Recent intrusions into the hospitals’ IT systems resulted in blocked medical records including medical laboratory data
Healthcare cyberattacks continue to be a threat that bring potentially costly business consequences for clinical laboratories. Just in the past month, two hospital systems had their health information technology (HIT) systems disrupted due to security incidents. In response, the hospitals’ medical laboratories were forced to switch from digital to paper documentation and, in at least one case, the organization reportedly had difficulty accessing electronic laboratory test results.
At Tallahassee Memorial, an “IT security issue” on Feb. 2 resulted in the organization shutting down its IT systems for 13 days, including at its clinical laboratory. The hospital’s computer network went back online on Feb. 15, according to a news release.
At Atlantic General Hospital, according to an AGH news release, IT personnel discovered a ransomware attack on Jan. 29 that affected the hospital’s central computer system. As a result, the walk-in outpatient laboratory was closed until Feb. 14.
These recent cyberattacks underscore the importance for clinical laboratory leaders to have plans and procedures already in place prior to a disruption in access to critical patient data.
Healthcare cyberattacks can be a “complete blindside for a lot of organizations that think they have protections in place because they bought a product or they developed a policy,” said Ben Denkers (above), Chief Innovation Officer at CynergisTek, an Austin, Texas-based cybersecurity company, in an exclusive interview with The Dark Report. Since clinical laboratory test results make up about 80% of a patient’s medical records, disruption of a hospital’s IT network can be life threatening. (Photo copyright: The Dark Report.)
Laboratory Staff Unable to View Digital Diagnostic Results at Tallahassee Memorial
Though the exact nature of the incident at Tallahassee Memorial HealthCare has not been divulged, hospital officials did report the incident to law enforcement, which suggests a cyberattack had occurred.
Electronic laboratory test results were among the casualties of the IT difficulties at TMH. “Staff have been unable to access digital patient records and lab results because of the shutdown,” a source told CNN.
Attempts by Dark Daily to reach a medical laboratory manager for comment at TMH were unsuccessful. However, in a news release posted online shortly after the cyberattack, the health system advised staff members on dealing with the IT outages.
“Patients and families may notice the switch to paper documentation during registration, admission, or during their care, as our providers will be using paper forms, prescription pads, handwritten notes, or other similar paper methods where they may usually use an electronic process,” the news release stated. “We apologize for any delays this may create. We practice for situations like this, and we are prepared to provide safe, high-quality care to our patients during computer system downtimes.”
Atlantic General Hospital Reports Ransomware Incident to the FBI
At Atlantic General Hospital, the outpatient walk-in laboratory and outpatient imaging department both temporarily closed because of the ransomware attack.
Staff members throughout the hospital were “forced to manually check patients in and out of appointments and record all other information by hand instead of online,” Ocean City Today reported.
The hospital immediately informed the FBI of the ransomware incident and continues to work with an incident response team to determine whether criminals accessed any sensitive data. It was not clear whether the organization ultimately paid a ransom to unlock its systems.
The hospital’s medical laboratory director did not respond to an email from Dark Daily seeking further comment.
Healthcare Cyberattacks Attempt to Gain Access to Data
Therefore, it is critical that clinical laboratory and hospital staff work with their IT counterparts to verify that technology and processes are in place to protect access to patient data.
In “Labs Must Audit Their Cybersecurity Measures,” Ben Denkers, who at that time was Chief Innovation Officer at CynergisTek, a cybersecurity firm based in Austin, Texas, told The Dark Report, “Testing, validating, and auditing whether measures are working as designed is a change of mentality for a lot of organizations.” (If you don’t subscribe to The Dark Report, try our free trial.)
An IT network attack is an attempt by a cybercriminal to gain unauthorized access to devices that contain and exchange data within an organization. Although this information may be on individual devices or on servers, network attacks are often only possible after a hacker enters a system through an endpoint, such as an individual’s email inbox.
