Across the nation, healthcare attorneys and others report that ransomware attacks are happening weekly, and that once providers’ data systems are encrypted, they have few options to regain control of their information systems
Ransomware is now the single biggest threat to your hospital, clinical laboratory, and anatomic pathology group’s ability to operate a viable business. Few practice administrators and managers are fully aware of this threat. And yet, many still have not taken even basic steps to protect their organizations from ransomware attacks.
Encryption attacks that shut down a hospital or lab’s information services come without warning, rendering the provider unable to access electronic healthcare records (EHRs), to schedule appointments, or conduct most other normal business activities.
Further, negotiating with the ransomware attackers to obtain a de-encryption key can take weeks. During that time, the hospital or lab cannot access its essential information systems and that disrupts or even stops patient care.
Think this cannot happen to your hospital or lab? Think again.
Just this spring, Scripps Health of San Diego was hit with a ransomware attack. Key information systems were encrypted, and it did not take patients long to notice that they could not email their physicians, access their medical records, or see their test results.
The ransomware attack became the headline story on the San Diego nightly news. Scripps would only admit that many essential information systems had been encrypted and that the organization was using paper to conduct business.
The ransomware attack on Colonial Pipeline of Houston, which took place one week after the Scripps Health attack, also became global news. Colonial Pipeline supplies gasoline and similar fuels to 14 states—from Georgia in the South to New York and New Jersey in the North. Dark Daily readers living along the Atlantic Coast personally experienced the shortage of gasoline in their communities because of the ransomware attack on Colonial Pipeline.
No Ransom Payment, No De-encryption Key
Ransomware is probably the single biggest threat to every hospital and every clinical lab in this country. But few healthcare organizations are taking the essential steps needed to make their information systems more resistant to an encryption attack. Even fewer hospitals and labs have policies or procedures in place that outline how management should react when an encryption attack is first discovered. Yet these attacks are hitting medical providers every week across the US.
Dark Daily surveyed several major law firms that have sizeable healthcare practices. Each firm stated it is contacted weekly by one or more hospitals, labs, and medical clinics that have had their digital systems encrypted, followed by a demand for ransom. The healthcare providers were told by the hackers that if they did not pay the ransom, they would not receive the de-encryption key required to bring their software, apps, and digital systems back into service.
“This is the biggest story in healthcare, yet it gets little attention,” stated Robert L. Michel, Editor-in-Chief of Dark Daily’s sister publication The Dark Report. “The reason why you don’t read more news stories about ransomware attacks on hospitals and labs is simple. If it becomes known that a hospital or a lab paid ransom to obtain the de-encryption key needed to restore access to its information systems, that encourages other hackers to attack the organization as well, since the hackers know the organization will pay the ransom. They figure if the provider paid the ransom once, the same provider will likely pay it again.”
Payment of Ransom Does Not Guarantee Restoration of Critical Systems
As bad as a ransomware attack on a hospital, lab, or a medical clinic can be—it can get worse. “Experts involved in helping hospitals and labs respond to a ransomware attack say there is no guarantee the de-encryption key provided by the hackers after payment of ransom will restore access to the encrypted systems,” Michel noted. “We hear reports of hospitals and labs that spent more on their efforts to bring the encrypted systems back online and functioning than they did on the actual ransom.”
This is a must-attend webinar—not only for you—but for everyone in your hospital, health system, or clinical laboratory who will be working to prevent ransomware attacks, or who is involved in restoring digital services following such an attack.
Two experts who are contacted each week by multiple hospitals, labs, and medical clinics that were attacked, had their digital systems encrypted, and received a ransom demand for hundreds of thousands—even millions—of dollars from hackers, will be sharing their knowledge and experience in the legal implications of—and the recovery from—ransomware attacks.
Johnson and Caron will cover best practices designed to provide crucial training and decision-making skills for handling a ransomware attack on hospital and health system clinical laboratories and anatomic pathology practices. These best practices include:
Legal issues triggered by a ransomware attack: What to do when an incident is a breach and when it is not.
