North Carolina-based LabCorp Diagnostics, one of the largest clinical laboratories in the U.S., was forced to shut down its network on Sunday after officials detected suspicious activity, according to a recent U.S. Securities and Exchange Commission filing.
Over the weekend of July 14, attackers gained access to LabCorp's network. The company immediately took certain systems offline as part of its breach response policy to contain the intrusion. As a result, test processing and customer access to test results were temporarily affected.
According to its site, LabCorp handles more than 115 million patient encounters annually; any of those patient records stored on the affected network would potentially have been at risk. LabCorp did not respond to a request for comment.
Officials have continued to restore full system functionality, with test result services “substantially resuming” on Monday. Additional systems and functions will be restored over the next few days.
“Some customers of LabCorp Diagnostics may experience brief delays in receiving results as we complete that process,” officials said.
The suspicious activity was detected only on LabCorp Diagnostics systems, not on those of Covance Drug Development, which the company bought for $6.1 billion in 2014. The company has also notified the relevant authorities of the cyberattack.
In June, LabCorp successfully won its court battle over an alleged HIPAA violation. The company was accused of not providing enough privacy protection at its Providence Hospital computer intake system. LabCorp argued an individual can’t bring a lawsuit under HIPAA and filed a motion to dismiss. The judge agreed.
Healthcare providers and industry groups are warning Congress of an urgent need to improve standards and practices to protect medical devices and EHRs from cyberattacks.
Suggestions ranging from better coordination between organizations to federal help in covering the costs of protecting patient data are spelled out in nearly 300 pages of comments submitted to the House Energy and Commerce Committee. The panel in April issued a request for information on how to improve cybersecurity in the medical device sector. Congress is concerned that older “legacy” technologies may be more vulnerable to security threats than their modern counterparts.
The effort is part of a response to the 2017 global ransomware attack dubbed WannaCry that underscored the cybersecurity risks facing device makers, hospitals and healthcare facilities. The massive cyberattack froze computers at hospitals across the United Kingdom and disrupted businesses in more than 100 countries. Hundreds of thousands of devices were infected, according to the House committee.
Cybersecurity issues continue to hound healthcare organizations. The American Medical Association said 83% of physician practices report they have experienced some form of a cybersecurity attack, and the majority of doctors are concerned about future cyber attacks on their practices.
“The healthcare sector exchanges health information electronically more than ever before, putting the entire healthcare ecosystem at risk,” the AMA said in comments to the committee.
The AMA urged public policy that emphasizes greater transparency, educational resources for physicians, a more equitable distribution of liability risk and government enforcement among physicians, technology vendors and manufacturers, and positive incentives to encourage adoption of best practices.
A compromised EHR could prevent a physician from seeing a patient’s medical history, including drug allergies, historical blood pressure readings and previous medical treatments — which could lead to adverse outcomes, the American Alliance of Orthopaedic Executives said in its comments.
Devices including X-ray, MRI and ultrasound machines also need to interface with the EHR to store patient information for later reference or transfer to another provider.
“Healthcare is one of the few sectors of the economy in which a failure of our networks may mean the difference between life and death,” the group said.
Median technology costs for its members were $60,789 per practice in 2016. The executives suggested federal assistance such as tax breaks or an expense component to Medicare reimbursements to encourage adoption of new security protocols.
A cybersecurity risk could affect not only the security of sensitive patient information, but also the performance of medical devices that are life-sustaining, such as anesthesia machines, ventilators and therapy-delivery devices like infusion pumps, according to the American Hospital Association.
Many legacy devices were not built with cybersecurity in mind but are still clinically useful, the AHA said. For most hospitals and health systems, replacing these technologies is not financially feasible, and many can replace only about 10 percent of devices each year, the hospital group said.
Manufacturers must support end-users by wrapping security precautions around legacy devices, adding security tools and auditing capabilities, conducting regular updates, patching all software and communicating security vulnerabilities quickly through consistent channels, the AHA said.
Medical device lobby AdvaMed said any policies that would require its members to support legacy technologies indefinitely would slow development of new innovations and could influence the financial viability of smaller manufacturers.
The American College of Radiology, representing more than 35,000 radiologists, nuclear medicine physicians, radiation oncologists and medical physicists, urged Congress to “exercise restraint” in enacting any legislation that would put an undue burden on end-users such as radiologists.
“The ACR does not support government policies that would inappropriately shift more responsibility/liability associated with medical device cybersecurity away from manufacturers and onto physicians,” the group stated.
ECRI Institute, a research organization focused on cybersecurity for medical technologies, said manufacturers should be encouraged to proactively share device-specific security information such as patches and known vulnerabilities because healthcare organizations lack the knowledge to assess and manage the risk of legacy devices in their inventory.
Kaiser Permanente said policies to improve legacy system cybersecurity should strengthen the ability of healthcare delivery systems to counter current market dynamics, which it said strongly favors manufacturers.
“There are few incentives to encourage manufacturers to invest in supporting older versions of software when they can profit from the continuous need of the healthcare industry to upgrade hardware, software and (operating systems) due to obsolescence. A more level playing field will enhance cybersecurity across healthcare, help ensure greater patient safety, and improve the business value of clinical technology in healthcare delivery,” the healthcare organization said.
Device maker Becton Dickinson recommended manufacturers and healthcare organizations take a coordinated approach to improving transparency and making decisions on security patches and upgrades in response to new risks introduced during a product’s lifetime.
Allscripts has asked an Illinois district judge to dismiss a class-action lawsuit filed after a ransomware attack took down the EHR vendor’s servers for a week, adding that the dispute belongs in arbitration.
The lawsuit revolves around a January cyberattack involving a new variant of the SamSam ransomware. The attack brought down the company's servers in North Carolina and knocked out access for nearly 1,500 physician practices. Several of those providers reverted to paper records and reported lost revenue and canceled procedures due to the disruption.
In a court filing last week, Allscripts argued that Surfside Non-Surgical Orthopedics, the specialty practice that filed the lawsuit, intentionally sued Allscripts Healthcare Solutions Inc., the parent company of Allscripts Healthcare, LLC, to avoid the arbitration clause in its contract with the vendor.
Allscripts Healthcare Solutions Inc. is a “non-operating holding company with only eight officers, no employees, and no products or customers,” according to the filing.
“Plaintiff apparently hopes that, by suing a party with which it has no contractual or other business relationship, it can avoid the contract that governs the provision of the services it received from LLC,” Allscripts attorneys wrote in a court filing last week.
The company added that even if Surfside sued the right company, the injury was caused by a criminal act rather than Allscripts’ negligence. The company added that it explicitly warns about the inability to prevent all cyberattacks in its annual financial filings.
“A criminal attack executed using a brand-new malware variant is precisely the kind of unforeseeable intervening act that breaks the chain of proximate causation,” the court filing stated.
In a subsequent filing, Surfside’s attorneys maintained the parent company was to blame, adding that the company’s “acts and/or admissions affected the circumstances that gave rise to the attack and its fall-out.”
Surfside originally argued that SamSam has been a known vulnerability since March 2016, and the company’s “wanton, willful, and reckless disregard” led to service disruption.
In response, Allscripts apparently couldn’t resist a dig at Surfside, and any other providers that encountered disruptions from the attack.
“Customers who had appropriate contingency plans in place—the existence of which practices may certify annually to the federal government in exchange for certain financial incentives—were minimally impacted by the attack,” the company wrote in a footnote in its motion to dismiss.
A year after hackers unleashed the WannaCry and NotPetya ransomware, taking down healthcare organizations and other companies around the world, the healthcare industry still struggles to keep its systems secure.
In the first six months of 2018, there were 154 breaches reported to the Office for Civil Rights, up 13% compared to the same period in 2017. There were 50 “hacking/IT” incidents specifically during that period in 2018, just two more than there were during the first six months of 2017.
“There’s definitely more healthcare-related breaches,” said Bob Olsen, Navigant’s director of cybersecurity. “The challenge is there are new vulnerabilities being discovered every day. It’s a bit of a moving target.”
But there could be multiple factors behind those increases, cautioned John Riggi, senior adviser for cybersecurity and risk for the American Hospital Association and an FBI veteran. Organizations may simply be reporting breaches they wouldn’t have reported in the past, or reporting breaches that happened years ago. That’s what happened with LifeBridge Health, which in 2018 reported a breach of half a million patients that happened in 2016.
Nevertheless, healthcare organizations are engaged in a constant battle against cybercriminals, Riggi and others said.
The struggle peaked in May 2017, when hackers let loose the WannaCry ransomware, which encrypted data and demanded a ransom in bitcoin to decrypt the files. The attack affected about 200,000 computers in 150 countries, including the UK, where the National Health Service's systems went down.
A little over a month later, hackers sent out another piece of ransomware, NotPetya, which took down Nuance and other companies. Nuance lost $92 million in revenue due to the attack.
But ransomware attacks don’t come from hacker organizations alone. “Nation-states are aggressively targeting healthcare and hospitals in particular,” Riggi said.
Health systems have more to fear than their IT infrastructure going down. Breached data can end up on the dark web, where it is bought and sold. As more health data has become available on those markets, prices have fallen. But the data is still useful to buyers, said David Finn, executive vice president of strategic innovation for IT consulting firm CynergisTek. Buyers can aggregate health data and non-healthcare data from multiple sources, connecting people's health data with their financial information.
“They’re using data in ways we don’t even think of,” he said.
Those risks have spurred hospitals and healthcare organizations to be more aggressive in their defenses, Riggi said. But their plight never ends. “With every counter-measure put in place by a hospital, the adversaries come forward with a counter-measure for that,” Riggi said.
Part of the trouble is the speed—or lack thereof—with which healthcare organizations can react, Olsen said. “It’s sort of like moving a big ocean liner—it just takes time.”
Healthcare executives and security teams should prioritize protecting the most sensitive and critical data, including protected health information, Olsen said. That work starts with a risk assessment and continues with appropriate policies, staff training and patching.
Those assessments now need to be in line with HIPAA and the EU’s GDPR. “It is a much broader and deeper regulation,” said David MacLeod, Welltok’s senior vice president, chief information officer, and enterprise CISO.
Healthcare organizations could also benefit from taking the attacker's perspective and conducting authorized penetration tests (white-hat hacking) to expose vulnerabilities before a real adversary finds them. Even health systems that consider themselves well prepared may still be breached.
“The key is knowing when the breach has occurred, obtaining that knowledge in real time, and then having predefined plans for responding to the incident,” MacLeod said.
For healthcare systems to succeed in protecting their data, they need to put someone in charge of information security, Olsen said. Too often, that role falls onto the chief compliance officer or chief privacy officer, who might not have cybersecurity backgrounds or not have time to dedicate to security, he said.
“If you don’t have somebody in that role looking across the entire enterprise, it’s easy to have a lot of blind spots,” Olsen said.
There might be gaps between linked information systems, for instance. “When you connect, security IT really is like the old chain adage: Your security can be only as good as the weakest link in the chain,” said David Finn, executive vice president of strategic innovation for IT consulting firm CynergisTek. One straightforward tactic is making sure all software is up to date and sufficiently patched, he said.
“In healthcare, we have a legacy problem with old hardware and software,” he said. “That represents a huge risk.”
At the core, cybersecurity is about actual people, security consultants said. “The best defense against cyber-adversaries is a culture of cybersecurity within an organization,” Riggi said. “Ultimately, the entire staff and leadership of an organization should be considered part of the information security department.”
Everyone in an organization should also take into account the business implications of an attack, Finn said. “They have to understand that every time there’s a breach or disruption, it costs them money.”
While the idea of cloud computing has been around for decades, it’s only in recent years that independent healthcare practices have been able to make use of it. Many providers are wary of switching to the cloud, especially when used to physical on-site servers, and questions linger about the security of cloud hosted patient records.
The Advantages of Storing Health Records on the Cloud
Despite the uncertainty, a major advantage of using the cloud to store patient health records can be security. The breaches and HIPAA violations that make headlines are more often associated with on-site servers than with cloud-hosted ones, and cloud providers' infrastructure is probed and attacked continuously, so it is engineered and staffed to withstand that traffic every day.
Think of it like this: every time a doctor, nurse or other healthcare professional logs on to a remotely hosted cloud server, the platform's access controls are exercised. Only authorized personnel should reach the data they seek, and built-in security measures block unauthorized access attempts daily. A successful login shows those controls working for that user; the provider's ongoing monitoring and patching is what keeps them effective.
Other advantages of cloud-based health record storage include:
- Faster loading times for all applications
- The option for automatic backups and disaster recovery
- A reduction in cost: cloud storage typically costs less than buying and maintaining on-site servers and security software
- Removing a common source of HIPAA breaches, unauthorized physical access to on-site servers
Many cloud hosting organizations like DAS Health also house servers in a biometrically secured, restricted data center. This guards against physical tampering with or theft of the hardware, a threat a practice's own server closet rarely addresses, on top of the network-level protections.
Eliminating Human Error with Cloud Hosting
While cyberattacks and ransomware are real threats to data, the human element is a key part of protection. Often it is carelessness or poor physical safeguards that lead to data breaches. Cloud hosting reduces these concerns by removing the physical handling common with on-site servers and adding security software protections not usually found in an office. These human errors include:
- Mishandled PHI through unsafe passwords or storing data in unsecure locations
- Keeping data on unsecured devices instead of in the cloud
- Misconfigured servers that lack the protections they should have
- The theft of mobile or tablet devices that have saved EHR passwords on them
Cloud hosting removes some of these risks, such as hosting data in an insecure location, and choosing a trusted, HIPAA-compliant partner shields your practice from the risk of an unreliable vendor. Making sure your practice staff follow HIPAA best practices protects against the human element in security and also satisfies HIPAA risk assessment requirements.
The Bottom Line: Are My Patients’ Records Safe?
The answer to whether cloud-based health records can be secure is yes, provided the host and the practice each do their part. Cloud software is used by 83% of healthcare organizations, and by companies the world over, in everything from financial markets to sports management. It is also a powerful tool that independent practices can use to gain an edge over their competitors.
HIMSS’ latest cybersecurity report highlights the continued Meltdown and Spectre threats that first appeared in early 2018, while outlining how hackers can easily exploit healthcare’s legacy systems.
Healthcare is one of the biggest hacking targets for two major reasons: legacy technology and the need to access data to ensure operations. This is evident in this month’s HIMSS Healthcare and Cross-Sector Cybersecurity report that contains a long list of issued patches for vulnerable devices.
The U.S. Department of Homeland Security's ICS-CERT issued an alert to help organizations manage the Meltdown and Spectre vulnerabilities in modern processors. Publicly disclosed in January 2018, the flaws abuse speculative execution: Meltdown affects Intel CPUs in particular, while Spectre variants affect Intel, AMD and ARM designs, leaving affected devices open to side-channel attacks in which one process reads memory it should not be able to see.
While manufacturers have released mitigations in the form of microcode, firmware and operating system updates, some of those mitigations can reduce device performance. For those systems, ICS-CERT offered both workarounds and mitigations, while reminding organizations to perform risk assessments and impact analyses before deploying them.
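Before and after applying a mitigation, a practitioner needs to know what the operating system itself reports for each flaw. The following is an added example, not code from the HIMSS report or the ICS-CERT alert. It assumes a Linux kernel (4.15 or later) that exposes one status file per flaw under /sys/devices/system/cpu/vulnerabilities/, whose first line begins with "Not affected", "Vulnerable" or "Mitigation:". The sample status strings are constructed for the demo, not captured from a real host; the function and file names are the example's own.

```python
"""Classify the kernel's per-flaw mitigation reports and diff two snapshots.

Added example (not from the page's sources). Assumes Linux >= 4.15, which
exposes /sys/devices/system/cpu/vulnerabilities/<flaw>; each file's first
line starts with "Not affected", "Vulnerable[: detail]" or "Mitigation: detail".
"""
import tempfile
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample snapshots (hypothetical status lines, not a real host):
# a host with kernel page-table isolation but incomplete Spectre mitigation,
# then the same host after a microcode/kernel update.
SAMPLE_BEFORE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
    "spec_store_bypass": "Vulnerable",
    "l1tf": "Not affected",
}
SAMPLE_AFTER = dict(SAMPLE_BEFORE, **{
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW",
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
})


def classify(status):
    """Map one sysfs status line to not_affected / mitigated / vulnerable / unknown."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):  # kernel appends ": detail" for partial cases
        return "vulnerable"
    return "unknown"


def read_reports(vuln_dir=SYSFS_DIR):
    """Return {flaw: first status line}; empty if the kernel has no such directory."""
    vuln_dir = Path(vuln_dir)
    if not vuln_dir.is_dir():
        return {}
    reports = {}
    for p in sorted(vuln_dir.iterdir()):
        if p.is_file():
            reports[p.name] = (p.read_text().splitlines() or [""])[0]
    return reports


def needs_action(reports):
    """Flaws still reported vulnerable (or unparseable), sorted by name."""
    return sorted(n for n, s in reports.items() if classify(s) in ("vulnerable", "unknown"))


def diff_reports(before, after):
    """Flaws whose reported status changed between two snapshots: {flaw: (old, new)}.

    Run before and after a mitigation so the impact analysis records exactly
    what changed alongside any measured performance difference.
    """
    names = sorted(set(before) | set(after))
    return {n: (before.get(n), after.get(n)) for n in names if before.get(n) != after.get(n)}


def write_sample(reports, root):
    """Materialise a sample snapshot as sysfs-style files for offline use."""
    d = Path(root) / "vulnerabilities"
    d.mkdir(parents=True, exist_ok=True)
    for name, status in reports.items():
        (d / name).write_text(status + "\n")
    return d


def demo():
    """Parse both constructed snapshots from disk and return (before, after, changes)."""
    with tempfile.TemporaryDirectory() as tmp:
        before = read_reports(write_sample(SAMPLE_BEFORE, Path(tmp) / "before"))
        after = read_reports(write_sample(SAMPLE_AFTER, Path(tmp) / "after"))
        return needs_action(before), needs_action(after), diff_reports(before, after)


if __name__ == "__main__":
    live = read_reports()
    print("live host needs action on:", needs_action(live) if live else "(no sysfs vulnerability directory)")
    print("sample before/after/changes:", demo())
```

On a real host, run it once to capture the baseline, apply the vendor update, and run it again; the diff plus your own performance measurements is the impact analysis ICS-CERT asks for. Windows systems do not expose this directory, so the script reports nothing there rather than guessing.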
DHS also alerted organizations to other Meltdown and Spectre flaws, along with an increase in attacks on routers and networked devices by nation-state actors. Similar to the attacks noted in April, these attacks are easy for hackers to deploy, and serve as a reminder that healthcare’s legacy devices are at risk.
Destructive malware, which first began to proliferate a year earlier, has resurfaced as VPNFilter, according to the report. The malware targets routers and other network devices, can disable individual devices or many at once, and can cut off internet access for hundreds of thousands of users.
The report also highlighted a similarly destructive threat affecting Bluetooth. If exploited, an attacker can take control of devices and access personal data, and the malware can spread to other devices on the network.
“Adversaries stockpile exploits,” said Lee Kim, director of privacy and security for HIMSS North America. “The dangers of not having a solid patch management program are that you are low-hanging fruit.”
And in healthcare, that low-hanging fruit, once exploited, can cause a long list of problems.
“Dependence on technology means that technology that does not work or that has been compromised will affect day-to-day care and operations,” said Kim. “Making assumptions about what will work as a backup measure can be dangerous. Head off the risk by regularly testing your assumptions.”