“It’s important to understand that while the network server itself might have ultimately been the target, that doesn’t necessarily mean that it was compromised first,” Denkers told The Dark Report. “Phishing is a perfect example of a way an attacker could first gain access to a workstation, and then from there move laterally to a server.”
The final cost of a healthcare cyberattack often exceeds the ransom. Media coverage can lead to an organization’s diminished reputation within the community, and if protected health information (PHI) is accessed by the criminals, a hospital or health system may need to pay for identity theft monitoring for affected patients.
As part of the settlement, Banner Health paid a $1.25 million penalty and will carry out a corrective action plan to protect PHI in the future and resolve any alleged HIPAA violations, according to the HHS Office for Civil Rights.
This hefty penalty is a reminder to pathologists and clinical laboratory managers that—when it comes to cyberattacks—the classic adage “an ounce of prevention is worth a pound of cure” is appropriate advice.
Clinical labs should proactively investigate how a vendor will respond to a data security incident and how quickly, says expert
Clinical laboratory managers in New York and surrounding areas should be aware that almost one million protected health information (PHI) records from as many as 28 healthcare providers appear to have been stolen from a medical records company that services these providers.
Practice Resources LLC (PRL), a company that provides billing services for dozens of hospitals and medical providers in Central New York, announced in August they were the target of a ransomware attack that occurred on April 12 of this year. The Syracuse-based organization stated that hackers may have captured personally identifiable information (PII) such as names, home addresses, treatment dates, health plan numbers, and internal account numbers of 934,138 patients.
The data breach affected the patient records of dozens of medical providers and the clinical laboratories that service them, as well as physical therapists, pediatricians, gynecologists, orthopedic surgeons, and more.
“When a lab’s vendor has some type of breach, the lab entity that provided the compromised information could have some liability related to the breach,” explained Jim Giszczak, JD (above), McDonald Hopkins, in an interview with The Dark Report over a similar data breach in 2019. “That’s why every lab should be proactive and do a review to understand each vendor’s policies, procedures, training, and response in the event of a breach. Because your lab needs to know how a vendor will respond to a data security incident, and importantly, how quickly it will respond, it’s critical for lab officials to review the contracts they have with vendors that acquire, or have access to, PHI.” (Photo copyright: McDonald Hopkins.)
Not a Scam
“Unfortunately, it’s not a scam,” stated David Barletta, President and CEO of PRL, in an interview with local Syracuse news WSYR. “This really did happen in April—there was a ransomware attack on our system. We brought in forensic accountants and forensic information teams to come and look at what happened.”
PRL sent out more than 940,000 letters to potential victims of the cyberattack in August, noting that some patients may receive more than one letter.
The complete list of “healthcare entities on whose behalf Practice Resources LLC is providing notice of data incident,” according to PRL, includes:
Although their investigation did not uncover any evidence that personal data was misused, PRL has arranged credit monitoring services free of charge for one year from the date of enrollment. The company is also offering proactive fraud assistance to help people with any questions or in case they become a victim of fraud.
“There were no patient social security numbers that were taken. No medical record information was taken,” Barletta told WSYR. “We really, just out of an abundance of caution, felt that it was necessary that we provide them with credit monitoring for a year—just in case.”
Hundreds of Thousands of Patients Affected by Breach
When PRL discovered the data breach, the company took immediate steps to secure its systems and scrutinize the nature and extent of the incident. They then hired a forensic team to investigate what patient data may have been accessed by the hackers, a process that took several months.
“It does take a long time because each client has hundreds of thousands of patients maybe,” Barletta explained. “We have several large clients that really bore the brunt of this.”
According to Barletta, PRL bills about $450 million annually for its clients, which include some major institutions in Central New York. The New York state Attorney General’s office is investigating the hacking incident and delving into whether PRL’s data security was adequate.
As a result of the breach, FamilyCare Medical Group, which serves more than 80 physicians and thousands of patients, lost all of its laboratory data, according to the group’s CEO, Mitchell Brodey, MD. They had to close their lab for several months while their computer system was rebuilt. During this time, all their lab work was sent to another laboratory for analysis, MSN reported.
