Clinical laboratories are particularly tasty targets for cybercriminals seeking the abundance of protect health information contained in patient electronic health records
Recent data from cybersecurity company Netwrix of Frisco, Texas, shows that 84% of healthcare organizations—including clinical laboratories and pathology groups—caught at least one cyberattack in the past year and “69% of them faced financial damage as a result.” That’s according to the company’s latest Hybrid Security Trends Report which notes that 24% of healthcare organizations are “fully cloud-based,” as opposed to just 11% of non-healthcare industries.
“Phishing was the most common type of incident experienced on premises, similar to other industries. Account compromise topped the list for cloud attacks: 74% of healthcare organizations that spotted a cyberattack reported user or admin account compromise,” the Netwrix report notes.
Phishing, where cybercriminals send fake emails and texts to unsuspecting employees that trick them into providing private information, continues to be one of the most prevalent cyberthreats experienced by healthcare organizations and often serves as the catalyst for much larger and more dangerous cyberattacks.
This is particularly dangerous in clinical laboratories where as much as 80% of protected health information (PHI) in patients’ electronic health records (EHRs) is laboratory test results and other personal medical data.
“Protected health information (PHI) is one of the most expensive types of data sold on darknet forums, which makes healthcare organizations a top target for cybercriminals, said Ilia Sotnikov (above), security strategist and VP of user experience at Netwrix, in the report. Clinical laboratory patient electronic health records are particularly weighted toward PHI. (Photo copyright: Netwrix.)
Don’t Open That Email!
Typical phishing scams begin with innocent-looking emails from companies that appear to be legitimate and often contain language that implies urgent action is needed on the part of the user. These emails can be very convincing, appear to originate from reputable companies, and usually instruct users to open an attachment contained in the email or click on a link that goes to a known company website. However, the site is a fake.
Once the harmful file attachment is opened, users will be directed to download fake software or ransomware that attempts to capture the user’s personal information. When visiting a malicious website, consumers will often receive pop-ups with instructions for updating information, but the true purpose is to harvest personal data.
Never provide any personal information to an unsolicited request.
If you believe the contact is legitimate, initiate a contact with the organization using verified data, usually via telephone.
Never provide any passwords over the phone or in response to an unsolicited Internet request.
Review any accounts, such as bank statements, often to search for any suspicious activity.
“Healthcare workers regularly communicate with many people they do not know—patients, laboratory assistants, external auditors and more—so properly vetting every message is a huge burden,” said IT security expert Dirk Schrader, VP of security research at Netwrix, in the report. “Plus, they do not realize how critical it is to be cautious, since security awareness training often takes a back seat to the urgent work of taking care of patients. Combined, these factors can lead to a higher rate of security incidents.”
Top 10 Brands Faked in Phishing Scams
Phishing emails often appear to be from legitimate companies to lull the recipient into a false sense of security. In a January 22 report, Check Point Research (CPR) announced its latest Brand Phishing Ranking for the fourth quarter of 2024. The report reveals the brands that were most frequently impersonated in phishing attacks by cybercriminals for the purpose of stealing personal information from consumers.
According to the CPR report, 80% of disclosed brand phishing incidents occurred within just 10 brands (listed below with each brand’s percentage of phishing attacks). They are:
According to the report, fraudulent domains “replicated official websites to mislead shoppers with fake discounts, ultimately stealing login credentials and personal information. These fraudulent sites replicate the brand’s logo and offer unrealistically low prices to lure victims. Their goal is to trick users into sharing sensitive information, such as login credentials and personal details, enabling hackers to steal their data effectively.”
Steps Clinical Labs Can Take to Protect Patients’ PHI
Clinical laboratories and pathology groups can take precautions that minimize the risk of allowing cybercriminals access to their patients’ PHI.
“A core defense strategy is to minimize standing privileges by using a privileged access management (PAM) solution. Another is to implement identity threat detection and response (IDTR) tools to quickly block malicious actors using compromised credentials,” said Ilia Sotnikov, security strategist and VP of user experience at Netwrix, in the report.
The threat of phishing scams is a lingering issue that everyone in healthcare should be aware of and take necessary precautions to recognize and prevent having one’s PHI stolen. Clinical laboratory management should constantly remind lab personnel and contractors to be vigilant regarding fake emails and texts from well-known brands that ask for private information.
