Ransomware Attacks Target Vulnerable Healthcare Providers

Currently, Scripps Health is in the news as it battles a ransomware attack that struck on May 1

This is an excerpt of a 1,923-word article in the May 24, 2021 issue of  THE DARK REPORT (TDR). The full article is available to members of The Dark Intelligence Group.

CEO SUMMARY: Both malware and ransomware have been around for a number of years. But the attacks launched today against healthcare providers are more sophisticated and better at achieving the total shutdown of targeted hospitals, doctor groups, and clinical laboratories. For this reason, clinical labs and pathology groups should put ransomware attacks high on their list of threats. They should also regularly assess and upgrade their defenses against both malware and ransomware.

IF YOU ARE NOT FAMILIAR WITH THE TERM “RANSOMWARE,” you soon will be. Ransomware is poised to become the single biggest threat to your clinical laboratory, parent hospital, or anatomic pathology group. 

Ransomware is defined by Oxford Languages as “a type of malicious software designed to block access to a computer system until a sum of money is paid.” 

Ransomware and Malware

As a concept, ransomware is simple: hackers find a way into your organization’s digital systems. They insert malware (another term you will want to understand better) which encrypts your lab’s data files and computer systems. From that moment forward, there is a shutdown of all or most digital systems and it becomes impossible to access the company’s data files. 

This happens suddenly and without warning. Once the malware is implanted, the files cannot be decrypted without a mathematical key known only by the ransomware attacker. The hackers will send a message to your lab’s IT team announcing the attack and that your lab’s data systems and files are locked and inaccessible. The only way your lab can decrypt the files and gain access to the systems is for you to transmit an untraceable Bitcoin payment to the ransomware attacker.

The latest major health system to be attacked by malware is Scripps Health in San Diego. On May 1, the ransomware attackers successfully encrypted the files and locked Scripps out of certain essential information systems. The situation became news in the following days, primarily because patients complained that they could not access their digital health records, make appointments, or send emails to their physicians. 

Administrators at Scripps said little about the situation. On May 10—days later—it issued a public statement. That document acknowledged the attack, stating, in part, “As you know, on May 1st Scripps was hit with a cybersecurity incident with malware placed on our information system. Our team prepares for this type of situation and immediately took steps to contain the malware by taking a significant portion of our network offline.” 

Scripps scrambled to establish procedures to keep emergency departments and other clinical services operating. In some cases, this included use of paper forms. 

Within the San Diego medical community, this ransomware attack has disrupted normal care. Scripps Health operates five hospitals and 19 outpatient facilities. It has 2,600 affiliated physicians and treats about 500,000 patients annually.

Restoring Digital Systems

As of May 20, Scripps Health announced that its scripps.org website was again up and running. However, local news sources said the system’s “My Scripps” digital portal, which patients use to make appointments and communicate with their doctors, “was still returning an error message as of the early afternoon.”

On May 21, reporter Lisa Morgan of Cyber Security Hub wrote, “high-risk patients such as heart attack, stroke, and trauma patients have been funneled from Scripps Memorial Hospital La Jolla to other hospitals nearby. Some patients are complaining that they are having trouble making appointments with other doctors and that Scripps is not referring patients to other doctors.” 

Similar to the Scripps Health attack, another ransomware attack with national ramifications happened on May 7. 

Colonial Pipeline Hacked

As reported by the national news media, the 5,500-mile petroleum pipeline operated by Colonial Pipeline was shut down after hackers encrypted the company’s data systems and sent a ransom demand to the company. 

This pipeline delivers 45% of all the gasoline, aviation fuel, and other products—about 100 million gallons per day—from refineries in Houston to states on the East Coast. As of last Wednesday, 9,500 gas stations were out of fuel in the 13 states and Washington, D.C., served by the pipeline. 

After days of refusing comment on whether it was paying a ransom to obtain the decryption keys needed to access its data systems, Colonial Pipeline CEO Joseph Blount confirmed that his company did pay ransom. 

