Stories about healthcare institutions having their computer systems hacked and patient data compromised seem to be on the rise, but research laboratories are not immune. As cyberattacks increase, there are a few simple steps to make sure your research stays secure.
Since the start of the pandemic, cyberattacks have become a bigger threat to hospitals and health systems as attacks on these institutions are on the rise. The time to be aware of what you and your institution should do to protect your assets is yesterday.
Cybercrime is an increasing problem for both businesses and individuals. In a release issued in March, the FBI reported that, overall, internet crime is up 7% since early 2020. Phishing email attacks had the biggest impact on businesses in 2021, with financial losses of more than $2.3 billion, according to the report.
A few notorious examples of such attacks on health institutions include:
- In February, Georgia-based Cytometry Specialists, Inc., also known as CSI Laboratories, discovered a cyberattack had partially disrupted the cancer testing lab’s information systems. Cybercriminals acquired files containing patient information, including names, birth dates, medical record numbers, health insurance information, and case numbers.
- Spokane Regional Health District discovered in April that it had fallen victim to the second phishing email attack in three months after an employee once again responded to a phishing email. In the first attack, Spokane Regional Health disclosed that the breach allowed the release of 1260 patients’ data.
- In October 2020, staff at the University of Vermont Medical Center lost access to their computers, leading the IT staff to locate a file with instructions to contact the alleged perpetrators of the cyberattack. The center instead chose to lock down email, internet, and major parts of the organization’s computer network to stop further damage — causing UVM employees to lose use of electronic health records, payroll programs, and other digital tools for almost one month. The interruptions cost an estimated $50 million in lost revenue, even though the medical center never paid a ransom fee.
In its “2020 HIMSS Healthcare Cybersecurity Survey,” HIMSS (Healthcare Information and Management Systems Society) reported that 70% of survey respondents said their organization experienced “significant incidents in the past 12 months.” Phishing attacks were the highest security incident with 57% of respondents reporting an incident.
Lee Kim, senior principal of cybersecurity and privacy at HIMSS, says cyberattacks should be a significant concern for scientists and researchers in medical labs in the U.S.
“A significant risk is the theft of intellectual property, which may include trade secrets and patentable inventions, and other kinds of research data and sensitive data,” Kim says. “Traditionally, research institutions have a culture of sharing and helping others, so ensuring confidentiality and all-around good security have not always been top of mind.”
According to the HIMSS survey, financial information is what is most sought after in cyberattacks, but “threat actors,” the term used for cybercriminals, typically go after three types of information: financial, employee, and patient information. All three have high value on the dark web.
Phishing being the most common type of incident, HIMSS reported that email was the initial point of compromise in 89% of incidents. Those numbers should alarm any lab researcher or manager who uses email on lab computers.
Kim says the good news is that institutions have recently become more aware of cybercrime, and both leaders and IT professionals are making the investments needed to protect their institutions’ systems.
“More institutions are implementing data loss prevention, encryption, multi-factor authentication and other measures to ensure greater confidentiality and integrity of data,” Kim adds.
Cybersecurity experts offer the following advice to universities or healthcare institutions about handling their computer systems and email usage to avoid falling victim:
Be suspicious of emails. “Do not assume that you can click on any link or attachment that arrives in your inbox,” says Kim. “Ransomware and other types of malware are frequently distributed by phishing emails. If something looks suspicious or fishy (no pun intended), don’t open the email, click on any links, or open any attachments. Follow your organization’s protocol to report the suspected phishing email to the appropriate point of contact, such as your helpdesk team.”
Be aware of insiders. “Insider threat, whether negligent or malicious, is always a risk at any organization,” Kim says. Theft of intellectual property and other data may therefore result from a negligent or malicious insider, not just from an external cyberattack. The insider need only have trusted access, so the person may be an employee, a contractor, or any other third party with such access.
Conduct regular security awareness training. Anyone with access to your system needs to be aware of cyber threats and your IT staff should implement a robust email security solution. “Ideally, the email security solution should accurately detect, contain, and/or mitigate these threats and should be paired with the most up-to-date and accurate threat intelligence,” Kim says.
Keep phishing statistics. Which staffers fail the phishing tests, and who are the repeat offenders? “You may want to spend extra time with these individuals in terms of awareness training and ensuring that appropriate controls are in place, such as email isolation,” Kim advises.
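As an added illustration of the record-keeping Kim recommends (example code, not from the article or HIMSS), the script below tallies constructed phishing-simulation results per user, flags repeat offenders, and maps each user to the follow-up the article describes. The record format, user names and the two-failure threshold are assumptions.

```python
# Added example: tally phishing-simulation results so repeat offenders can be
# routed to extra awareness training and controls such as email isolation.
# Record layout, user names and thresholds are constructed assumptions.
from collections import defaultdict

# Constructed sample data: one row per recipient per simulation campaign.
# "clicked" = opened the simulated link/attachment (a failure);
# "reported" = forwarded the email to the helpdesk, per the organisation's protocol.
SIM_RESULTS = [
    {"campaign": "2022-Q1", "user": "a.smith", "clicked": False, "reported": True},
    {"campaign": "2022-Q1", "user": "b.jones", "clicked": True,  "reported": False},
    {"campaign": "2022-Q1", "user": "c.lee",   "clicked": True,  "reported": False},
    {"campaign": "2022-Q2", "user": "a.smith", "clicked": False, "reported": True},
    {"campaign": "2022-Q2", "user": "b.jones", "clicked": True,  "reported": False},
    {"campaign": "2022-Q2", "user": "c.lee",   "clicked": False, "reported": True},
    {"campaign": "2022-Q3", "user": "b.jones", "clicked": True,  "reported": True},
    {"campaign": "2022-Q3", "user": "c.lee",   "clicked": False, "reported": False},
]

def summarize(results):
    """Per-user counts of campaigns received, failures (clicks) and reports."""
    stats = defaultdict(lambda: {"campaigns": 0, "failures": 0, "reports": 0})
    for row in results:
        s = stats[row["user"]]
        s["campaigns"] += 1
        s["failures"] += int(row["clicked"])
        s["reports"] += int(row["reported"])
    return dict(stats)

def repeat_offenders(stats, threshold=2):
    """Users who failed at least `threshold` simulations, worst first."""
    return sorted((u for u, s in stats.items() if s["failures"] >= threshold),
                  key=lambda u: (-stats[u]["failures"], u))

def recommend(stats, user, threshold=2):
    """Map a user's record to the follow-up action the article suggests."""
    s = stats[user]
    if s["failures"] >= threshold:
        return "targeted awareness training + email isolation"  # repeat offender
    if s["failures"] == 1:
        return "refresher training"
    return "none"

def failure_rate(results):
    """Share of simulated emails that were clicked, as an organisation-wide metric."""
    return sum(r["clicked"] for r in results) / len(results)

if __name__ == "__main__":
    stats = summarize(SIM_RESULTS)
    for user in sorted(stats):
        print(user, stats[user], "->", recommend(stats, user))
    print("repeat offenders:", repeat_offenders(stats), "click rate:", failure_rate(SIM_RESULTS))
```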
- Shaw is a freelance writer based in Carmel, Ind. She is a regular contributor to Endocrine News.