CEO SUMMARY: Cybercrime—in the form of encryption attacks followed by ransom demands—is now a threat to every clinical laboratory and anatomic pathology group in the United States. Experts recommend that all labs elevate the attention they pay to their incident response teams tasked with defending their organizations’ information systems and databases. They also advise labs to harden their defenses against encryption attacks that become ever more sophisticated and successful.
EVIDENCE CONTINUES TO ACCUMULATE THAT ENCRYPTION ATTACKS AND RANSOM DEMANDS are major threats to all healthcare providers, including clinical labs and pathology groups. Yet many labs either have not recognized this threat or they’ve not taken steps to harden their defenses against such attacks.
Lack of attention by owners and managers of clinical labs and pathology groups stems from the fact that the majority of encryption attacks never become known to the public. A victim of an encryption attack and/or a ransom demand has a sensible reason to keep this news from becoming known to the public.
That’s because public news that a company or healthcare organization was encrypted and paid a ransom to obtain a decryption key encourages other hackers to target that company on the theory that if it paid ransom once, it will pay ransom a second time.
For this reason, a large proportion of the encryption attacks and ransom demands experienced by hospitals, clinical lab organizations, and other healthcare providers are kept secret. It is why the attacks happening weekly throughout the United States often are a surprise to the victimized organization’s management team. (See TDR, “Ransomware Attackers Target Health Providers,” May 24, 2021.)
These and more valuable insights were shared during a recent webinar produced by The Dark Report, titled, “Ransomware Protection & Response for Clinical Labs, Hospitals, and Pathology Groups: Effective Steps for Protecting Your LIS, EHR, and Other IT from an Encryption Attack.” The webinar recording is available for on-demand viewing.
In simple terms, an encryption attack locks some or all of the victim’s information systems and databases and prevents access by the victim. All workflow in the laboratory or pathology group that depends on access to operating software stops. Databases cannot be accessed.
Use of Paper Forms
In cases where the encryption attack and ransom demand are reported by local news outlets, journalists often describe how physicians and staff attempt to continue operations manually and with the use of paper forms.
The most successful encryption attacks also succeed in locking access to back-up systems and even cloud-based data storage. Backups that remain online and writable from the production network can be encrypted along with everything else, so only copies kept offline or otherwise isolated from the attacker reliably survive. This risk from an encryption attack should be recognized by clinical laboratory managers and pathology practice administrators.
Once files have been encrypted, systems and files cannot be decrypted without a cryptographic key known only to the attacker. Victims receive a message that notifies them that their files are now inaccessible and will only be decrypted if the victim sends an untraceable Bitcoin or other cryptocurrency payment to the attacker.
Disruption of Patient Services
The disruption to a lab’s regular operations can be substantial following an attack that encrypts some or all information systems, including databases. This is particularly true because labs typically serve hundreds of physicians and thousands of patients every day. A lab’s clients notice almost immediately that something is wrong because they are unable to access patient results or use email, customer service portals, and appointment programs.
Upon discovery of an attack, experts recommend that the clinical lab, pathology group, hospital, or other provider engage three types of consultants. First is a law firm to provide guidance on the provider’s obligations under state and federal laws. This includes addressing a possible breach of protected health information (PHI).
In these instances, the lab’s response becomes more comprehensive and complicated. If the breach involved data on a large number of patients, the lab is obligated to report the breach to the federal government, notify patients affected by the breach and offer them help in securing their data, and alert the news media about the PHI breach with a press release or similar notice.
Second is to engage a consulting firm with expertise in cybersecurity and information systems. These consultants have experience in dealing with encryption attacks, in using the decryption keys provided by the attackers after a ransom is paid, and in bringing all software, databases, and information systems back to full function. This is particularly important in attacks where the decryption key fails to restore access to all systems or where the provider decided not to pay ransom and must restore its systems on its own.
The third type of expert is skilled in negotiating with the hackers who launched the encryption attack and are now demanding ransom in exchange for the decryption key. In discussions with victims of these ransomware attacks, The Dark Report has learned that there are unspoken rules of negotiation that must be followed.
For example, the organization’s negotiators know how frequently the hackers will email or telephone. They understand the consequences should the organization not communicate with the hackers. If the victimized laboratory doesn’t respond to the satisfaction of the hackers, they may decide to go silent. That leaves the victimized lab or pathology group with encrypted systems that it must resolve on its own.
