Cybersecurity goals

Feb. 26, 2024

This month, we published the results of our third annual State of the Industry survey on laboratory data analytics. Thank you to all who responded to this survey. As Stacia Sump, Global Product Director at Clinisys told our author, “Labs are generating more data across a variety of use cases (e.g., synoptic reporting, digital pathology, etc.) and technology has made this data more accessible for analysis.” Laboratories are analyzing data for many purposes including staffing needs, supply utilization, quality improvement initiatives, tracking testing costs, and patient care.

Respondents indicated that the top strategic IT priorities for their laboratories include infrastructure and platform development, a new laboratory information system (LIS), data analytics optimization to support lab management, and integration with the electronic health record (EHR) system. Other priorities include revenue cycle management optimization, a move to a cloud-based LIS, and cybersecurity. Technology is leading to improvements in patient outcomes, organizational expenditures, and staff time and resources, among other things. (This month’s Continuing Education article also describes many wonderful advances technology is bringing to healthcare!) However, the increased use of technology, such as EHRs and cloud-based systems, has a significant (and expensive) downside.

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights reported that over 134 million individuals were affected by large breaches in 2023, compared with 55 million in 2022. Hospitals and health systems have become the biggest target for cybersecurity attacks in recent years, largely because of the quantity of sensitive patient information they hold, such as social security numbers, names, dates of birth, addresses, diagnoses, and payment information. Most of this information is hard to change, unlike a stolen credit card number, so patient medical records command a higher price among identity thieves.

HHS recently published voluntary healthcare-specific cybersecurity performance goals to help organizations prioritize implementation of effective cybersecurity practices. The goals are separated into two categories: essential goals that outline minimum cybersecurity controls and enhanced goals that outline advanced cybersecurity controls. There are ten goals in each category as follows:

Essential goals:

  1. Mitigate known vulnerabilities
  2. Email security
  3. Multifactor authentication
  4. Basic cybersecurity training
  5. Strong encryption
  6. Revoke credentials for departing employees, contractors, volunteers
  7. Basic incident planning and preparedness
  8. Unique credentials
  9. Separate user and privileged accounts
  10. Vendor/supplier cybersecurity requirements

Enhanced goals:

  1. Asset inventory
  2. Third party vulnerability disclosure
  3. Third party incident reporting
  4. Cybersecurity testing
  5. Cybersecurity mitigation
  6. Detect and respond to relevant threats and tactics
  7. Network segmentation
  8. Centralized log collection
  9. Centralized incident planning and preparedness
  10. Configuration management

The full information on these cybersecurity performance goals can be accessed at https://hphcyber.hhs.gov/performance-goals.html. I hope this information serves as a helpful reminder that as more investments are made in IT, such as placing more data in the cloud, more investment in security will be needed.

I welcome your comments and questions — please send them to me at [email protected].