The PRL ransomware attack was what is commonly known as a third-party data breach. This type of breach occurs when sensitive data is stolen from a third-party vendor, or when their systems are used to access and steal sensitive information stored on other systems.
In the United States, the Federal Trade Commission (FTC) is responsible for enforcing federal privacy and data protection regulations. If a breach affects 500 or more individuals, the company must issue a press release and notify the FTC and all affected consumers within 60 days of the discovery of the breach.
Clinical Labs Should Proactively Review Member Agreements
In 2019, our sister publication The Dark Report covered a major data breach affecting more than 20 million patients. That breach occurred when hackers gained access to the data systems of a third-party bill collector and impacted four of the nation’s largest clinical laboratories:
At that time, The Dark Report asked James Giszczak, JD, Chair of the Litigation Department and Co-Chair of the Data Privacy and Cybersecurity Practice Group at McDonald Hopkins, to provide insight on what steps clinical laboratory leaders should take to avoid and handle data breaches.
“One important lesson from this data breach is how critical it is for clinical labs and pathology groups to be proactive in making sure they review their vendor agreements,” Giszczak stated. “In that review, labs need to know the specific measures each vendor is taking to protect the information the lab is providing to their vendors.”
Giszczak suggested that clinical laboratory leaders make sure they understand each vendor’s policies, procedures, training, and response in the event of a data breach. He reiterated that labs could have some liability related to the breach.
Across the nation, healthcare attorneys and others report that ransomware attacks are happening weekly, and that once providers’ data systems are encrypted, they have few options to regain control of their information systems
Ransomware is now the single biggest threat to your hospital, clinical laboratory, and anatomic pathology group’s ability to operate a viable business. Few practice administrators and managers are fully aware of this threat. And yet, many still have not taken even basic steps to protect their organizations from ransomware attacks.
Encryption attacks that shut down a hospital or lab’s information services come without warning, rendering the provider unable to access electronic healthcare records (EHRs), to schedule appointments, or conduct most other normal business activities.
Further, negotiating with the ransomware attackers to obtain a de-encryption key can take weeks. During that time, the hospital or lab cannot access its essential information systems and that disrupts or even stops patient care.
Think this cannot happen to your hospital or lab? Think again.
Just this spring, Scripps Health of San Diego was hit with a ransomware attack. Key information systems were encrypted, and it did not take patients long to notice that they could not email their physicians, access their medical records, or see their test results.
The ransomware attack became the headline story on the San Diego nightly news. Scripps would only admit that many essential information systems had been encrypted and that the organization was using paper to conduct business.
The ransomware attack on Colonial Pipeline of Houston, which took place one week after the Scripps Health attack, also became global news. Colonial Pipeline supplies gasoline and similar fuels to 14 states—from Georgia in the South to New York and New Jersey in the North. Dark Daily readers living along the Atlantic Coast personally experienced the shortage of gasoline in their communities because of the ransomware attack on Colonial Pipeline.
No Ransom Payment, No De-encryption Key
Ransomware is probably the single biggest threat to every hospital and every clinical lab in this country. But few healthcare organizations are taking the essential steps needed to make their information systems more resistant to an encryption attack. Even fewer hospitals and labs have policies or procedures in place that outline how management should react when an encryption attack is first discovered. Yet these attacks are hitting medical providers every week across the US.
Dark Daily surveyed several major law firms that have sizeable healthcare practices. Each firm stated it is contacted weekly by one or more hospitals, labs, and medical clinics that have had their digital systems encrypted, followed by a demand for ransom. The healthcare providers were told by the hackers that if they did not pay the ransom, they would not receive the de-encryption key required to bring their software, apps, and digital systems back into service.
“This is the biggest story in healthcare, yet it gets little attention,” stated Robert L. Michel, Editor-in-Chief of Dark Daily’s sister publication The Dark Report. “The reason why you don’t read more news stories about ransomware attacks on hospitals and labs is simple. If it becomes known that a hospital or a lab paid ransom to obtain the de-encryption key needed to restore access to its information systems, that encourages other hackers to attack the organization as well, since the hackers know the organization will pay the ransom. They figure if the provider paid the ransom once, the same provider will likely pay it again.”