Inability to access clinical laboratory test results forced hospitals to suspend critical procedures and surgeries causing major disruptions to healthcare
Cyberattacks continue to shut down the ability of hospitals to process orders for clinical laboratory tests, medical imaging, and prescriptions. One such cyberattack recently took place against Ascension, the largest nonprofit Catholic health system in the United States. It took more than a month for the health network’s electronic health record (EHR) system to be fully restored, according to a cybersecurity event press release.
Immediately following the event, Ascension announced it had hired a third party company to resolve the fallout from the cyberattack.
“On Wednesday, May 8, we detected unusual activity on select technology network systems, which we now believe is due to a cybersecurity event. … Access to some systems have been interrupted … We have engaged Mandiant, a third party expert, to assist in the investigation and remediation process, and we have notified the appropriate authorities,” a press release states.
Based in Reston, Va., Mandiant is an American cybersecurity firm and a subsidiary of Google.
Cyberattacks are happening more frequently and medical professionals need to be aware that patient care can be severely disrupted by such attacks. The Ascension attack locked its employees out of the healthcare provider’s computer databases, rendering medical personnel unable to track and coordinate patient care. The health network’s EHR, phones, and databases used to order certain clinical laboratory tests, imaging services, procedures, and medications were all affected.
Hospital employees, including two doctors and a registered nurse, spoke anonymously to the Detroit Free Press regarding the issues at their facilities resulting from the cyberattack.
“It’s so, so dangerous,” said the nurse, describing the immediate aftermath of the cyberattack. “We are waiting four hours for head CT [computed tomography scan] results on somebody having a stroke or a brain bleed. We are just waiting. I don’t know why they haven’t at least paused the ambulances and accepting transfers because we physically … don’t have the capacity to care for them right now.”
“In some cases, what are supposed to be unique medical record numbers assigned to patients when they register in the emergency department at Ascension St. John [Detroit, Mich.] have been given to more than one patient at a time,” Detroit Free Press reported. “Because of that, the nurse told the Free Press she couldn’t be confident that a patient’s blood test results actually were his own.”
“We’ve started to think about these as public health issues and disasters on the scale of earthquakes or hurricanes,” Jeff Tully, MD (above), Associate Clinical Professor, Anesthesiology, and co-director of the Center for Healthcare Cybersecurity at the University of California-San Diego, told NPR. “These types of cybersecurity incidents should be thought of as a matter of when and not if,” he added. Inability to verify clinical laboratory test results or access patients’ electronic medical records endangers patients and undermines the confidence of critical healthcare workers. (Photo copyright: UC San Diego.)
Losing Track of Patients and Their Records
According to the HIPAA Journal’sH1, 2024 Healthcare Data Breach Report, “In H1 [first half of the fiscal year], 2024, 387 data breaches of 500 or more [healthcare] records were reported to OCR, which represents an 8.4% increase from H1, 2023, and a 9.3% increase from H1, 2022.”
After the Ascension cyberattack, the healthcare organization’s computer systems were inoperable, and its pharmacy services were temporarily closed. Medical orders for clinical laboratory testing, imaging tests, and prescriptions had to be handwritten on paper and faxed to appropriate departments, which led to long wait times for patients.
There were cases where singular medical record numbers were assigned to multiple patients. Staff resorted to Google documents, paper charting, and text messaging to communicate with one another. But they still lost track of some patients.
“For a lot of our nurses, they’ve never paper charted at all,” said Connie Smith, a charge capture coordinator and head of the Wisconsin Federation of Nurses and Health Professionals, in a ThinkStack blog post. “We were using forms that we pulled out of drawers that hadn’t seen the light of day in a long, long time.”
“They are texting me to find out where the patient went,” a St. John Hospital Emergency Room physician anonymously told the Free Press immediately following the Ascension cyberattack. “They don’t even know where the patient is going or if they’ve been admitted. People are getting lost.
“The pharmacy is getting requests for patient medications, and they have no idea where the patient is in the hospital,” the doctor continued. “Some of the attending physicians are putting in orders for medications, somewhat dangerous medications, and we have no idea if the medications are actually being administered. It’s a scary thing when your medical license is tied to this. If medication mistakes become lawsuits, they will follow us throughout our entire careers and that is not fair to us. It’s not fair to patients.”
