By Christopher Casper | March 23, 2022
Clinical laboratories face new security challenges that could force them to choose between LIS/LIMS system flexibility and data security. The federal budget bill signed by President Biden on March 11 includes aggressive cybersecurity provisions. Healthcare and other critical infrastructure sectors must now report any cyberattacks and ransomware payments to the Department of Homeland Security (DHS).
Until last week, HIPAA and HITECH allowed a 60-day window for reporting breaches impacting at least 500 people and an annual deadline for smaller breaches. With the new law, compromised organizations must report all breaches within 72 hours and ransomware payments within 24 hours.
Unless laboratories are careful, responding to these new requirements and growing cybersecurity threats could have unfortunate side effects. Physicians depend on labs for rapid, accurate diagnoses in order to produce positive patient outcomes. Clinical labs need to be agile and responsive to deliver the best service. Anything that disrupts workflows undermines the clinical lab’s mission — and ultimately patients’ care.
Fortunately, labs do not have to choose between security and flexibility. The right laboratory information management system (LIMS) gives laboratory managers the control they need while optimizing lab performance.
Threats facing America’s medical infrastructure
While Russia’s invasion of Ukraine — and the resulting threat of cyberattacks — drove legislators’ actions, the United States’ medical infrastructure has been under assault for years. Some recent events highlight the dangers:
Bako Diagnostics is a CLIA and CAP certified laboratory in Georgia that specializes in anatomic pathology and serves 7,500 physicians across the United States. In late December 2021, the company noticed suspicious activity on its network. A hacker had been roaming the laboratory’s systems for a week and exfiltrated the personal information of more than 25,000 people.
A ransomware attack hit Nationwide Laboratory Services in May 2021. Now a unit of Quest Diagnostics, the lab provided clinical diagnostics testing as well as clinical trial coordination and management. Protected health information (PHI) of more than 33,000 patients was affected. After a three-month forensic investigation, the lab reported that the attackers removed data from the laboratory’s systems.
The threat to laboratories’ protected health information may not come from direct attacks. A July 2021 security breach at business services provider Morley Companies led to a ransomware attack and exposed employee and customer records. Because Morley Companies is a Business Associate to Covered Entities under HIPAA, the firm reported the breach in February 2022. Hackers may have had access to PHI from 521,000 people.
Morley Companies’ breach, the largest reported to the Department of Health and Human Services (HHS) in February, was just one of 45 reports of security breaches that month impacting more than 1,500,000 people. According to an HHS review of ransomware attacks through the first half of 2021, cybercriminals struck 48 organizations in the US healthcare sector. In at least 72 percent of those incidents, hackers stole data ranging from screenshots to unsecured PHI.
The threat is real and could strike any lab at any time. Clearly, the need to protect PHI, clients’ proprietary data and employee records requires stepped-up security.
Keeping sensitive laboratory data secure
CLIA, ISO/IEC 17025 and other laboratory accreditations focus on the quality of a laboratory’s practice. When it comes to cybersecurity, however, HIPAA and HITECH provide the framework for developing appropriate PHI protections. The HIPAA Security Rule, for example, requires:
Appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
These safeguards include the technologies used to protect networks and IT systems as well as the procedures for implementing those technologies. HIPAA’s Security Rule calls out two areas for particular attention: information access management and information access control.
Information access management
Information access management is an administrative safeguard that defines who may access what systems and data. These policies should limit access strictly to what each employee, contractor or other third party needs to do their job. This approach is called “least privilege access” in the cybersecurity world. Should hackers compromise an employee’s computer or login password, least privilege access policies keep them from getting full access to a lab’s networked systems.
Too often, access is assigned on an individual, ad hoc basis. People get more access as they move from team to team, and their old access is never taken away. Without systematic access management policies, access levels in user accounts grow over time and expose the lab to more risk from stolen logins.
HIPAA-compliant laboratories’ information access management policies replace ad hoc access with policies based on people’s roles. Workers’ access needs change as they get new assignments, transfer within the organization or get promoted. Role-based policies make it easier to add and remove access while limiting laboratories’ exposure during cyberattacks.
Information access control
Information access control is a technical safeguard that covers the systems laboratories use to protect PHI. This standard is technology-neutral and could cover laboratory information systems, instrumentation, network hardware and the network structure itself. HIPAA offers four specifications to guide labs in developing access control systems:
- Unique user identification – Systems and policies should not allow shared or generic accounts. Requiring unique logins makes it easier to detect unusual activity or audit systems after an attack.
- Emergency access procedures – Policies should guide lab employees on who may access which systems when events such as power failures or public health emergencies prevent access to the lab.
- Automatic logoff – System sign-ins should never be open-ended. Rather than relying on employees to log off manually, for example, sessions should end automatically after a period of inactivity.
- Encryption – Keeping all data encrypted keeps hackers from reading the data they steal. Because PHI encrypted according to HHS guidance cannot be read without the keys, HIPAA and HITECH consider such data secured and, as long as the keys were not also compromised, not subject to breach notification rules. The new DHS reporting requirements, however, still apply.
Security concerns beyond HIPAA
Employee and customer records may not fall under HIPAA and HITECH regulations, but their theft could have serious repercussions. Security breaches that steal employee bank account numbers and other personal information undermine employee morale and retention.
Laboratories that support clinical trials cannot afford to lose clients’ data. This highly sensitive proprietary information is subject to non-disclosure agreements and other confidentiality requirements. The legal and business fallout from a serious breach could be quite damaging.
Rigid security makes clinical diagnostics labs less flexible
Cyber threats, PHI protection and the business implications of data breaches make tight security controls essential. Taking security efforts too far, however, can undermine a laboratory’s performance. Labs operate in a constantly changing healthcare market. They need flexible processes and systems to adapt quickly to those changes. Labs must also be responsive to physicians and patients, delivering consistently accurate results with rapid turnaround times.
Laboratories must share information with people outside the organization. Physicians and patients need status updates on their orders and quick delivery of test results. Depending on the laboratory’s testing services, regular reports may have to be filed with local, state, tribal or federal agencies.
As security systems make data more difficult to access, external communication becomes more difficult and less responsive. Labs may submit late regulatory filings. Patients may be stuck calling during business hours — and waiting on hold while front-end staff tries to get their information.
Testing and operational efficiency
Employees and contractors must have access to the data they need to work effectively. Throughout the day, lab technicians may be accessioning specimens or managing assays. Administrators may update patient records, generate reports or issue invoices.
Making workers wait for a supervisor’s authorization or juggle multiple VPN logins interrupts workflows, increases downtime and reduces productivity.
New ways to work
Work-from-home and bring-your-own-device (BYOD) policies kept many laboratories up and running during the COVID-19 pandemic. These new ways of working won’t go away. Employees like the conveniences of working from home — the commute is more reasonable and it helps with work/life balance. In addition, BYOD policies can reduce a lab’s IT expenses while making employees more mobile.
New ways of working require laboratories to have flexible security policies. Employees need access to data even though they are not in the lab or using laboratory-owned devices. Forbidding off-site access or the use of personal devices chains workers to the lab. Employee retention and recruitment will suffer in the long term.
Optimize Security and Flexibility with a Clinical Diagnostic LIMS
Laboratories do not need to choose between security and flexibility — they are not mutually exclusive. What laboratories do need is an informatics solution that optimizes security and flexibility. When LabLynx, Inc. introduced ELab LIMS more than twenty years ago, we pioneered the browser-based laboratory information management system. For the first time, workers could access data from anywhere in the lab with a LAN or WiFi connection. Today, that access extends beyond the laboratory walls as ELab LIMS has become a cloud-native informatics platform.
While making laboratory data more accessible, ELab LIMS for Healthcare also provides robust, HIPAA-compliant features for protecting and securing PHI. We created this special configuration of our informatics platform to meet the unique needs of medical laboratories like yours. Security features in ELab LIMS for Healthcare protect your lab’s data without compromising flexibility:
Auditing and chain of custody
Enabling the logging features in ELab LIMS lets you audit user activity and track specimen chain-of-custody throughout your lab. Traditionally, these tools let lab managers monitor employee performance and help support compliance with regulations such as 21 CFR Part 11.
These features also play a cybersecurity role. They cannot stop an attack, but they can help with the response. Audit trails and chain-of-custody records can speed your post-attack forensic investigation by showing which accounts were used to move or change data in the LIMS.
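As an added illustration of how an audit trail supports the response described above (hypothetical code written for this article, not ELab LIMS code), the script below parses a constructed tab-separated audit log, lists which accounts changed or exported records during an incident window, and flags write actions that came from outside the assumed lab network (`10.0.` prefix) or outside assumed business hours (07:00–19:00 UTC). The log format, account names and addresses are all constructed for the example.

```python
"""Post-incident triage of a LIMS audit trail (illustrative, not ELab LIMS code).

The log format below is constructed for this example: one event per line,
tab-separated fields of timestamp, user id, action, record type, record id, source IP.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit log (not real data).
SAMPLE_AUDIT_LOG = """\
2022-03-10T08:02:11Z\tjdoe\tVIEW\tspecimen\tS-1001\t10.0.4.15
2022-03-10T08:05:40Z\tjdoe\tUPDATE\tspecimen\tS-1001\t10.0.4.15
2022-03-10T09:15:02Z\tmlee\tVIEW\tpatient\tP-5530\t10.0.4.22
2022-03-11T02:14:09Z\tmlee\tEXPORT\tpatient\tP-5530\t203.0.113.9
2022-03-11T02:14:31Z\tmlee\tEXPORT\tpatient\tP-5531\t203.0.113.9
2022-03-11T02:15:05Z\tmlee\tEXPORT\tpatient\tP-5532\t203.0.113.9
2022-03-11T07:58:44Z\trwong\tUPDATE\tresult\tR-9901\t10.0.4.30
"""

# Actions that move or change data; VIEW is read-only and excluded.
WRITE_ACTIONS = {"UPDATE", "DELETE", "EXPORT"}


def parse_audit_log(text):
    """Turn the raw log text into a list of event dicts with UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, rtype, rid, ip = line.split("\t")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "action": action, "type": rtype, "id": rid, "ip": ip,
        })
    return events


def accounts_that_changed_data(events, start, end):
    """Map each account to the (action, type, id) records it modified or exported in [start, end]."""
    touched = defaultdict(set)
    for e in events:
        if start <= e["ts"] <= end and e["action"] in WRITE_ACTIONS:
            touched[e["user"]].add((e["action"], e["type"], e["id"]))
    return dict(touched)


def flag_anomalies(events, trusted_prefix="10.0.", business_hours=(7, 19)):
    """Write actions that look unusual even for an authorised account.

    trusted_prefix and business_hours are assumptions for the example; a real
    lab would take them from its own network plan and shift schedule.
    """
    flagged = []
    for e in events:
        reasons = []
        if not e["ip"].startswith(trusted_prefix):
            reasons.append("external-ip")
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            reasons.append("off-hours")
        if reasons and e["action"] in WRITE_ACTIONS:
            flagged.append((e["user"], e["action"], e["id"], reasons))
    return flagged


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    start = datetime(2022, 3, 11, tzinfo=timezone.utc)
    end = datetime(2022, 3, 11, 23, 59, 59, tzinfo=timezone.utc)
    print(accounts_that_changed_data(evs, start, end))
    print(flag_anomalies(evs))
```

The value of the unique-user-ID requirement shows up here: because every event carries an individual login, the exports from an external address at 02:14 can be attributed to one account rather than to a shared "lab" login, which is what lets the investigation scope the affected records quickly.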
Granular access control
ELab LIMS for Healthcare supports the assignment of granular rules to control what employees and contractors can access. Users will see only the data fields, screens and menu structures they are authorized for. Managing these fine-grained access rules is quick and seamless through simple administrative screens.
Some of the ways you can tailor access to your lab’s ELab LIMS include:
- Role-based access – Create clearly-defined roles that share common access needs. Then assign each individual to the roles they perform. Role-based access in ELab LIMS dramatically reduces the data your staff can access while letting everyone get the information they need to do their jobs.
- Context-based access – You can limit people’s access based on where they work — either physically or organizationally. If your lab has multiple sites or sends employees to customer locations, you can set different access rules for people at each site. In addition, you can limit access by department. These context-sensitive rules can also support your lab’s work-from-home policies.
- Qualification-based access – Limit your lab’s technicians, physicians and scientists to the instruments and assays they are properly certified for. Besides improving data integrity, these restrictions narrow the exposure of compromised accounts.
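To make the access-control ideas in this article concrete, here is an added, hypothetical policy evaluator (written for this post, not ELab LIMS code and not its API). It combines the HIPAA specifications listed earlier (unique user identification, an emergency-access flag, automatic logoff) with the three rule types just described (role-, context- and qualification-based). The role table, the 15-minute idle timeout, the list of generic account names and the sample users are all assumptions for the example.

```python
"""Illustrative access-control policy evaluator for a clinical LIMS.

Hypothetical code written for this article; not ELab LIMS and not its API.
Checks run in the order: unique user id -> automatic logoff -> role ->
context (site, department) -> qualification (instrument certification).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

IDLE_TIMEOUT = timedelta(minutes=15)                         # assumed automatic-logoff period
SHARED_ACCOUNT_NAMES = {"admin", "lab", "shared", "guest"}   # assumed generic logins to reject

# Role -> set of (resource type, action) permissions. Constructed for this example.
ROLE_PERMISSIONS = {
    "technician": {("specimen", "accession"), ("assay", "run"), ("result", "view")},
    "pathologist": {("result", "view"), ("result", "sign"), ("patient", "view")},
    "billing": {("invoice", "create"), ("patient", "view_demographics")},
}


@dataclass
class User:
    user_id: str
    roles: set
    site: str
    department: str
    certifications: set = field(default_factory=set)   # instruments/assays the user is certified for


@dataclass
class Session:
    user: User
    last_activity: datetime


@dataclass
class Request:
    resource_type: str
    action: str
    site: str
    department: str
    instrument: Optional[str] = None   # when set, the user must hold a matching certification


def validate_user_id(user_id):
    """Unique user identification: reject empty, generic or shared account names."""
    return user_id.strip() != "" and user_id.lower() not in SHARED_ACCOUNT_NAMES


def session_expired(session, now):
    """Automatic logoff: a session idle longer than IDLE_TIMEOUT is no longer valid."""
    return now - session.last_activity > IDLE_TIMEOUT


def authorize(session, req, now, emergency=False):
    """Return (allowed, reason). The emergency flag relaxes only the site check,
    standing in for a lab's documented emergency-access procedure (an assumption)."""
    if not validate_user_id(session.user.user_id):
        return False, "shared or generic account"
    if session_expired(session, now):
        return False, "session expired (automatic logoff)"
    user = session.user
    perm = (req.resource_type, req.action)
    # Role-based: at least one of the user's roles must grant the action.
    if not any(perm in ROLE_PERMISSIONS.get(role, set()) for role in user.roles):
        return False, "role does not grant this action"
    # Context-based: physical site and organisational department must match.
    if req.site != user.site and not emergency:
        return False, "wrong site"
    if req.department != user.department:
        return False, "wrong department"
    # Qualification-based: instrument work needs a certification on file.
    if req.instrument is not None and req.instrument not in user.certifications:
        return False, "not certified for instrument"
    session.last_activity = now   # successful access keeps the session alive
    return True, "ok"


if __name__ == "__main__":
    now = datetime(2022, 3, 11, 9, 0, tzinfo=timezone.utc)
    tech = User("asmith", {"technician"}, "atlanta", "histology", {"HAL-1"})
    sess = Session(tech, now - timedelta(minutes=5))
    print(authorize(sess, Request("assay", "run", "atlanta", "histology", "HAL-1"), now))
    print(authorize(sess, Request("result", "sign", "atlanta", "histology"), now))
```

Each denial names the rule that fired, which is what an administrator needs when tuning roles, and each check narrows what a stolen credential can reach: a compromised technician login still cannot sign results, work from another site, or drive an instrument the account is not certified for.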
Encrypted data storage and transfer
LabLynx uses state-of-the-art encryption technology to secure your lab’s data in a cloud infrastructure certified to the highest SSAE SOC 2 standards. From the perspective of HIPAA and HITECH compliance, the PHI encrypted in ELab LIMS’s cloud storage may be considered “secured” and not subject to HHS notification rules. DHS rules still apply.
Encryption also applies in transit. ELab LIMS uses the secure HTTPS protocol and Transport Layer Security encryption to display data in a user’s browser. Even if hackers intercept a device’s WiFi transmissions, the data will be unreadable. Encrypted transport makes it easier for your lab to support flexible BYOD and work-from-anywhere policies.
LabLynx security experts monitor this cloud infrastructure continuously for potential security threats. We back up databases hourly and the entire system daily. Our IT team works around the clock to ensure your ELab LIMS remains secure.
ELab LIMS for Healthcare Makes Your Lab Flexible and Secure
Cybersecurity requires constant vigilance. Ransomware and state-sanctioned hacking pose a particular threat to clinical laboratories and other healthcare institutions that must protect patients’ PHI. Security and compliance efforts may push labs to adopt policies that interfere with day-to-day operations. However, security and flexibility are not mutually exclusive.
We designed ELab LIMS for Healthcare to meet the unique challenges of clinical laboratory practice. Our LIMS integrates with and supports your lab’s HIPAA and HITECH compliance efforts thanks to features including:
- State-of-the-art encryption
- Secure PHI cloud storage
- Protected data display
- Granular access control
- Activity logging and auditing
These features, combined with the ELab LIMS platform’s deep configurability, keep sensitive data secure while making your lab more flexible and responsive to physicians and patients.