CEO SUMMARY: Both malware and ransomware have been around for a number of years. But the attacks launched today against healthcare providers are more sophisticated and better at achieving the total shutdown of targeted hospitals, doctor groups, and clinical laboratories. For this reason, clinical labs and pathology groups should put ransomware high on their list of threats. They should also regularly assess and upgrade their defenses against both malware and ransomware.
IF YOU ARE NOT FAMILIAR WITH THE TERM “RANSOMWARE,” you soon will be. Ransomware is poised to become the single biggest threat to your clinical laboratory, parent hospital, or anatomic pathology group.
Ransomware is defined by Oxford Languages as “a type of malicious software designed to block access to a computer system until a sum of money is paid.”
Ransomware and Malware
As a concept, ransomware is simple: hackers find a way into your organization’s digital systems. They insert malware (another term you will want to understand better) which encrypts your lab’s data files and computer systems. From that moment forward, there is a shutdown of all or most digital systems and it becomes impossible to access the company’s data files.
This happens suddenly and without warning. Once the malware is implanted, the files cannot be decrypted without a mathematical key known only by the attacker. The hackers will send a message to your lab’s IT team announcing the attack and that your lab’s data systems and files are locked and inaccessible. The only way your lab can decrypt the files and gain access to the systems is for you to transmit an untraceable Bitcoin payment to the attacker.
The latest major health system to be attacked by malware is Scripps Health in San Diego. On May 1, the attackers successfully encrypted the files and locked Scripps out of certain essential information systems. The situation became news in the following days, primarily because patients complained that they could not access their digital health records, make appointments, or send emails to their physicians.
Administrators at Scripps said little about the situation. On May 10, days later, Scripps issued a public statement. That document acknowledged the attack, stating, in part, “As you know, on May 1st Scripps was hit with a cybersecurity incident with malware placed on our information system. Our team prepares for this type of situation and immediately took steps to contain the malware by taking a significant portion of our network offline.”
Scripps scrambled to establish procedures to keep emergency departments and other clinical services operating. In some cases, this included use of paper forms.
Within the San Diego medical community, this malware attack has disrupted normal care. Scripps Health operates five hospitals and 19 outpatient facilities. It has 2,600 affiliated physicians and treats about 500,000 patients annually.
Restoring Digital Systems
As of May 20, Scripps Health announced that its scripps.org website was again up and running. However, local news sources said the system’s “My Scripps” digital portal, which patients use to make appointments and communicate with their doctors, “was still returning an error message as of the early afternoon.”
On May 21, reporter Lisa Morgan of Cyber Security Hub wrote, “high-risk patients such as heart attack, stroke, and trauma patients have been funneled from Scripps Memorial Hospital La Jolla to other hospitals nearby. Some patients are complaining that they are having trouble making appointments with other doctors and that Scripps is not referring patients to other doctors.”
Similar to the Scripps Health attack, another ransomware attack with national ramifications happened on May 7.
Colonial Pipeline Hacked
As reported by the national news media, the 5,500-mile petroleum pipeline operated by Colonial Pipeline was shut down after hackers encrypted the company’s data systems and sent a ransom demand to the company.
This pipeline delivers 45% of all the gasoline, aviation fuel, and other products—about 100 million gallons per day—from refineries in Houston to states on the East Coast. As of last Wednesday, 9,500 gas stations were out of fuel in the 13 states and Washington, D.C., served by the pipeline.
After days of refusing comment on whether it was paying a ransom to obtain the decryption keys needed to access its data systems, Colonial Pipeline CEO Joseph Blount confirmed that his company did pay ransom.
The Guardian wrote, “Blount said Colonial paid the ransom in consultation with experts who previously dealt with the group behind the attacks, DarkSide, which rents out its ransomware to partners to carry out the actual attacks.
“Multiple sources had confirmed to the Associated Press that Colonial Pipeline had paid the criminals who committed the cyberattack a ransom of nearly $5M in cryptocurrency for the software decryption key required to unscramble their data network,” The Guardian continued.
“A ransom payment of 75 Bitcoin was paid the day after the criminals locked up Colonial’s corporate network, according to Tom Robinson, co-founder of the cryptocurrency-tracking firm Elliptic,” The Guardian said.
The Dark Report is providing details on the Scripps Health and Colonial Pipeline ransomware attacks because each contains elements common to most ransomware attacks. Understanding how these ransomware attacks are conducted is essential if clinical laboratory administrators and pathologists are to work with their chief information officers, attorneys, and outside experts to harden their labs’ defenses against attackers using ransomware or malware.
During interviews, executives at companies that were victims of ransomware attacks, and several lab industry attorneys who have worked with client labs similarly attacked with ransomware, described the common processes used by the hackers.
Once the target company’s files and software systems have been encrypted, the hackers send an email describing their attack and demanding some amount of ransom. The email also states that if the target company refuses to pay the ransom, the hackers will use the stolen data—particularly data involving patients and customers—in ways that will harm the company and its reputation.