According to online updates provided by Ascension, the cyberattack began when an employee downloaded a malicious file thinking it was a legitimate document. That allowed hackers to access seven of Ascension’s 25,000 servers. The resulting cyberattack stifled operations across the organization’s facilities and among its healthcare providers for weeks.
A June 12 update read, “we are pleased to announce that electronic health record (EHR) access has been restored across our ministries. This means that clinical workflow in our hospitals and clinics will function similarly to the way it did prior to the ransomware attack.” The updates did not mention how the attack was resolved or if a ransom was paid to restore the hospitals’ systems.
Preparing for System Disruptions
According to its website, St. Louis-based Ascension has 134,000 associates, 35,000 affiliated providers, and 140 hospitals serving communities in 18 states and the District of Columbia.
“Despite the challenges posed by the recent ransomware incident, patient safety continues to be our utmost priority. Our dedicated doctors, nurses, and care teams are demonstrating incredible thoughtfulness and resilience as we utilize manual and paper based systems during the ongoing disruption to normal systems,” Ascension noted in a Michigan Cybersecurity Event Update.
Clinical laboratory managers and anatomic pathology practice administrators may want to learn from Ascension’s experience and make advanced preparations that will secure patient information and enable their lab to continue functioning during a cyberattack. The Ascension cyberattack illustrates how easily computer systems containing critical information can be hacked and affect patient care.
Initially thought to be an attack by a nation-state, actual culprit turned out to be a known ransomware group and each day brings new revelations about the cyberattack
Fallout continues from cyberattack on Change Healthcare, the revenue cycle management (RCM) company that is a business unit of Optum, itself a division of UnitedHealth Group. Recent news accounts say providers are losing an estimated $100 million per day because they cannot submit claims to Change Healthcare nor receive reimbursement for these claims.
The cyberattack took place on February 21. The following day, UnitedHealth Group filed a Material Cybersecurity Incidents report (form 8-K) with the US Securities and Exchange Commission (SEC) in which it stated it had “identified a suspected nation-state associated cybersecurity threat actor [that] had gained access to some of the Change Healthcare information technology systems.”
A few days later the real identity of the threat actor was revealed to be a ransomware group known as “BlackCat” or “ALPHV,” according to Reuters.
Change Healthcare of Nashville, Tenn., is “one of the largest commercial prescription processors in the US,” Healthcare Dive reported, adding that hospitals, pharmacies, and military facilities had difficulty transmitting prescriptions “as a result of the outage.”
Change Healthcare handles about 15 billion payments each year.
According to a Change Healthcare statement, the company “became aware of the outside threat” and “took immediate action to disconnect Change Healthcare’s systems to prevent further impact.”
Change Healthcare has provided a website where parties that have been affected by the cyberattack can find assistance and updated information on Change’s response to the intrusion and theft of its data.
“The fallout is only starting to happen now. It will get worse for consumers,” Andrew Newman (above), founder and Chief Technology Officer, ReasonLabs, told FOX Business, adding, “We know that the likely destination for [the Change Healthcare] data is the Dark Web, where BlackCat will auction it all off to the highest bidder. From there, consumers could expect to suffer from things like identity theft, credit score downgrades, and more.” Clinical laboratories are also targets of cyberattacks due to the large amount of private patient data stored on their laboratory information systems. (Photo copyright: ReasonLabs.)
Millions of Records May be in Wrong Hands
Reuters reported that ALPHV/BlackCat admitted it “stole millions of sensitive records, including medical insurance and health data from the company.”
The ransomware group has been focusing its attacks on healthcare with 70 incidents since December, according to federal agencies.
In a letter to HHS, AHA warned, “Change Healthcare’s downed systems will have an immediate adverse impact on hospital finances. … Their interrupted technology controls providers’ ability to process claims for payment, patient billing, and patient cost estimation services.”
“My understanding is Change/Optum touches almost every hospital in the US in one way or another,” John Riggi, AHA’s National Advisor for Cybersecurity and Risk, told Chief Healthcare Executive. “It has sector wide impact in potential risk. So, really, this is an attack on the entire sector.” Riggi spent nearly 30 years with the FBI.
