrorists), the often outdated systems and infrastructure, and the lack of efficient cyber-security resources [7]. According to a recent report published in the HIPAA journal, more than half of US healthcare organizations spend less than 10 % of their information technology (IT) budget on cyber-security, with 53 % and 46 % of organizations admitting to lack local expertise and IT staff, respectively. Even more concerning is the fact that nearly two-thirds of healthcare IT professionals reported that their organization is vulnerable to business email compromise/spoofing phishing. This is not surprising, as a recent study showed that in a simulated phishing campaign, 14.2 % of spoofed emails were actually clicked on by healthcare workers [8]. These findings are also reflected in the results of a recent survey of emergency managers representing nearly 60 healthcare facilities in the US [9], showing that American hospitals appear to be inadequately prepared for cyber-terrorism.

Cyber-attacks and the laboratory

Medical laboratories can be especially vulnerable to cyber-attacks for several reasons [5, 10]. First, they have a high degree of IT, computerization and digital technologies [11, 12]. For example, the normal functioning of most laboratory processes and activities depends on the availability of computerized physician order-entry (COPD), bidirectional connection of instruments to the laboratory information system (LIS) to streamline specimen processing and data management, autoverification rules, generation of digital files containing test results, etc. The shutdown of hospital servers and networks will almost completely disrupt the flow of information between the hospital information system (HIS) and the LIS or even within the LIS itself (including instrument connectivity), resulting in interruption of normal operations.

A recent survey conducted by the Task Force Preparation of Labs for Emergencies (TF-PLE) of the European Federation of Clinical Chemistry and Laboratory Medicine (EFLM) highlighted several critical problems and potential failures in European laboratories [13], such as insufficient familiarity with the strategies used by cyber-criminals to penetrate the systems, lack of adequate information on cyber-security from hospital administrations or IT services, suboptimal use of multi-factor identification for remote connections, sporadic transfer of HIS or LIS servers to the cloud (where they would be less vulnerable to cyber-attacks), and the widespread lack of incident response plans, both for the laboratory and for the entire healthcare facility.

Given that cyber-attacks can have a significant impact on the normal operation of laboratory services, and at the express request of the majority (over 80 %) of respondents to the recent EFLM TF-PLE survey [13], the TF-PLE has recognized the need to provide some general guidance that can help medical laboratories be less vulnerable and better prepared for the dramatic circumstance of a disruptive cyber-attack.

Strategies for providing indications

The indications were developed with a “consensus approach”. In brief, a questionnaire covering the most important aspects of cyber-security and disaster recovery was administered by Google Forms (Google, Mountain View, CA, USA) to all official and corresponding members of the EFLM TF-PLE, with a specific deadline for receipt of responses (i.e., 10 days). All members were asked to indicate the strength of the recommendation with a numerical value, as shown in Table 1, or to indicate the preferred choice among various options (if applicable). The numerical data of all responses were pooled and the mean and standard deviation (SD) of all replies were calculated. The final rating of the recommendations was classified as follows (Table 1): mean value between 4.50 and 5.00, “strongly recommended”; mean value between 3.50 and 4.49, “recommended”; mean value between 2.50 and 3.49, “neutral”; mean value between 1.50 and 2.49, “discouraged”; mean value between 1.00 and 1.49, “strongly discouraged”.

Operative recommendations

Responses to the survey were received from 10/10 (100 %) full members and 8/11 (73 %) corresponding members of the EFLM TF-PLE (total: 18/21; 86 %). The summary of the recommendations issued by the panel for preventing and ultimately mitigating the harm caused by cyber-attacks in clinical laboratories is summarized in Table 2. The mean score (±SD) is presented along with the corresponding strength of the recommendation, to provide a more comprehensive representation of the individual propensities for each of the items. Each recommendation that could be categorized as “strongly recommended” or “recommended” was officially endorsed by the panel.

General recommendations for instrument programming and test results reporting

The panel believes that manual programming of instruments with dual control (i.e., one operator enters the data, a second operator checks the accuracy) is advisable and that an “Emergency Lab Report”, stored in the “Emergency Folder” on the computers in the laboratory (which can thus be accessed and printed even if the network fails), must be prepared in advance and should include the patient’s first and last name, date of birth, sex, medical number, requesting ward, the telephone of the ward (and eventually the fax number), name of the test (with its standard abbreviation), the blank field for entering test results, units of measurement for each test, general reference range (but preferably also age- and sex-specific reference ranges) for each test. An example of “Emergency Lab Report” developed using Microsoft Excel (and therefore can be edited and saved multiple times with patient’s name, times and dates) is shown in Figure 1. This format would also allow the development of several queries in Excel to update the reference ranges according to the date of birth and sex of the patient (when available). The entry of test results should be double-checked (i.e. one staff member enters the data, and a second operator checks the accuracy). The advantage of this form is that it can also be used in the event of other system failures that are not directly related to cyber-attacks.

Figure 1:

Example of “Emergency Lab Report” developed using Microsoft Excel.

Conclusions

Cyber-crime continues to evolve and cyber-terrorism against healthcare organizations is increasing dramatically due to the growing IT dependency of modern healthcare, of which laboratory medicine is a paradigmatic example. We sincerely hope that the list of recommendations issued by an expert panel of the EFLM TF-PLE could be useful for all medical laboratories to prevent and ultimately mitigate the possible harm caused by the increasing wave of cyber-attacks in the healthcare sector [14].