But there is another side to the negotiations. In conversations with TDR, ransomware victims described how, over a few days or several weeks, they were able to negotiate a ransom payment that was 50% or 25% less than the original amount demanded. Following payment of the ransom in the form of Bitcoin or other cryptocurrency, they received a decryption key and were successful in regaining functionality in most of their information systems and databases.
Labs Attacked, Encrypted
During The Dark Report’s webinar on encryption and ransomware, attorney Emily Johnson, JD, of McDonald Hopkins, a law firm based in Cleveland, provided examples of labs that were attacked by hackers.
In July 2019, one specialty testing division recently acquired by Labcorp was attacked. Labcorp’s team acted swiftly and it is believed that no Labcorp data was removed from its systems. Johnson presented a slide showing that the hackers demanded a ransom of $6,000 in Bitcoin for each machine that was hacked, for a total demand of $52,000 to unlock all encrypted devices.
Johnson also showed a slide with details of a ransomware attack in July 2020 on Apex Laboratory of Farmingdale, N.Y. That attack led to patient data being stolen and posted on a leak website. The impacted data included patient names, dates of birth, test results, social security numbers for some individuals, and phone numbers. Executives at Apex Laboratory learned of the attack when certain systems in its environment were encrypted and inaccessible.
Cybersecurity Expert Access
At the upcoming Executive War College, which takes place on Nov. 2-3, 2021, in San Antonio, there will be a session led by a cybersecurity expert with experience both in hardening data systems from attack and in negotiating ransom with attackers. This will give lab administrators and pathologists details about the newest tactics hackers are using to attack labs, hospitals, and healthcare organizations.
All labs face the threat of an encryption attack and disruption to clinical and business services that can last weeks and months. Beefing up the lab’s defenses today is a sound strategy. An ounce of prevention is worth the pound of cure.
34% of Healthcare Organizations Report Ransomware Attacks during Past Year
RANSOMWARE ATTACKS THAT TARGET HEALTHCARE ORGANIZATIONS are increasing in frequency. In a report it released in May, Sophos Group plc, a British security software and hardware company, published the results of a survey that included 328 respondents from healthcare. The three circles below highlight key findings from the Sophos survey, most notably that 34% of these respondents experienced a ransomware attack during the prior year.
Sophos’ survey determined that, following encryption, 93% of healthcare organizations got their data back. However, 34% of these organizations paid ransom to obtain a decryption key.
Sophos’ ransomware survey showed that, following an encryption attack, healthcare organizations reported an average loss of $1.3 million when all costs, including ransom paid, are considered. Below are highlights from the survey:
• 34% of healthcare organizations were hit by ransomware in the past year.
• 65% of those that were hit by ransomware in the last year said the cybercriminals succeeded in encrypting their data in the most significant attack.
• 44% of those whose data was encrypted used backups to restore data.
• 34% of those whose data was encrypted paid the ransom to get their data back in the most significant ransomware attack.
• However, on average, only 69% of the encrypted data was restored after the ransom was paid.
• 89% of healthcare organizations have a malware incident recovery plan.
• The average bill for rectifying a ransomware attack, considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, etc., was US$1.27 million. While this is a huge sum, it is also the lowest among all industry sectors surveyed.
Source: Sophos Group plc; State of Ransomware in Healthcare 2021, May, 2021
Fed Agency Recommends Two-Factor Authentication
RECOGNIZING THAT ENCRYPTION ATTACKS AGAINST HEALTHCARE ORGANIZATIONS are increasing, one federal agency recently declared single-factor authentication for remote or administrative access an informatics “bad practice.”
On Aug. 30, the federal Cybersecurity and Infrastructure Security Agency (CISA) issued an update to its “bad practices” list, which reads:
Today, CISA added the use of single-factor authentication for remote or administrative access systems to our Bad Practices list of exceptionally risky cybersecurity practices. Single-factor authentication is a common low-security method of authentication. It only requires matching one factor—such as a password—to a username to gain access to a system.
Although these Bad Practices should be avoided by all organizations, they are especially dangerous in organizations that support Critical Infrastructure or National Critical Functions.
CISA encourages all organizations to review the Bad Practices webpage and to engage in the necessary actions and critical conversations to address Bad Practices. For guidance on setting up strong authentication, see the CISA Capacity Enhancement Guide: Implementing Strong Authentication.
CISA’s full list of bad practices is at: https://www.cisa.gov/BadPractices.