Some physician practices may also have been impacted by the Change Healthcare cyberattack, according to the Medical Group Management Association (MGMA). In a letter to HHS, MGMA described negative changes in processes at doctors’ offices. They include delays in paper and electronic statements “for the duration of the outage.”
In addition, “prescriptions are being called into pharmacies instead of being electronically sent, so patients’ insurance information cannot be verified by pharmacies, and [the patients] are forced to self-pay or go without necessary medication.”
Here are “just a few of the consequences medical groups have felt” since the Change Healthcare cyberattack, according to the MGMA:
Substantial billing and cash flow disruptions, such as a lack of electronic claims processing. Both paper and electronic statements have been delayed. Some groups have been without any outgoing charges or incoming payments for the duration of the outage.
Limited or no electronic remittance advice from health plans. Groups are having to manually pull and post from payer portals.
Prior authorization submissions have been rejected or have not been transmittable at all. This further exacerbates what is routinely ranked the number one regulatory burden by medical groups and jeopardizes patient care.
Groups have been unable to perform eligibility checks for patients.
Many electronic prescriptions have not been transmitted, resulting in call-in prescriptions to pharmacies or paper prescriptions for patients. Subsequently, patients’ insurance information cannot be verified by pharmacies, and they are forced to self-pay or go without necessary medication.
Lack of connectivity to important data infrastructure needed for success in value-based care arrangements, and other health information technology disruptions.
Medical laboratory leaders and pathologists are advised to consult with their colleagues in IT and cybersecurity on how to best prevent ransomware attacks. Labs hold vast amount of private patient information. Recent incidents suggest more steps and strategies may be needed to protect laboratory information systems and patient data.
Amid cost pressures, healthcare providers also plan to cut staff though some jobs are plentiful; adequate staffing at medical laboratories continues to be a challenge
Thanks to the COVID-19 pandemic and subsequent “Great Resignation,” masses of people have left the workforce and companies large and small in all industries are struggling to retain employees. Clinical laboratories have been particularly hard hit with no relief in sight.
Now comes the results of a PricewaterhouseCoopers (PwC) survey which shows 50% of US companies in various industries—including major healthcare providers—plan to lay off employees. And 83% of organizations intend to move forward with a “streamlined workforce,” according to the latest PwC Pulse: Managing Business Risks in 2022 report.
How this will affect the workload on remaining hospital and medical laboratory staff is clear. And healthcare consumers may not take well to healthcare provides running leaner and with fewer staff than they currently do.
Nevertheless, the PwC survey results “illustrate the contradictory nature of today’s labor market, where skilled workers can still largely name their terms amid talent shortages even as companies look to let people go elsewhere,” Bloomberg wrote on the CPA Practice Advisor website.
“Organizations are still walking a tightrope when it comes to talent as we begin to see the longer-term impacts of the ‘Great Resignation.’ Finding the proper balance between investing in specialized talent, managing headcount costs, and driving productivity and morale will remain a top focus,” said Bhushan Sethi (above), People and Organization Joint Global Leader at PwC and an adjunct professor at NYU Stern School of Business in a PwC news release. Clinical laboratories are finding it particularly challenging to fill staff positions across all areas of lab operations. (Photo copyright: PwC.)
Healthcare Has Biggest Challenges, says PwC
Clinical laboratory leaders and pathologist groups are well aware of the unique financial pressures on healthcare systems and medical labs, as well as shortages of pathologists, medical technologists, clinical laboratory scientists, information technology (IT) professionals, and other healthcare workers.
“Healthcare is seeing bigger talent challenges than other industries and is more focused on rehiring employees who have recently left,” the PwC report acknowledged. This is the second Pulse survey PwC conducted in 2022. The 722 respondents included leaders working in human capital and finance.
Finding Right Talent, Focusing on Growth, Automation
Finding the right employees is so important to companies that PwC ranks “talent acquisition” as the second highest risk (38%) behind cyber-attacks (40%).
“Finding the right talent continues to be a challenge for business leaders,” PwC said. “After a frenzy of hiring and a tight labor market over the past few years, executives see the distinction between having people and having people with the right skills.”
