Cybersecurity experts recommend clinical laboratories have in place a plan for performing tests and distributing results prior to a cyberattack
Hospitals of all sizes continue to be prime targets for sophisticated cyberattacks, where hackers remotely disable a healthcare network’s computer systems—including its laboratory information system—and extort ransom payments. Similar attacks are happening to clinical laboratories and other providers, although not with the same frequency.
Recently, hospitals in Illinois, Idaho, Vermont, Indiana, and other states had their ability to treat patients severely reduced and, in some cases, completely shut down by cybercriminals, endangering lives and costing millions of dollars in damages.
Today’s hospitals rely on information technology (IT) for patient care workflow, internal/external communication, billing, and medical laboratory testing. It’s this reliance on computer/internet technology, combined with the vast quantities of protected health information (PHI), that makes hospitals such ripe targets for attack.
In June, a US cancer center had to take its digital services offline, which “significantly reduced patient treatment capability” following a ransomware attack by a group of hackers known as the TimisoaraHackerTeam (THT), MedCity News reported.
“Patients don’t stop getting sick just because a hospital is hit by a ransomware attack,” Christian Dameff, MD, emergency physician at UC San Diego Health and lead author of a study that looked into how cyberattacks affect other hospitals in the area, told ABC News. “They have to go somewhere. So, what this research shows is that those patients go to neighboring hospitals that can be overwhelmed.” Clinical laboratories can also become overwhelmed with test orders when nearby hospitals lose their ability to distribute the results of critical lab tests. (Photo copyright: UC San Diego Health.)
In its “Healthcare and Public Health Sector Cybersecurity Notification” on the event, the federal Division of Critical Infrastructure Protection (CIP) wrote, “Little is known about the obscure group of hackers, but when its ransomware is deployed, their rarely used and very effective technique of encrypting data in a target environment has paralyzed the health and public health (HPH) sector.”
The CIP operates within the US Department of Health and Human Services’ (HHS) Office of the Administration for Strategic Preparedness and Response (ASPR) and Health Sector Cybersecurity Coordination Center (HC3).
Here is a list of other cyberattacks on healthcare providers and the consequences of these crimes.
Recent Cyberattacks Close Hospitals, Disrupt Clinical Laboratory Testing
“The attack halted the hospital’s ability to submit claims to insurers, Medicare or Medicaid for months, sending it into a financial spiral,” Linda Burt, RN, Vice President of Quality and Community Services at St. Margaret’s, told NBC News. “We were down a minimum of 14 weeks. And then you’re trying to recover. Nothing went out. No claims. Nothing got entered. So, it took months and months and months.”
Meanwhile, 88-bed Idaho Falls Community Hospital experienced a cyberattack in May that required it to divert ambulances to other hospitals for 24 hours, CNN reported. The provider’s sister healthcare facility, MountainView Hospital in Las Vegas, which shares the same computer system, was also affected.
The Idaho Falls attack “forced nurses and doctors … to use pen and paper rather than computers for patient charts,” a hospital spokesperson told CNN.
At the University of Vermont Medical Center (UVM), Burlington, Vermont, a ransomware attack affected healthcare services for 28 days, costing the provider $50 million to recover, and preventing healthcare workers from accessing critical treatment plans for cancer patients, ABC News reported.
UVM’s President and Chief Operating Officer, Stephen Leffler, MD, an emergency medicine physician, told ABC News that the 2020 cyberattack significantly disrupted clinical laboratory operations at UVM.
“When the laboratory had a critical lab result on someone, they couldn’t put it in the electronic medical record,” he explained. “They couldn’t call the floor. And so, we literally had our administrators start going in the lab, standing there and running a paper result to the floors.
“Everything that we do and rely on was down,” he added. “We actually sent some staff to Best Buy to buy Walkie Talkies!
“It can happen to you—even when you think it’s impossible,” Leffler warned.
And at Johnson Memorial Health, Franklin, Indiana, clinical laboratory tests took two hours to perform instead of 30 minutes, NPR said in its report on cyberattacks affecting Indiana providers. The lab had to use “runners” to share handwritten test results with caregivers and patients, NPR explained.
“You ask many CEOs across the country, ‘What keeps you up at night?’ Of course, they talk about workforce, financial pressures, and they say, ‘the possibility of a cyberattack,’” John Riggi, National Advisor for Cybersecurity and Risk at the American Hospital Association (AHA), told NPR.
Cyberattacks Affect Surrounding Hospitals
To make matters worse, cyberattacks have a “blast radius” that impacts the healthcare community around an attacked provider, Christian Dameff, MD, Assistant Professor, Emergency Medical Services, University of California, San Diego, told ABC News. Dameff was lead author of a study that looked at how healthcare providers near an attacked provider are affected.
“Hospitals adjacent to healthcare delivery organizations affected by ransomware attacks may see increases in patient census and may experience resource constraints affecting time-sensitive care for conditions such as acute stroke,” Dameff and co-authors wrote in a JAMA Open Network article titled, “Ransomware Attack Associated with Disruptions at Adjacent Emergency Departments in the US.”
“Healthcare cyberattacks such as ransomware are associated with greater disruptions to regional hospitals and should be treated as disasters,” they wrote.
Vigilance Is Required as Cyberattacks Increase
Ransomware attacks on hospitals climbed from 43 to 91 annually during the years 2016 to 2021, a separate study in JAMA Health Forum reported, adding that large organizations with multiple facilities were increasingly targeted.
The US experienced a 57% increase in cyberattacks in 2022 compared to 2021, according to a Check Point Research (CPR) report. Healthcare ranked second on the list of attacked industries due, according to Check Point, to the quantity and availability of personal and sensitive information, such as social security numbers and medical data.
“We expect the increase in cyber activity to only increase. With AI [artificial intelligence] technologies such as ChatGPT readily available, it is possible for hackers to generate malicious code and emails at a faster, more automated pace,” the CPR report noted.
For its part, the AHA said in a statement it plans to:
- Make available cybersecurity services to members.
- Work with federal agencies to mitigate cyber threats.
- Advocate for increased government cybersecurity assistance.
Hospital clinical laboratory leaders need to be vigilant and work with colleagues to prevent cyberattacks. Check Point’s report advises, for example, avoiding malicious links and unexpected electronic attachments as well as verifying software is legitimate before downloading it. These are standard warnings, but they only work if staff members actually heed them.
Also important for diagnostics professionals is having a plan for performing clinical laboratory and anatomic pathology tests and distributing the results in the event of an attack.
—Donna Marie Pocius