Payment of Ransom Does Not Guarantee Restoration of Critical Systems
As bad as a ransomware attack on a hospital, lab, or a medical clinic can be—it can get worse. “Experts involved in helping hospitals and labs respond to a ransomware attack say there is no guarantee the de-encryption key provided by the hackers after payment of ransom will restore access to the encrypted systems,” Michel noted. “We hear reports of hospitals and labs that spent more on their efforts to bring the encrypted systems back online and functioning than they did on the actual ransom.”
This is a must-attend webinar—not only for you—but for everyone in your hospital, health system, or clinical laboratory who will be working to prevent ransomware attacks, or who is involved in restoring digital services following such an attack.
Two experts who are contacted each week by multiple hospitals, labs, and medical clinics that were attacked, had their digital systems encrypted, and received a ransom demand for hundreds of thousands—even millions—of dollars from hackers, will be sharing their knowledge and experience in the legal implications of—and the recovery from—ransomware attacks.
Johnson and Caron will cover best practices designed to provide crucial training and decision-making skills for handling a ransomware attack on hospital and health system clinical laboratories and anatomic pathology practices. These best practices include:
Legal issues triggered by a ransomware attack: What to do when an incident is a breach and when it is not.
Your obligations in response to a ransomware attack: HIPAA privacy and other regulatory rules, contractual arrangements (e.g., reference labs), and crisis communication to patients and other stakeholders.
Responding to and negotiating with ransomware perpetrators—including the expected “etiquette” in dealing with cybercriminals—and collaborating with consultants who are experienced in how to deal with ransomware demands.
And much more.
The roundtable discussion will help you understand how a security incident can occur with or without a breach of protected health information (PHI). Johnson and Caron also will discuss how knowing what to do in each scenario is essential to reducing collateral damage to both patients and your organization, and how to educate your hospital, lab and the broader medical community to address—both proactively and in response—the surging risk of ransomware attacks.
And because so many healthcare administrators, physicians, and pathologists are working remotely, Dark Daily has arranged special group rates for hospitals, practices, and physicians that would like their essential leaders to participate in this important webinar and roundtable discussion on protecting against—and recovering from—ransomware attacks.
Inquire at firstname.lastname@example.org or call 512-264-7103.
Therefore, it is crucial clinical laboratories and pathology groups have a cybersecurity strategy in place for dealing with ransomware attacks. Running security drills may need to be part of that strategy. Managers and employees should undergo specific training and vendors must be vetted carefully. Without such a strategy, the question is not if an attack will happen, but rather when an attack will succeed.
“They’re getting better, they’re getting more frequent, particularly during the pandemic where we’ve opened up more connectivity to allow more remote work,” he added.
The Scripps Health attack is notable for several reasons, with one being the length of the outage it caused. The attack was first detected on May 1 of this year. It took four weeks before Scripps could restore most of its network and get its Epic EHR back online, Health IT Security reported.
However, the ransomware attack on Universal Health Services (NYSE:UHS) may be the biggest attack so far. It took place on September 27, 2020, and caused a three-week outage. The company told The San Diego Tribune the incident had a $67 million impact on operations.
According to HIPAA Journal, “The phone system was taken out of action, and without access to computers and electronic health records, employees had to resort to pen and paper to record patient information. In the early hours after the attack occurred, the health system diverted ambulances to alternative facilities and some elective procedures were either postponed or diverted to competitors. Patients reported delays receiving test results while UHS recovered from the attack.”
At Utah Pathology Services, an employee e-mail hack resulted in the potential exposure of patient data. The malicious actors attempted to divert funds intended for a physician but failed to do so. However, the information of 112,000 patients was accessible to the hacker during the attempt.
“The compromised data varied by patient but could include names, contact information, insurance details such as ID and group numbers, medical and health information like internal records numbers and clinical and diagnostic information, and some Social Security numbers,” Health IT Security reported.