The Guardian wrote, “Blount said Colonial paid the ransom in consultation with experts who previously dealt with the group behind the attacks, DarkSide, which rents out its ransomware to partners to carry out the actual attacks.

“Multiple sources had confirmed to the Associated Press that Colonial Pipeline had paid the criminals who committed the cyberattack a ransom of nearly $5M in cryptocurrency for the software decryption key required to unscramble their data network,” The Guardian continued.

Cryptocurrency Payment 

“A ransom payment of 75 Bitcoin was paid the day after the criminals locked up Colonial’s corporate network, according to Tom Robinson, co-founder of the cryptocurrency-tracking firm Elliptic,” The Guardian said. 

The Dark Report is providing details on the Scripps Health and Colonial Pipeline ransomware attacks because each contains elements common to most ransomware attacks. Understanding how these ransomware attacks are conducted is essential if clinical laboratory administrators and pathologists are to work with their chief information officers, attorneys, and outside experts to harden their labs’ defenses against attackers using ransomware or malware. 

During interviews, executives at companies who were victims of ransomware attacks, and several lab industry attorneys who have worked with client labs similarly attacked with ransomware, described the common processes used by the hackers. 

Once the target company’s files and software systems have been encrypted, the hackers send an email describing their attack and demanding some amount of ransom. The email also states that if the target company refuses to pay the ransom, the hackers will use the stolen data—particularly data involving patients and customers—in ways that will harm the company and its reputation. 

Third-Party Negotiators

Upon discovery of the shutdown of their data systems, most organizations will bring in their attorneys and retain consultants in cybersecurity and negotiations. The third-party negotiators handle communications with the hackers and understand the unspoken rules of negotiation. 

For example, the organization’s negotiators know how frequently the hackers will email or telephone. They understand the consequences should the organization not communicate with the hackers at expected points in time. 

It is important for lab executives and pathologists to understand that negotiations do happen and are part of the ransomware attack. One example was shared with The Dark Report by a business owner who was dealing with such an attack. 

He explained that—not only did the attack encrypt every data function and software app used by his company—but the malware attack successfully encrypted all the company’s back-up systems as well, including off-site and cloud-based backups. He said every data system in this $30 million company was encrypted, manufacturing stopped, and staff had no access to information when customers called seeking information. 

Routine of Daily Calls

The company retained a negotiating consultancy firm. Each morning, the hackers called at a specific time. The owners were told that if they did not respond in a timely way, the hackers would simply walk away, leaving the company to solve the problem on its own. 

The original ransom demand was for $500,000. Over 10 days, the third-party negotiators were able to reduce that down to about $240,000. The owners agreed to pay that amount in Bitcoin. 

After the payment was made, a de-encryption key was received. However, according to this source, that key only unlocked certain software systems and databases. A substantial amount of the company’s software products and databases remained encrypted.

Further negotiations to obtain a more complete de-encryption key were not successful. According to our source, the company will spend several million dollars over many months to restore the full performance of the company’s information technologies back to how they functioned prior to the attack. 

Protected Health Information

Clinical laboratory administrators and pathologists should recognize that a ransomware attack directed at their laboratory creates another problem. Yes, the encryption of software and databases denies the lab access to those functions. But the ransomware attack may also cause a breach of patients’ protected health information. 

This means that the victimized laboratory must also comply with federal HIPAA requirements as it responds to the ransomware attack. Along with notifying those patients whose protected health information (PHI) was breached, the provider must notify the federal government and may need to issue a press release to the news media, depending on the number of patients affected by the breach. 

The value of PHI on the Dark Web is a major reason why hackers increasingly target hospitals, physician groups, clinical laboratories, anatomic pathology groups, and other healthcare providers. Not only can the hackers get paid a ransom from the victim, but they also can make money by selling the patient medical records they access.

Has your organization been hit with a ransomware attack? Please share your experiences with us in the comments below.