Unlike the high-touch and personal nature of healthcare, industries such as consumer technology, media, and telecommunications can turn to automation to alleviate staffing struggles. And that is what nearly two-thirds, or 63%, of companies in those sectors, aim to do, PwC said.
Other survey talent findings:
50% of companies plan layoffs.
46% are dropping or eliminating sign-on bonuses.
44% are rescinding job offers.
Conversely, the surveyed executives also told PwC they are “cautiously optimistic” and plan on growing and investing even as the economy gives mixed signals:
83% of companies are focused on growth.
70% plan an acquisition.
53% aim to invest in digital transformation, 52% in IT, 49% in cybersecurity and privacy, and 48% in customer experience.
“After more than two years dealing with uncertainty related to the pandemic, business leaders recognize the urgent need to focus on growth in order to compete, and they’re zeroing in on what they can control,” PwC said.
New Remote Work Programs, Reduction in Real Estate Investing, Big Tech
Although companies report having more than enough physical office space, many (42%) have launched remote work programs:
70% have expanded or plan to increase “permanent” remote work options as jobs permit.
22% are reducing real estate investment (financial services and healthcare industries lead the way with 30% and 29%, respectively, saying real estate buys are cooling off).
“While companies continue to invest in many areas of the business, they’re scaling back the most in real estate and capex ex [capital expenditure]. After two years of remote work, many companies simply need less space, and they’re allocating capital accordingly,” the PwC report noted.
In a somewhat parallel release to PwC’s findings, news sources are reporting reductions in real estate and staff at high-profile Big Tech companies.
Meta Platforms, Inc. in Menlo Park, Calif. (formerly Facebook Inc.), is closing one of its New York offices and cutting back on plans to expand two other locations in the city, the Observer reported.
Business Insider reported, “More than 32,000 tech workers have been laid off in the US till July, including at Big Tech companies like Microsoft and Meta (formerly Facebook), and the worst has not been over yet for the tech sector that has seen massive stock sell-off.”
According to Forbes, “San Francisco-based electronic signature company DocuSign will lay off 9% of its more than 7,400 employees (roughly 670 employees), the company announced in a Securities and Exchange filing Wednesday, saying the cuts are ‘necessary to ensure we are capitalizing on our long-term opportunity and setting up the company for future success.’”
And Bloomberg recently reported that Intel is planning to layoff thousands of people “around the same time as its third-quarter earnings report on Oct. 27.”
Healthcare Providers Plan Layoffs, Seek IT Pros
Meanwhile, major healthcare provider networks also are planning staff cuts amid service closures, rising costs, and other issues, according to Becker’s Hospital Review:
Ascension in St. Louis, Mo., plans to close an Indiana hospital and nine medical practices and lay off 133 employees.
“Our health system, like others around the nation, is facing significant financial pressures from historic inflation, rising pharmaceutical and labor costs, COVID-19, expiration of CARES Act funding, and reimbursement not proportional with expenses,” BHSH said in a statement shared with Becker’s.
Amidst these layoffs, however, IT jobs in healthcare seem to be growing. According to Becker’s Health IT, some healthcare providers have posted information technology openings:
Mayo Clinic in Rochester, Minn., has 43 IT job openings.
So, though it appears IT positions continue to expand, clinical laboratory leaders and pathology practice managers may want to prepare now for dealing with customers’ response to leaner healthcare systems overall.
Recent attacks illustrate how costly a security breach can be and why clinical laboratories and pathology groups must work to protect their information systems from ransomware attacks
Therefore, it is crucial clinical laboratories and pathology groups have a cybersecurity strategy in place for dealing with ransomware attacks. Running security drills may need to be part of that strategy. Managers and employees should undergo specific training and vendors must be vetted carefully. Without such a strategy, the question is not if an attack will happen, but rather when an attack will succeed.
Ransomware Attackers are Getting Better
“Ransomware is increasing in sophistication; it’s increasing in prevalence. The purveyors of ransomware are generally reinvesting the fees that they collect from the entities they extort to acquire more capabilities,” Beau Woods, Senior Advisor at the federal Cybersecurity and Infrastructure Security Agency (CISA), told The San Diego Tribune.