Value of Patient Data on the Dark Web is Increasing
In the case of the Utah Pathology Services attack, the hackers were specifically after money. However, according to cybersecurity company SecureLink, patient records are “the new prize” for hackers. Healthcare data carries a value of its own on the digital black market. In fact, healthcare data is more valuable than credit card or banking data.
“Healthcare data is valuable on the black market because it often contains all of an individual’s personally identifiable information, as opposed to a single marker that may be found in a financial breach,” SecureLink wrote in a blog post.
A 2018 Trustwave Global Security Report estimated that a healthcare record is worth about $250. Trustwave, however, estimated the value of a banking record at less than $5. That strongly suggests health records are increasing in value.
And even after a healthcare entity has regained control of its IT infrastructure, the hacker still has possession of the stolen patient information. It may take weeks or years for the hacker to sell that information, meaning the breach represents a continuing threat to the healthcare organization and its patients.
Clinical Laboratories Must Prepare for an Attack
Simply understanding the threat is not enough. Clinical laboratory and pathology group managers must have robust plans in place for both protecting patient information and for dealing with a security breach should one occur.
According to a Health IT Security report, “The ransomware attack that struck all 400 UHS care sites and caused three weeks of EHR downtime in September, cost the health system $67 million in recovery costs and lost revenue.”
The report added, “Security researchers have long-recommended the need for providers to shift into a proactive security model, like zero trust. Recent reports show successful cyberattacks on healthcare providers doubled in the last year, with at least 560 providers falling victim to ransomware.”
To deal with the ransomware attacks, we wrote, “CISA, FBI, and HHS advise against paying ransoms. ‘Payment does not guarantee files will be recovered,’ the advisory states. ‘It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.’ The federal agencies advise organizations to take preventive measures and adopt plans for coping with attacks.
“The advisory suggests:
Training programs for employees, including raising awareness about ransomware and phishing scams. Organizations should ‘ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.’
Regular backups of data and software. These should be ‘maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups.’ Personnel should also test the backups.
Continuity plans in case information systems are not accessible. For example, organizations should maintain ‘hard copies of digital information that would be required for critical patient healthcare.’”
Given the enormous amounts of money hackers can earn from selling protected health information on the Dark Web, it is a near certainty these attacks will continue. Clinical laboratory and anatomic pathology group managers would be well advised to plan for the inevitability that their health system will be targeted.
Since Alexa is now programed to be compliant with HIPAA privacy rules, it’s likely similar voice assistance technologies will soon become available in US healthcare as well
Shortages of physicians and other types of caregivers—including
laboratory workers—in the United Kingdom (UK) has the UK’s National Health Service (NHS) seeking alternate
ways to get patients needed health and medical information. This has prompted a
partnership with Amazon to use the Alexa virtual assistant to
answer patients healthcare inquiries.
Here in the United States, pathologists and clinical
laboratory executives should take the time to understand this development.
The fact that the NHS is willing to use a device like Alexa to help it maintain
access to services expected by patients in the United Kingdom shows how rapidly
the concept of “virtual clinical care” is moving to become mainstream.
If the NHS can make it work in a health system serving 66-million
people, it can be expected that health insurers, hospitals, and physicians in
the United States will follow that example and deploy similar virtual health
services to their patients.
For these reasons, all clinical laboratories and anatomic
pathology groups will want to develop a strategy as to how their
organizations will interact with virtual health services and how their labs
will want to deploy similar virtual patient information services.
Critical Shortages in Healthcare Services
While virtual assistants have
been answering commonly-asked health questions by mining popular responses on
the Internet for some time, this new agreement allows Alexa to provide
government-endorsed medical advice drawn from the NHS website.
By doing this, the NHS hopes to reduce the burden on
healthcare workers by making it easier for UK patients to access health
information and receive answers to commonly-asked health questions directly from
their homes, GeekWire
“The public needs to be able to get reliable information
about their health easily and in ways they actually use. By working closely
with Amazon and other tech companies, big and small, we can ensure that the
millions of users looking for health information every day can get simple,
validated advice at the touch of a button or voice command,” Matthew Gould, CEO of NHSX, a division of the NHS that focuses
on digital initiatives, told GeekWire.