Your obligations in response to a ransomware attack: HIPAA privacy and other regulatory rules, contractual arrangements (e.g., reference labs), and crisis communication to patients and other stakeholders.
Responding to and negotiating with ransomware perpetrators—including the expected “etiquette” in dealing with cybercriminals—and collaborating with consultants who are experienced in how to deal with ransomware demands.
And much more.
The roundtable discussion will help you understand how a security incident can occur with or without a breach of protected health information (PHI). Johnson and Caron also will discuss how knowing what to do in each scenario is essential to reducing collateral damage to both patients and your organization, and how to educate your hospital, lab and the broader medical community to address—both proactively and in response—the surging risk of ransomware attacks.
And because so many healthcare administrators, physicians, and pathologists are working remotely, Dark Daily has arranged special group rates for hospitals, practices, and physicians that would like their essential leaders to participate in this important webinar and roundtable discussion on protecting against—and recovering from—ransomware attacks.
Inquire at info@darkreport.com or call 512-264-7103.
Recent attacks illustrate how costly a security breach can be and why clinical laboratories and pathology groups must work to protect their information systems from ransomware attacks
Therefore, it is crucial clinical laboratories and pathology groups have a cybersecurity strategy in place for dealing with ransomware attacks. Running security drills may need to be part of that strategy. Managers and employees should undergo specific training and vendors must be vetted carefully. Without such a strategy, the question is not if an attack will happen, but rather when an attack will succeed.
Ransomware Attackers are Getting Better
“Ransomware is increasing in sophistication; it’s increasing in prevalence. The purveyors of ransomware are generally reinvesting the fees that they collect from the entities they extort to acquire more capabilities,” Beau Woods, Senior Advisor at the federal Cybersecurity and Infrastructure Security Agency (CISA), told The San Diego Tribune.
“They’re getting better, they’re getting more frequent, particularly during the pandemic where we’ve opened up more connectivity to allow more remote work,” he added.
The Scripps Health attack is notable for several reasons, with one being the length of the outage it caused. The attack was first detected on May 1 of this year. It took four weeks before Scripps could restore most of its network and get its Epic EHR back online, Health IT Security reported.
However, the ransomware attack on Universal Health Services (NYSE:UHS) may be the biggest attack so far. It took place on September 27, 2020, and caused a three-week outage. The company told The San Diego Tribune the incident had a $67 million impact on operations.
According to HIPAA Journal, “The phone system was taken out of action, and without access to computers and electronic health records, employees had to resort to pen and paper to record patient information. In the early hours after the attack occurred, the health system diverted ambulances to alternative facilities and some elective procedures were either postponed or diverted to competitors. Patients reported delays receiving test results while UHS recovered from the attack.”
At Utah Pathology Services, an employee e-mail hack resulted in the potential exposure of patient data. The malicious actors attempted to divert funds intended for a physician but failed to do so. However, the information of 112,000 patients was accessible to the hacker during the attempt.
“The compromised data varied by patient but could include names, contact information, insurance details such as ID and group numbers, medical and health information like internal records numbers and clinical and diagnostic information, and some Social Security numbers,” Health IT Security reported.
“We are seeing adversaries that are targeting our pharmaceutical companies, pharmaceutical research, laboratory companies, testing and really even out into the future manufacturing of the vaccine systems,” Bryan S. Ware (above left) Assistant Director for Cybersecurity for the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) told CyberScoop. CISA Director Christopher Krebs (above right) added, “At the onset of the COVID-19 pandemic, we recognized just how vital the healthcare sector was to the response and we established Project Taken to bring to bear the government’s particular set of skills to protect those organizations.” (Photo copyrights: CyberScoop/Business Insider.)
Value of Patient Data on the Dark Web is Increasing
In the case of the Utah Pathology Services attack, the hackers were specifically after money. However, according to cybersecurity company SecureLink, patient records are “the new prize” for hackers. Healthcare data carries a value of its own on the digital black market. In fact, healthcare data is more valuable than credit card or banking data.
