All Labs Are Threatened by Ransomware Attacks

Attorneys, consultants warn labs that attacks are happening weekly and increasing in number

This is an excerpt of a 1,652-word article in the September 7, 2021 issue of  THE DARK REPORT (TDR). The full article is available to members of The Dark Intelligence Group.

CEO SUMMARY: Cybercrime—in the form of encryption attacks followed by ransom demands—is now a threat to every clinical laboratory and anatomic pathology group in the United States. Experts recommend that all labs elevate the attention they pay to their incident response teams tasked with defending their organizations’ information systems and databases. They also advise labs to harden their defenses against ransomware attacks that become ever more sophisticated and successful.

EVIDENCE CONTINUES TO ACCUMULATE THAT ENCRYPTION ATTACKS AND RANSOM DEMANDS are major threats to all healthcare providers, including clinical labs and pathology groups. Yet many labs either have not recognized this threat or they’ve not taken steps to harden their defenses against such attacks. 

Lack of attention by owners and managers of clinical labs and pathology groups is due to the fact that the majority of ransomware attacks never become known to the public. A victim of an encryption attack and/or a ransom demand has a sensible reason to keep this news from becoming known to the public.

That’s because public news that a company or healthcare organization was encrypted and paid a ransom to obtain a de-encryption key encourages other hackers to target that company on the theory that if it paid ransom once, it will pay ransom a second time. 

For this reason, a large proportion of the ransomware attacks experienced by hospitals, clinical lab organizations, and other healthcare providers are kept secret. It is why the attacks happening weekly throughout the United States often are a surprise to the victimized organization’s management team. (See TDR, “Ransomware Attackers Target Health Providers,” May 24, 2021.)

These and more valuable insights were shared during a recent webinar produced by The Dark Report, titled, “Ransomware Protection & Response for Clinical Labs, Hospitals, and Pathology Groups: Effective Steps for Protecting Your LIS, EHR, and Other IT from an Encryption Attack.” The webinar recording is available for on-demand viewing. 

In simple terms, a ransomware attack locks some or all of the victim’s information systems and databases and prevents access by the victim. All workflow in the laboratory or pathology group that depends on access to operating software stops. Databases cannot be accessed. 

Use of Paper Forms

In cases where the ransomware attack is reported by local news outlets, journalists often describe how physicians and staff attempt to continue operations manually and with the use of paper forms. 

The most successful ransomware attacks also succeed in locking access to back-up systems and even cloud-based data storage. This risk from a ransomware attack should be recognized by clinical laboratory managers and pathology practice administrators. 

Once files have been encrypted, systems and files cannot be decrypted without a mathematical key known only by the attacker. Victims receive a message that notifies them that their files are now inaccessible and will only be decrypted if the victim sends an untraceable Bitcoin or other cryptocurrency payment to the attacker.

Disruption of Patient Services

The disruption to a lab’s regular operations can be substantial following a ransomware attack that encrypts some or all information systems, including databases. This is particularly true because labs typically serve hundreds of physicians and thousands of patients every day. A lab’s clients notice almost immediately that something is wrong because they are unable to access patient results or use email, customer service portals, and appointment programs. 

Upon discovery of an attack, experts recommend that the clinical lab, pathology group, hospital, or other provider engage three types of consultants. First is a law firm to provide guidance on the provider’s obligations under state and federal laws. This includes addressing a possible breach of protected health information (PHI). 

In these instances, the lab’s response becomes more comprehensive and complicated. If the breach involved data on a large number of patients, the lab is obligated to report the breach to the federal government, notify patients affected by the breach and offer them help in securing their data, and alert the news media about the PHI breach with a press release or similar notice. 

Cybersecurity Consultants

Second is to engage a consulting firm with expertise in cybersecurity and information systems. These consultants have experience in dealing with encryption attacks, use of the de-encryption keys provided by the attackers after a ransom is paid, and knowledge of how to bring all software, databases, and information systems back to full function. This is particularly important in attacks where the de-encryption key fails to restore access to all systems or where the provider decided to not pay ransom and must restore the operating systems on its own. 

The third type of expert is skilled in negotiating with the hackers who launched the encryption attack and are now demanding ransom in exchange for the de-encryption key. In discussions with victims of these ransomware attacks, The Dark Report has learned that there are unspoken rules of negotiation that must be followed. 

For example, the organization’s negotiators know how frequently the hackers will email or telephone. They understand the consequences should the organization not communicate with the hackers. If the victimized laboratory doesn’t respond to the satisfaction of the hackers, they may decide to go silent. That leaves the victimized lab or pathology group with encrypted systems that it must resolve on its own. 

But there is another side to the negotiations. In conversations with TDR, ransomware victims described how, over a few days or several weeks, they were able to negotiate a ransom payment that was 50% or 25% less than the original amount demanded. Following payment of the ransom in the form of Bitcoins or other cryptocurrency, they received a de-encryption key and were successful in regaining functionality to most of their information systems and databases. 

Is your lab preparing to defend itself against a ransomware attack? Please share your experiences with us in the comments below.