As laboratories become increasingly reliant on digital technologies, they also become more vulnerable to cyberattacks that use ransomware, which encrypts crucial data and holds it hostage for ransom. Critical Values spoke to an expert in this field, Toby C. Cornish, MD, PhD, Associate Professor and Vice-Chair for Informatics in the Department of Pathology at the University of Colorado School of Medicine and Medical Director of the Laboratory Information Systems for UC Health. Dr. Cornish recently wrote an editorial for the American Journal of Clinical Pathology titled “Are You Prepared? Laboratory Downtime in the Ransomware Era.”
Dr. Cornish points out that ransomware attacks are becoming more frequent on health systems because they hold valued personal and financial information that cyber criminals seek. In fact, Dr. Cornish argues, health systems and laboratories should expect to be the victims of such crime given its increasing instances. Healthcare data breaches total around $6.2 billion per year, or an average of $3.62 million per cyberattack. While laboratories are not typically the key target, they are often collateral damage in these kinds of attacks on larger healthcare systems, and laboratories should be prepared to practice downtime procedures and have plans in place for extended downtime.
Critical Values spoke with Dr. Cornish about what laboratories can do to be better prepared for future attacks.
Critical Values (CV): Let’s start by defining a ransomware attack.
Toby Cornish (TC): That might be evolving, but in general, cyberattacks that involve ransomware are generally perpetrated by individual cyber criminals. Usually, they trick someone in an organization through social engineering into running malicious software. That malicious software will then attempt to propagate through the network.
CV: What does this malicious software do?
TC: Classically, ransomware was about trying to extort someone to give you money to get the decryption key so that you could decrypt your files. More recently, people are also stealing data as well. This adds to the concern for hospitals, which are giant, soft targets full of lots of very sensitive financial and personal information.
CV: Do they actually decrypt the files if they are given money?
TC: When ransomware had its most recent resurgence, maybe a decade ago, they were very good about getting your data back to you, because they had a vested business interest in making sure that there was trust.
Part of this transaction is that you can either try to get your data back without paying them, in which case you're going to have business continuity issues, which is going to cost you money as you bring in consultants, and you're going to have a giant cleanup problem. Or you could take the business proposition offered by these criminals: it's going to be much cheaper to pay us this amount of money that we're asking for than it is for you to potentially recover your files. Frequently, the amount of ransom that the criminals are asking for is a fraction of the money it costs businesses to recover from the attack.
CV: Are organizations that pay ransoms getting all their data back?
TC: It’s not a 100% guarantee that you're going to get absolutely every scrap of data back.
[Cyber criminals have] also switched over their M.O. to exfiltrate the data. So, it used to be the data just stayed in place and was decrypted and they were not trying to get the data out. And now, it's much more common for them to try to take the data.
CV: How have cyberattacks impacted laboratories in recent years? Are laboratories particularly vulnerable to ransomware?
TC: There have been a few well popularized attacks—University of Vermont Medical Center (UVMMC), LabCorp.
Usually, a laboratory is hit as collateral damage as part of an attack against a larger health system. Cybercriminals didn’t use to target organizations; they’d just broadly email to addresses they bought from someone. Now they target these large organizations, because there are so many more holes, they've got so many employees, someone's going to make a mistake.
CV: Does that suggest that smaller laboratories or those unaffiliated with larger systems might be safer from these attacks?
TC: There’s a certain amount of security in obscurity, right? You're sort of too small to have anyone even know you exist. The other thing is that the smaller you are, as an organization, just statistically, the less likely you are to get affected by malware, because you have fewer people to make a mistake.
CV: Laboratories are becoming more digitally connected and more reliant on technologies. Does that make them more vulnerable, ultimately, to cyberattacks?
TC: Absolutely. I don't want to say we're hostage to our information systems, but you know, they are exceedingly important to the modern laboratory. There is still a little bit of bench work that goes on here and there. But even if you’re resulting things by hand, even if a couple of instruments maybe aren’t interfaced, you still have to put those results into an electronic system. No one is handwriting results and faxing it out. And as they discovered at UVMMC, even faxing things out or printing can become difficult when your networks are totally down.
CV: What else is affected when a ransomware attack takes down laboratory information systems?