“Healthcare data is valuable on the black market because it often contains all of an individual’s personally identifiable information, as opposed to a single marker that may be found in a financial breach,” SecureLink wrote in a blog post.
A 2018 Trustwave Global Security Report estimated that a healthcare record is worth about $250. Trustwave, however, estimated the value of a banking record at less than $5. That strongly suggests health records are increasing in value.
And even after a healthcare entity has regained control of its IT infrastructure, the hacker still has possession of the stolen patient information. It may take weeks or years for the hacker to sell that information, meaning the breach represents a continuing threat to the healthcare organization and its patients.
Clinical Laboratories Must Prepare for an Attack
Simply understanding the threat is not enough. Clinical laboratory and pathology group managers must have robust plans in place for both protecting patient information and for dealing with a security breach should one occur.
According to a Health IT Security report, “The ransomware attack that struck all 400 UHS care sites and caused three weeks of EHR downtime in September, cost the health system $67 million in recovery costs and lost revenue.”
The report added, “Security researchers have long-recommended the need for providers to shift into a proactive security model, like zero trust. Recent reports show successful cyberattacks on healthcare providers doubled in the last year, with at least 560 providers falling victim to ransomware.”
To deal with the ransomware attacks, we wrote, “CISA, FBI, and HHS advise against paying ransoms. ‘Payment does not guarantee files will be recovered,’ the advisory states. ‘It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.’ The federal agencies advise organizations to take preventive measures and adopt plans for coping with attacks.
“The advisory suggests:
Training programs for employees, including raising awareness about ransomware and phishing scams. Organizations should ‘ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.’
Regular backups of data and software. These should be ‘maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups.’ Personnel should also test the backups.
Continuity plans in case information systems are not accessible. For example, organizations should maintain ‘hard copies of digital information that would be required for critical patient healthcare.’”
Given the enormous amounts of money hackers can earn from selling protected health information on the Dark Web, it is a near certainty these attacks will continue. Clinical laboratory and anatomic pathology group managers would be well advised to plan for the inevitability that their health system will be targeted.
This price includes all costs except overhead, but without a high volume of customers, Illumina’s $10-million price for the HiSeq X Ten machine may not be a wise investment
Competition continues to be fierce in the race to the $1,000 whole human genome. Most recently, Illumina announced the availability of its latest gene sequencing system, along with the claim that it can deliver a whole human genome at a cost of just $1,000. But, as most pathologists know, the devil is in the details, since not every Illumina customer is likely to achieve that price point.
When Illumina, a San Diego-based technology company, announced its new HiSeq X Ten genetic-sequencing machine in December, 2013, Illumina CEO Jay T. Flatley claimed the company’s system can deliver “full-coverage human genome sequences for less than $1,000,” down from $500 million 10 years ago. The new system is expected to ship in the first quarter of 2014.
Experts are excited about the swift development of wireless remote monitoring of patients; companies expected to develop sensors that incorporate a wide range of biomarkers
Some experts predict that the era of wireless, remote monitoring of patients is almost upon us. It will require pathologists and medical laboratory professionals to learn a new acronym: MBAN, which stands for medical body area network.
There is keen interest in remote wireless monitoring systems. The concept is to free patients from the hospital bed and allow continuous remote monitoring, regardless of where the patient is located. For this reason, in just a few years and in many local markets, opportunities are likely to be ripe for pathologists and clinical laboratory teams to have a role in managing wireless medical devices that use MBANs. (more…)
Market indicators support predictions of tougher financial times ahead for hospital-based clinical laboratories and pathology groups
New statistics for 2013 on employment in the healthcare and hospital sectors show the lowest rates of growth since 1990. This is a signal to pathologists and clinical laboratory executives that much belt-tightening is taking place by all types of providers.
For 2013, the healthcare sector added just 271,000 jobs. This was 2% less than the annual average since 1990, noted a recent report in Modern Healthcare. (more…)