Verge reported that when the British government officially announced
the partnership in a July press
release, the sample questions that Alexa could answer included:
Alexa, how do I treat a migraine?
Alexa, what are the symptoms of the flu?
Alexa, what are the symptoms of chickenpox?
“We want to empower every patient to take better control of
their healthcare and technology like this is a great example of how people can
access reliable, world-leading NHS advice from the comfort of their home,
reducing the pressure on our hardworking GPs (General Practitioners) and
pharmacists,” said Matt
Hancock, Secretary of State for Health and Social Care, in the press release.
Connect notes that the NHS provides healthcare services free of charge to
more than 66-million individuals residing in the UK. With 1.2 million
employees, the NHS is the largest employer in Europe, according to The
Economist. That article also stated that the biggest problem facing the
NHS is a staff shortage, citing research conducted by three independent
Their findings indicate “that NHS hospitals, mental-health
providers, and community services have 100,000 vacancies, and that there are
another 110,000 gaps in adult social care. If things stay on their current
trajectory, the think-tanks predict that there will be 250,000 NHS vacancies in
a decade,” The Economist reported.
“However,” she continued, “it is vital that independent
research is done to ensure that the advice given is safe, otherwise it could
prevent people seeking proper medical help and create even more pressure on our
overstretched GP service.”
Amazon has assured consumers that all data obtained by Alexa
through the NHS partnership will be encrypted to ensure privacy and security,
MD Connect notes. Amazon also promised that the personal information will not
be shared or sold to third parties.
Alexa Now HIPAA Compliant in the US
This new agreement with the UK follows the announcement in April
of a new Alexa
Skills Kit that “enables select Covered Entities and their Business
Associates, subject to the US Health
Insurance Portability and Accountability Act of 1996 (HIPAA), to build
Alexa skills that transmit and receive protected
health information (PHI) as part of an invite-only program. Six new Alexa
healthcare skills from industry-leading healthcare providers, payors, pharmacy
benefit managers, and digital health coaching companies are now operating in
our HIPAA-eligible environment.”
Developers of voice assistance technologies can freely use
these Alexa skills, which are “designed to help customers manage a variety of
healthcare needs at home simply using voice—whether it’s booking a medical
appointment, accessing hospital post-discharge instructions, checking on the
status of a prescription delivery, and more,” an Amazon
Developer Alexa blog states.
The blog lists the HIPAA-compliant Alexa skills as:
Scripts: Members can check the status of a home delivery prescription and can
request Alexa notifications when their prescription orders are shipped.
Health Today by Cigna (NYSE:CI): Eligible employees with one of Cigna’s
large national accounts can now manage their health improvement goals and
increase opportunities for earning personalized wellness incentives.
Health, a healthcare system with more than 40 hospitals and 900 care
locations throughout North and South Carolina and Georgia: Customers in North
and South Carolina can find an urgent care location near them and schedule a
a digital health company that creates new and different experiences for people
with chronic conditions: Members can query their last blood sugar reading,
blood sugar measurement trends, and receive insights and Health Nudges that are
personalized to them.
HIPAA Journal notes: “This is not the first time that Alexa skills have been developed, but a stumbling block has been the requirements of HIPAA Privacy Rules, which limit the use of voice technology with protected health information. Now, thanks to HIPAA compliant data transfers, the voice assistant can be used by a select group of healthcare organizations to communicate PHI without violating the HIPAA Privacy Rule.”
Steady increases associated with the costs of medical care
combined with a shortage of healthcare professionals on both continents are
driving trends that motivate government health programs and providers to
experiment with non-traditional ways to interact with patients.
New digital and Artificial
Intelligence (AI) tools like Alexa may continue to emerge as methods for
providing care—including clinical laboratory and pathology advice—to healthcare