So hi, I'm Squitty. I'm based in the Midwest of the US and my talk is about security concerns of the medical laboratory. Next slide please. So who am I? I'm a health informatics graduate student at IU, focusing on health information security and medical device security. I'm also a medical laboratory scientist with some phlebotomy experience thrown in as well, but I managed to get off the bench and I'm currently working in laboratory informatics. This talk is going to be about things that I noticed during my first year in the medical laboratory that concerned me just a little bit, and things that I would personally like to see changed or see improvements on. I'm going to focus a bit more on bringing awareness to the field itself and on some physical security concerns more than anything. It's going to be part of a two-part talk. I hope to give the second part one of these days, but that one will focus more on data transmission between lab analyzers and the EHR system. Next slide please. So first, what is a medical laboratory scientist? A medical laboratory scientist, in short, performs diagnostic testing on patient samples in the medical lab. We ensure specimen quality, interpret test results, log test data and controls, and perform statistical analysis to verify the accuracy and repeatability of testing. We also work with laboratory instrumentation, or analyzers, to perform calibration, maintenance and validation, and to troubleshoot instrumentation. We might help providers select an appropriate test to run. We have more advanced education and training in areas like chemistry and biology, including microbiology, than some other health care workers like nurses, and we possess more of a scope of knowledge than someone who's more specialized in one area, like a microbiologist, would. So some of us are specialized in areas like micro or blood bank along with our core knowledge.
So when your sample is collected, let's say you go and get your blood drawn, the nurse or the phlebotomist will send your sample to us and from there we perform testing on your sample. Sometimes this is manual testing by hand and sometimes that testing involves laboratory instrumentation. Often it's a hybrid of both. These days the lab is mostly automated, but there are still some smaller clinical labs that don't utilize a lot of instrumentation, depending on their need. We're also responsible for issuing blood products for transfusions. According to the CDC, an estimated 70% of medical decisions are based on laboratory test results and 14 billion laboratory tests are ordered annually. Next slide please. So how are we regulated? The Centers for Medicare and Medicaid Services regulates all laboratory testing, except for research, performed on humans in the U.S. through CLIA, or the Clinical Laboratory Improvement Amendments, which regulate laboratory testing and require clinical laboratories to be certified by the CMS before they can accept human samples for diagnostic testing. The objective of CLIA is to ensure quality laboratory testing, and three federal agencies are responsible for CLIA: the CMS and the CDC. Each agency has a unique role in assuring laboratory quality testing, and I'll provide a link at the end with citations for a bit more information so that you can go and read a little bit more about how we're regulated, because it's very important information, but I think it's a little bit too lengthy for a 20-minute talk. Next slide please. So getting into the clinical laboratory and what kind of environment it is, there are multiple departments in a clinical laboratory, and these departments vary by the size of the clinical lab and the complexity of testing. For example, a laboratory at a major hospital will be made up of the following departments.
We have chemistry, where we perform thyroid and hormone level tests, things like potassium levels, lipid panels; immunology, for the study of immune products like antibodies produced by the body in response to foreign material; hematology and coag, where your blood count is done and your blood cell morphology is examined; microbiology, where we do some really cool stuff like culture samples for E. coli and salmonella, things like pseudomonas and C. diff; and blood bank, where we type your blood and issue blood products for transfusion. There's also going to be a processing and receiving department for samples coming into the lab. Next slide please. The lab is occupied by various medical professionals. First and foremost, we have medical or clinical laboratory scientists, also known as medical laboratory technologists, who perform complex laboratory testing. We'll perform exacting tests like molecular and genetic testing, and we also deal with samples that present unusual diagnostic challenges and select appropriate testing agents and methodologies for them. Becoming an MLS requires a four-year bachelor of science degree, part of which will be a clinical rotation in a hospital laboratory. Laboratory technicians are also supposed to perform routine testing in order to assist medical lab scientists and technologists in performing their duties. Theirs is typically a less comprehensive two-year program and there are certain tests they can't perform, but the truth of the matter is that sometimes they end up performing a lot of the same testing as we do, especially since there is a shortage of laboratory scientists. The other players in a lab are lab assistants, who can assist us in receiving samples and bringing them to the appropriate departments; phlebotomists, who perform blood draws for testing; senior techs and heads of departments; and the laboratory director. Next slide please.
So the key point here is that there are a lot of different workers in a lab working all at once and handling a large amount of patient data. Laboratory workers can also come and go, leave one lab and work in a different lab, but because there is a shortage at the moment, it's been difficult to keep labs appropriately staffed. Since there is such a shortage, employers are willing to hire techs who may be a little less qualified or still need a little bit more training. And because of the need for lab techs who can handle patient testing, new techs may have their training cut short a bit and may be thrown on the bench to handle testing a little earlier than usual, and so lack the training that some other techs would have received. So if we're looking at the appropriate handling of patient data, then right away there may be techs who lack that training or who didn't receive a full training schedule on handling patient information, and it can lead to mistakes being made. For example, a lot of the time cell phone use, especially for things like taking pictures, is only permitted under very specific circumstances in the lab or not at all. I've worked at places where some use is allowed, where only specific uses are allowed, or where phone usage is not permitted at all. And not every tech coming in is going to know that, or know that usage is limited to prevent an accidental breach of patient data. A busy lab and a shortage of staff means that techs have to be able to move between departments in a rapid fashion. We may put a sample down that we're working on and move to another department to complete a test, then come back, pick up that sample and continue where we left off. Even when it's best practice to sit down and finish a test to completion before moving on, sometimes it's just not possible. Sometimes, on third shift, there may only be two or three techs working all of the departments at once.
When we perform testing, we often result this testing in our laboratory information systems, such as Cerner, SoftLab, or Meditech. And to do this, we have to log into a computer to access the software, which brings us to the next part of the talk, which is the technology that resides in our lab: instrumentation and our LIS system. Next slide, please. There are a multitude of laboratory analyzers in use today. For example, if you've checked out the medical device lab at the Biohacking Village, you'll see the ID NOW, which is this middle picture on the bottom here, and that's used for point-of-care COVID testing. We have chemistry analyzers like the Vitros that run the cyro tests and arm panels. We have urinalysis analyzers like the Clinitek, analyzers for blood cultures, and analyzers in blood bank like the ORTHO VISION to perform our type and screens. All of these analyzers are going to interface a little differently. They'll be running on different operating systems and handle data differently. Each instrument may be from a different vendor. There may be older analyzers mixed in with brand new ones. For example, in my clinical rotation in 2021, we had a Stago coag analyzer running on DOS and, across the room, a brand new Vitros for chemistry. And this was at a major hospital. Next slide, please. These instruments send data to the laboratory information system, like Cerner, and sometimes techs may have to enter or verify test data there. Laboratory information system, or LIS, is used interchangeably with laboratory information management system, or LIMS, but an LIS is more patient based, whereas a laboratory information management system is typically more of a sample-based process. Next slide, please. When the information goes out of the LIS, it will go to a middleware like Cloverleaf to streamline the exchange of patient data between the LIS and the EHR patient record system, like Epic. There may also be a middleware used between the instrument itself and the LIS.
Middleware is often one step used to establish a web-based interface which can support all the standards, like ASTM, HL7 and DICOM, for data transfer from an analyzer. Each analyzer may use a different data transmission standard. A lot of analyzers still communicate using ASTM. Next slide, please. When examining security concerns or vulnerabilities in the medical laboratory, we have to worry about three things, or three areas. First, physical access to the laboratory computers or instrumentation. Second, the variation in instrumentation and how each one handles patient data, especially in terms of storing and transferring that data. Some older analyzers are built to store patient data on floppy disks or tapes still, though thankfully this is not typically done even when those analyzers are still used today. Third, simple human error. People may leave their computer terminal logged in. They may leave Epic open, which is used to view patient records. They may stay logged into the LIS on one computer and move to the next computer and log in there. They may take pictures and forget to obscure patient data. Next slide, please. In my almost a year and a half of walking around the clinical laboratory at different facilities, I noticed a whole lot. For example, a badge may be required to access a lab, but I've also noticed that if you are at least dressed like a healthcare worker and you knock at that lab door, someone's bound to let you in, since sometimes nurses and other workers will come down to the lab, either to grab blood products or to deliver samples. Sometimes we've had to move samples from one lab to another, and I'm not going to say where this was at. We've had people call in their relatives or non-healthcare workers to deliver samples that have patient information between the two laboratories. A password may be required to access computers and used to access patient data, but the same password is often used between computers, the network, the LIS, and the patient record system.
While a password change is usually required at least once every three months from what I've seen, there isn't always a restriction in place to prevent users from reusing an old password. There is a constant flow of techs in and out of the lab rotating between departments, often forgetting to log out of their computer or leaving the patient record system logged in, which means someone else could gain access to their session and grab data. There is physical access to computers with open USB ports and the ability to plug in devices like keyboards and mice that you bring from home without the device being screened first. There is also no camera surveillance in the lab, as surveillance can itself result in a HIPAA violation, but this also means that should patient data be accessed at a computer under one login, there isn't always a way to check who was sitting in that chair. Some people will clock out for lunch and go to the break room and then go back into the lab periodically to check a sample running on an analyzer, so the clock officially shows them on break, but they may in fact be in the lab handling samples. There may not always be an electronic trail of that. To me right now, with the current level of understanding, the biggest concern is of course, and always, human error. It's people leaving their session logged in, writing down passwords on sticky notes or using simple ones, sharing passwords; it's people forgetting to lock their machine despite being informed to do so; people using each other's badges to gain access to an analyzer and run a sample outside of their training sometimes as well. A lot of techs don't understand the severity of these actions, and I think one way we can fix this is to hold more informational sessions in the lab and focus not only on the fact that it's important to log out or lock your session, but also on what could happen if they don't and what the consequences could be for a patient and for the tech who left their session open.
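The session problems described above (a tech staying logged into the LIS on one computer and logging in on another, and nobody being able to tell afterwards who was sitting at a terminal) can at least be checked for after the fact when the LIS keeps a login audit log. The following is an added example, not code from the talk or from any real LIS: the log line format, user names and workstation names are constructed, and the script flags a user with overlapping sessions on two workstations and sessions that were never logged out.

```python
"""Session-hygiene checks over LIS login/logout audit events.

Added example: the audit log format below is an assumption, not any real
LIS format, and every event line is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: "<ISO timestamp> <LOGIN|LOGOUT> user=<id> host=<workstation>"
SAMPLE_LOG = """\
2023-08-11T06:58:10 LOGIN user=tech01 host=CHEM-WS1
2023-08-11T07:03:42 LOGIN user=tech02 host=HEME-WS2
2023-08-11T07:15:05 LOGIN user=tech01 host=MICRO-WS3
2023-08-11T07:20:11 LOGOUT user=tech02 host=HEME-WS2
2023-08-11T07:41:30 LOGOUT user=tech01 host=MICRO-WS3
2023-08-11T08:10:00 LOGIN user=tech03 host=BB-WS4
"""


def parse_events(text):
    """Parse audit lines into (timestamp, action, user, host) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, user_kv, host_kv = line.split()
        events.append((datetime.fromisoformat(ts), action,
                       user_kv.split("=", 1)[1], host_kv.split("=", 1)[1]))
    return sorted(events)


def find_concurrent_sessions(events):
    """Flag a LOGIN made while the same user still has an open session on another host.

    Returns (user, earlier_host, new_host, login_time) tuples; the earlier session
    is the one the tech walked away from without logging out."""
    open_sessions = defaultdict(dict)   # user -> {host: login_time}
    findings = []
    for ts, action, user, host in events:
        if action == "LOGIN":
            for other_host in open_sessions[user]:
                if other_host != host:
                    findings.append((user, other_host, host, ts))
            open_sessions[user][host] = ts
        elif action == "LOGOUT":
            open_sessions[user].pop(host, None)
    return findings


def find_stale_sessions(events, now, max_open=timedelta(minutes=30)):
    """Sessions with no LOGOUT that have been open longer than max_open as of `now`.

    `now` may be a datetime or an ISO-8601 string (the end of the log window)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    open_sessions = {}
    for ts, action, user, host in events:
        if action == "LOGIN":
            open_sessions[(user, host)] = ts
        elif action == "LOGOUT":
            open_sessions.pop((user, host), None)
    return sorted((user, host, login_ts)
                  for (user, host), login_ts in open_sessions.items()
                  if now - login_ts > max_open)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for finding in find_concurrent_sessions(evs):
        print("concurrent sessions:", finding)
    for stale in find_stale_sessions(evs, "2023-08-11T08:30:00"):
        print("session left open:", stale)
```

Run against a real export, the concurrent-session findings identify the terminal whose open session was exposed to whoever sat down next, and the stale-session findings identify terminals that were never logged out at all.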
Many don't seem to understand the level of impact this can have on a patient's life. Even if a tech slips up or acts maliciously with patient data and is caught and terminated, that won't prevent that data from circulating once it's leaked. Next slide please. So why should you care? Because it's your data: that's your SSN, that's your date of birth, your address, your test results saying you're positive or negative for something. Sometimes that information could be a test result for HIV or a positive cancer diagnosis. It's sensitive information that can have severe consequences if leaked. That's all your medical history, sometimes spanning your entire life, and it's all the personal data that can be held about you in your medical record. Next slide please. So you could help us too. We need more security-minded people. We need more lab techs with a security brain. We need more security warriors willing to protect patient data. And most importantly, we need more people who care enough and who possess a background to understand healthcare workflow. How much restriction can we place in the lab without slowing down patient testing? How many security precautions can we put in place without increasing the time that a sample's run, and therefore increasing the time for a patient to receive proper care? So if you work in cybersecurity at a facility with a medical laboratory, please get to know your lab department. We really want your data to be safe too. I guess I really whizzed past this talk. When I rehearsed it before, I got up to about 17 minutes. We're currently at about 14. I guess that leaves some time for questions. But next slide please. I have some citations that you can go and check out. And if you'd like a copy of the slide deck, you can DM me or send me a message. Next slide. Thanks for listening. This talk was mostly to bring awareness to the medical laboratory field, and to the fact that there are those of us who are concerned about how your data is handled.
We really want to make things more secure for you. I hope this will maybe help to get people thinking about patient data in the laboratory and kickstart some serious change. If you're here at DEF CON, come find me to get a little homemade badge of my squid character, or DM me on Twitter. I really only use the account listed here during cons. Thank you guys. If there are any questions, I'll do my best to answer.

Do you think that this kind of lack of control over the data is systemic to the whole industry? Or do you think it's only problem spots?

I think it would be the whole industry. I think yes, I think this kind of thing is really prevalent throughout healthcare.

Do you think that stronger policies, I know some are in place, but I mean, would stronger internal policies actually help? Do you think you would still run into the same kind of issues of people just ignoring them or getting around them?

We do have some stronger policies in place in a lot of the hospitals I've been in. But I don't think they do as much as people want them to. I think we would still run into the same problem of people just not understanding the impact. Techs coming into the lab, people going into healthcare, they need more training. They need to know how this can impact patients, and policies aren't exactly going to explain all of that to them. They may put things in place, make things a little bit harder to access. But where there's a will, there's a way, and people will always find a way to circumvent protocols that are put in place.

So I've heard the horror stories of medical or laboratory equipment running awfully, awfully outdated software that's vulnerable in a hundred different ways. Would you say that internal lack of awareness or internal threats pose a bigger risk than external threats?

That's a difficult one to answer, but I'm going to say, yeah, I think so.
I think we're more likely to see something due to somebody slipping up than we are to an external attack, if that answers your question.

What happens when something like, you know, internal to a hospital, a medical record number is released or something like that?

What would happen is, first, there'd be an investigation by compliance. We would try and find out the source of the leak. We would alert the patient immediately that this information has been leaked. But from there, I don't have the compliance background to let you know fully what the hospital would do.

Okay. Also, what do you think is limiting the big groups that run the hospitals and clinics and all that stuff? What do you think is keeping them from upgrading the systems and stuff? Because I've heard that some are still running Windows XP, I think, Windows Vista.

Some of it just has to do with funding, the funding that the medical laboratory needs to bring in these analyzers. And I'm not sure, if you're asking about the people who run these organizations, if they really understand the need that we have for updated instrumentation. So I think that's part of it. And I think part of it is also that the lab gets very used to using one analyzer, and some people are very hesitant to change. I think that's another one.

Okay, thank you. What kind of, go ahead. Sorry. What kind of positions would there be for someone who wants to get into security of hospitals?

We have a security team and we have an IT apps team that you could join. You wouldn't exactly need a healthcare background. But I would say we would need more techs, more people in health informatics for one, that could join the laboratory and create change from within the laboratory.
Because we have security teams, but a lot of the problem is that they don't understand the healthcare workflow enough.

Okay. So what you're saying is that you're looking for the people that are more on the health informatics side, right?

Yeah, sure. Health informatics, laboratory information systems, people that have a mix of both IT and healthcare.

Okay, thank you.

No problem.

One of the issues might be that the people working there don't actually understand the impact of violating some of the security policies, that to them it seems inconsequential, not realizing the risk it's putting them in, and the system.

Absolutely. I think that's absolutely true. A lot of people don't really think about it on a day-to-day basis either. And it's very much, you know, we need to do what we need to do to be able to get the sample out the door and to get the sample completed, and if that means overriding something that's telling you, hey, stop, don't press a button, or, hey, do you want to stay logged in for this extended amount of time, they just breeze past it. A lot of people don't really think about those things or think about how it could impact them.

It would seem that training would be a solution to that, but that's the very thing you said they're not getting.

Some of them. Yeah, there is going to be, especially right now with a shortage of techs, training might be limited, but even for those that have had years and years of training, people who have been in the lab for 40-odd years, they still might not understand exactly how that breach can impact a patient, especially now with newer systems and newer technologies in place. They might not understand all of the layers that come into play in terms of patient data these days, because when they started out in the lab, they didn't have all of this instrumentation that they were working with. You know, mouth pipetting was still a thing; it was still very much a manual process.
I think definitely more training, consistent education on it, would be good.

What are your thoughts on when the whole WannaCry ransomware attack happened that affected hospitals? Could you expand on that, or did that never happen in your place?

It didn't happen anywhere that I worked. I guess my thoughts on it were that it was terrible and a lot of them didn't know how to handle it at all. They weren't sure how to deal with that threat. And that's just from what I've heard, because that was from before I entered the workforce.

Okay. Thank you.

No problem. If there are any more questions you can definitely shoot me a DM, or you can come find me or send me an email. I'd be happy to talk with you more, especially about this topic.

I didn't realize I was muted. Thank you, Squitty, for an excellent talk. Your talk last DEF CON, which was 2020, was excellent as well. And if you're going to be around here, people can talk to you in here too. I know you're at DEF CON, so you may not actually be in our space for much longer. Is that correct?

Yeah, that's correct. But I'll try and hang out for a little while longer, if people want to come find me in the space.

And also just a reminder that we don't have any presentations scheduled for tomorrow, but the spaces will be open for people to hang out and talk and network. So our next presenter will be here in roughly another 30 minutes. So this would be a good time to take a bio break, wander around, look for some of the Easter eggs, talk to some of the speakers, and we'll see you back here in about 30 minutes.