TC: You might also lose the EHR. You might lose all your printers. You're going to lose your middleware between your instruments and your LIS and all those rules that you've built. Basically, you’ll lose every result that comes off an instrument. You lose electronic ordering, reporting, and billing. Basically, the lab breaks.
CV: So can a laboratory still operate if systems are down?
You can still receive specimens and you can still manually enter the information directly into the instruments about the testing that has to be done. You can then get results directly off the instrument by literally hooking a printer up to it and printing out the results. And then you can take that piece of paper and fax that to a clinician. You can take care of a patient with that—that's how medicine was traditionally practiced. But when you're done, what you have is not an electronic health record, you have a stack of paper.
CV: What problems does it cause if you don’t get all the information into the EHR?
TC: For high value laboratory results, where there are persistent implications, like the anatomic pathology laboratory results, those need to eventually be entered into the EHR. UVMMC’s lab was working for months just to reconcile all the results, and a lot of testing didn't get billed when it was performed. So, in addition to all the other costs, there was a lot of lab work that was done for free because, essentially, the effort involved in billing for it was too great.
CV: So what should laboratories do or not do if they find themselves under cyberattack? And then of course, what can labs do to protect themselves in advance?
TC: The first thing that a smart and astute security group will do is to completely disconnect the network from the outside world. Because even though the malware may be active inside your network and may be encrypting all your data and you haven't been able to stop it yet, at the very least if you've cut off from the outside world, that data isn't going anywhere. So, you may still have the ransomware issue, but at least you haven't lost a million patient records. This will also keep cybercriminals from connecting to the infected computers.
Also, it's very unlikely that the laboratory is going to be the party identifying that they're under cyberattack. One would hope that your IT group would figure that out. If you do suspect an active or attempted cyberattack, call your IT helpline or security line immediately and tell them the details. Because the sooner you identify something as a cyberattack, the more likely you are to actually survive that cyberattack without data loss.
CV: Are there other ways to prepare the average laboratory?
TC: A lot of laboratories are not the ones in the driver's seat when it comes to preventing cyberattack and increasing cybersecurity. Most of those functions are going to be centralized in your healthcare system IT. However, the lab should be active participants in thwarting attempted cyberattacks. It requires a combination of training and making sure people are aware of threats. Our Office of Information Security does lots of phishing drills. They’re sending out fake phishing attempts a couple of times a year unannounced and looking to see who opens them. And if you open them, you've just bought yourself a training module on how to avoid phishing.
CV: Any other stop gaps in the form of training and prevention?
TC: The cybersecurity czar at your institution should be hardening your networks, putting in devices that will automatically detect ransomware attacks, both attempts and attacks in progress. Have firewalls at the edge of your network that can do what's called deep packet inspection, which is looking at all incoming traffic for signatures of known ransomware. IT groups really need to have [cyber security] at the top of their list, when they're looking at upgrading networks and developing policy.
Also, assume that everything you do is still not enough. And assume that you're going to continue to be attacked. Probably most healthcare systems last year had some form of attempted cyberattack against them. There will be incidents. You need prepare very good business continuity and disaster recovery plans, and you have to have exercise them regularly.
CV: Can you speak to the importance of downtime procedures in the laboratory, to help prepare for their eventuality?
Downtime procedures in the laboratory are something that laboratories can control, and laboratories are required to have downtime procedures. I think it's hard to anticipate how long every downtime is or what it's going to affect. Think about having tiered downtime plans to address this.
That means having a two-hour plan, a 12-hour plan, a 48-hour plan, etc. At the very least you will have a bit of a matrix, looking at length of downtime and then the number of systems that are affected. And while no one likes to consider this, you need to go through the exercise of thinking about what you would do if the network was totally down for two weeks.
Yet don't be wed to those plans. Because it's very difficult to test extended downtime. No one has the luxury of telling their health system, “we're going to test our two-week downtime, please have patience with the laboratory.”
CV: What else do laboratories need to know about cyberattacks?
TC: I think a lot of people don't realize they're putting their eggs in one basket. Perhaps you need to segment your networks, maybe you need to be running your phones on one network that’s isolated from the network that your electronic health record is on. Maybe you need to have some firewalls between different parts of the hospital or different functionality. When people design networks and implement information systems, they're often not thinking seriously about what happens if they are forced to shut literally everything down.