Upon discovery of the shutdown of their data systems, most organizations will bring in their attorneys and retain consultants in cybersecurity and negotiations. The third-party negotiators handle communications with the hackers and understand the unspoken rules of negotiation.
For example, the organization’s negotiators know how frequently the hackers will email or telephone. They understand the consequences should the organization not communicate with the hackers at expected points in time.
It is important for lab executives and pathologists to understand that negotiations do happen and are part of the ransomware attack. One example was shared with The Dark Report by a business owner who was dealing with such an attack.
He explained that not only did the attack encrypt every data function and software app used by his company, but the malware also successfully encrypted all the company’s back-up systems, including off-site and cloud-based backups. He said every data system in this $30 million company was encrypted, manufacturing stopped, and staff had no access to information when customers called seeking it.
Routine of Daily Calls
The company retained a negotiating consultancy firm. Each morning, the hackers called at a specific time. The owners were told that if they did not respond in a timely way, the hackers would simply walk away, leaving the company to solve the problem on its own.
The original ransom demand was for $500,000. Over 10 days, the third-party negotiators were able to reduce that down to about $240,000. The owners agreed to pay that amount in Bitcoin.
After the payment was made, a decryption key was received. However, according to this source, that key only unlocked certain software systems and databases. A substantial amount of the company’s software products and databases remained encrypted.
Further negotiations to obtain a more complete decryption key were not successful. According to our source, the company will spend several million dollars over many months to restore the company’s information technologies to how they functioned prior to the attack.
Protected Health Information
Clinical laboratory administrators and pathologists should recognize that a ransomware attack directed at their laboratory creates another problem. Yes, the encryption of software and databases denies the lab access to those functions. But the ransomware attack may also cause a breach of patients’ protected health information.
This means that the victimized laboratory must also comply with federal HIPAA requirements as it responds to the ransomware attack. Along with notifying those patients whose protected health information (PHI) was breached, the provider must notify the federal government and may need to issue a press release to the news media, depending on the number of patients affected by the breach.
The value of PHI on the Dark Web is a major reason why hackers increasingly target hospitals, physician groups, clinical laboratories, anatomic pathology groups, and other healthcare providers. Not only can the hackers get paid a ransom from the victim, but they also can make money by selling the patient medical records they access.
Experian, the credit reporting agency, says patient health records can be sold for up to $1,000 each. This depends on how complete the data file is and whether it is a single record or an entire database.
For example, after Farmingdale, N.Y.-based Apex Laboratory was hit by DoppelPaymer ransomware in mid-2020, the hackers posted the medical records of 10,000 patients they had stolen from Apex.
Assuming a value of $500 per record (half of Experian’s estimate of $1,000), potentially these hackers could have harvested a $5 million payday from that part of the ransomware attack.
Unfortunately, ransomware attacks are now a fact of life in the healthcare and clinical lab industry. For that reason, lab administrators would be well-advised to regularly assess and strengthen their labs’ defenses against this threat.
Ransomware Attacks Generally Go Unreported and Healthcare Providers Are Ripe Targets
IT IS IMPOSSIBLE TO KNOW THE TRUE TOTAL OF RANSOMWARE ATTACKS against healthcare organizations in the United States for a simple reason: hospitals, physicians’ offices, clinical labs, pathology groups, and other providers don’t want the news to become public. One obvious reason is the harm to the provider’s reputation. But the other, equally significant reason is that when other hackers learn a healthcare organization paid a ransom, they want to attack that same provider because they know this provider will pay a ransom to regain access to its data and software systems.
One source of public information about malware attacks is the federal database of reported HIPAA breaches of protected health information (PHI). Comparitech writer Paul Bischoff studied the federal database for 2020 breaches. (To be reported to the public, a PHI breach must involve the data of 500 or more patients.) Bischoff published his findings on March 21, 2021, under the headline “Ransomware Attacks on US Healthcare Organizations Cost $20.8 Billion in 2020.”
Included in the Comparitech report were these key findings:
• There were 92 individual ransomware attacks on healthcare organizations in 2020—a 60% increase from 2019.
• Over 600 separate hospitals, clinics, and other healthcare organizations were potentially affected (plus a further 100 providers in the Blackbaud attack).
• 18,069,012 individual patients/records were affected—a 470% increase from 2019.
• Almost 50% of Maine’s population was impacted by ransomware attacks in 2020.
• Ransomware amounts varied from $300,000 to $1.14 million.
• Downtime varied from minimal impact due to frequent data backups, to weeks or months of paper-only systems. One healthcare organization even lost all of its patient records in an attack.
• Based on the average ransom demand in 2020 ($169,446 according to the average across all of the quarterly reports from Coveware data), hackers demanded an estimated $15.6M in ransoms.
• In 2020, hackers received at least $2,112,744 in ransom payments (plus the undisclosed amount paid by Blackbaud and several other attacks).
• The overall cost of these attacks is estimated at around $20.8 billion (which includes downtime, cost of providing security services to patients whose PHI was breached, cost of bringing systems back into operation, and other related expenses).