“They’re getting better, they’re getting more frequent, particularly during the pandemic where we’ve opened up more connectivity to allow more remote work,” he added.
The Scripps Health attack is notable for several reasons, with one being the length of the outage it caused. The attack was first detected on May 1 of this year. It took four weeks before Scripps could restore most of its network and get its Epic EHR back online, Health IT Security reported.
However, the ransomware attack on Universal Health Services (NYSE:UHS) may be the biggest attack so far. It took place on September 27, 2020, and caused a three-week outage. The company told The San Diego Tribune the incident had a $67 million impact on operations.
According to HIPAA Journal, “The phone system was taken out of action, and without access to computers and electronic health records, employees had to resort to pen and paper to record patient information. In the early hours after the attack occurred, the health system diverted ambulances to alternative facilities and some elective procedures were either postponed or diverted to competitors. Patients reported delays receiving test results while UHS recovered from the attack.”
At Utah Pathology Services, an employee e-mail hack resulted in the potential exposure of patient data. The malicious actors attempted to divert funds intended for a physician but failed to do so. However, the information of 112,000 patients was accessible to the hacker during the attempt.
“The compromised data varied by patient but could include names, contact information, insurance details such as ID and group numbers, medical and health information like internal records numbers and clinical and diagnostic information, and some Social Security numbers,” Health IT Security reported.
“We are seeing adversaries that are targeting our pharmaceutical companies, pharmaceutical research, laboratory companies, testing and really even out into the future manufacturing of the vaccine systems,” Bryan S. Ware (above left) Assistant Director for Cybersecurity for the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) told CyberScoop. CISA Director Christopher Krebs (above right) added, “At the onset of the COVID-19 pandemic, we recognized just how vital the healthcare sector was to the response and we established Project Taken to bring to bear the government’s particular set of skills to protect those organizations.” (Photo copyrights: CyberScoop/Business Insider.)
Value of Patient Data on the Dark Web is Increasing
In the case of the Utah Pathology Services attack, the hackers were specifically after money. However, according to cybersecurity company SecureLink, patient records are “the new prize” for hackers. Healthcare data carries a value of its own on the digital black market. In fact, healthcare data is more valuable than credit card or banking data.
“Healthcare data is valuable on the black market because it often contains all of an individual’s personally identifiable information, as opposed to a single marker that may be found in a financial breach,” SecureLink wrote in a blog post.
A 2018 Trustwave Global Security Report estimated that a healthcare record is worth about $250. Trustwave, however, estimated the value of a banking record at less than $5. That strongly suggests health records are increasing in value.
And even after a healthcare entity has regained control of its IT infrastructure, the hacker still has possession of the stolen patient information. It may take weeks or years for the hacker to sell that information, meaning the breach represents a continuing threat to the healthcare organization and its patients.
Clinical Laboratories Must Prepare for an Attack
Simply understanding the threat is not enough. Clinical laboratory and pathology group managers must have robust plans in place for both protecting patient information and for dealing with a security breach should one occur.
According to a Health IT Security report, “The ransomware attack that struck all 400 UHS care sites and caused three weeks of EHR downtime in September, cost the health system $67 million in recovery costs and lost revenue.”
The report added, “Security researchers have long-recommended the need for providers to shift into a proactive security model, like zero trust. Recent reports show successful cyberattacks on healthcare providers doubled in the last year, with at least 560 providers falling victim to ransomware.”
To deal with the ransomware attacks, we wrote, “CISA, FBI, and HHS advise against paying ransoms. ‘Payment does not guarantee files will be recovered,’ the advisory states. ‘It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.’ The federal agencies advise organizations to take preventive measures and adopt plans for coping with attacks.
“The advisory suggests:
Training programs for employees, including raising awareness about ransomware and phishing scams. Organizations should ‘ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.’
Regular backups of data and software. These should be ‘maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups.’ Personnel should also test the backups.
Continuity plans in case information systems are not accessible. For example, organizations should maintain ‘hard copies of digital information that would be required for critical patient healthcare.’”
Given the enormous amounts of money hackers can earn from selling protected health information on the Dark Web, it is a near certainty these attacks will continue. Clinical laboratory and anatomic pathology group managers would be well advised to plan for the inevitability that their health system will be targeted.
