Lapses in security measure testing can give healthcare employees a false sense of protection against data breaches, says cybersecurity expert
Cyberattacks on our nation’s hospitals, clinical laboratories, other healthcare organizations, and health plans continue to plague the healthcare industry. As of July 7, 2023, 324 data breaches have occurred and are currently under investigation, according to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) data breach portal.
This has affected more than 39 million people, HealthITSecurity reported.
Below is a list of the data breaches this year that affected the most people.
“The way that computer network environments work today, users are acknowledged as the weakest link and offer the most potential for access to a hacker,” Ben Denkers, former Chief Innovation Officer at CynergisTek, told Dark Daily’s sister publication The Dark Report. He added that data breaches at clinical laboratories can start with “missteps” by lab employees who have a false sense of protection caused by lapses in testing a lab’s security measures. CynergisTek merged with Clearwater in 2022.
Top Data Breaches in First Six Months of 2023
Here are healthcare’s top 10 data breaches for the first half of 2023, listed by organizations with the most people affected, according to HHS:
Enzo Clinical Labs, clinical reference laboratory, Farmingdale, New York, 2.4 million individuals affected.
ZOLL Services, medical equipment, Pittsburgh, Pennsylvania, 997,097 individuals affected.
Community Health Systems, healthcare provider with 15,000 licensed beds at 89 acute care hospitals in 16 states, Brentwood, Tennessee, 962,884 individuals affected.
CentraState Healthcare System, healthcare provider with a 284-bed acute care medical center, an ambulatory campus, and an urgent care clinic, Freehold, New Jersey, 617,901 individuals affected.
Clinical Laboratory Brings in Cybersecurity Experts
Following a ransomware incident in April on its computer network, Enzo Clinical Labs in Farmingdale, New York, “immediately took steps to secure our systems and began an investigation with the assistance of a cybersecurity firm,” the lab’s Notice of Data Security Incident explains.
“The investigation determined an unauthorized party accessed files on our systems,” the notice continues. “The files contained patient names, dates of service, clinical test information, and, in some instances, Social Security numbers.”
Enzo “has incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter,” according to the lab’s Securities and Exchange Commission (SEC) filing.
Multiple Large Health Systems Suffer Data Breaches
At Community Health Systems (CHS) it was a security incident at Fortra, a cybersecurity firm engaged by CHS, that resulted in “unauthorized disclosure of patient information,” according to CHS’s Notice of Third Party Security Incident.
The extent of data theft from the breach of Fortra’s GoAnywhere MFT secure managed file transfer software was not immediately clear, HIPAA Journal reported.
“The personal information may have included full name, address, medical billing and insurance information, certain medical information such as diagnoses and medication, and demographic information such as date of birth and Social Security number,” the CHS notice explained.
At CentraState Healthcare System, “an unauthorized person obtained a copy of an archived database that stored certain patient information,” the healthcare provider’s Notice of Security Incident states.
“There was no financial account and/or payment card information involved in this incident,” CentraState noted.
Financial Impact of Data Breaches
One effect on healthcare providers is the costly settlement of lawsuits that follow data breaches and allege failure to secure patients’ protected health information (PHI). For example, according to Becker’s Health IT:
UMass Memorial Medical Center in Worcester, Massachusetts, paid $1.2 million “to settle a March 2022 lawsuit regarding a data breach of its payroll management system Kronos.”
Advent Health in Altamonte Springs, Florida, paid $500,000 “to settle a data breach lawsuit alleging that the health system failed to protect patients’ confidential information after a September 2021 data breach.”
CommonSpirit Health in Chicago spent $150 million recovering from a ransomware attack in October 2022 that also sparked lawsuits over stolen PHI.
Tips for Clinical Laboratories on Securing Patient Data
In “Labs Must Audit Their Cybersecurity Measures,” Ben Denkers, former Chief Innovation Officer at CynergisTek, an Austin-based cybersecurity company which has since merged with healthcare cybersecurity and compliance company Clearwater, told Dark Daily’s sister publication The Dark Report, “The way that computer network environments work today, users are acknowledged as the weakest link and offer the most potential for access to a hacker.”
Denkers advises that while training employees is important for cybersecurity because it aims at changing human behavior, laboratories and other healthcare organizations also need to audit the technological measures they have in place to protect data.
“What we find is that organizations have security technology or processes in place that are either not effective or not working as designed,” he said, adding that when data breaches do occur “it’s a complete blindside for a lot of organizations that think they have protections in place because they bought a product, or they developed a policy.
“Testing, validating, and auditing whether measures are working as designed is a change of mentality for a lot of organizations. I would recommend taking those steps,” he added.
Clinical laboratories hold vast amounts of patient data and cannot afford disruptions to testing and results reporting. Vigilance can help labs avoid catastrophic cyberattacks, secure their patients’ protected health information from being stolen, and prevent the lawsuits that follow a data breach.
As scientists gain new insights into the human microbiome and how it influences our health, microbiology labs may gain new diagnostic biomarkers
In a study that took more than five years to complete, researchers from Stanford University have successfully created the first synthetic microbiome model from scratch. The goal of the study was to create a baseline microbiome model so that future studies will have a better understanding of which clinical laboratory tests and medical interventions could be useful for treating specific ailments and improving patient care.
To create their synthetic human microbiome, the Stanford researchers combined 119 species of bacteria, The New York Times reported, adding that “the new synthetic microbiome can even withstand aggressive pathogens and cause mice to develop a healthy immune system, as a full microbiome does.”
According to the National Institutes of Health (NIH), the human gut contains trillions of microbes, and no two people share the exact same microbiome composition. This complex community of microbial cells influences human physiology, metabolism, nutrition and immune function, and performs a critical role in overall health.
The Stanford scientists believe researchers now have a common microbiome foundation for future microbial studies.
“We were looking for the Noah’s Ark of bacteria species in the human gut, trying to find the ones that were almost always there in any individual,” said Michael Fischbach, PhD, Associate Professor in the Departments of Bioengineering and Microbiology and Immunology at Stanford University. Future microbial studies that use Stanford’s synthetic human microbiome may develop improved clinical laboratory tests and microbiome therapies.
Creating the ‘Human Community One’ Microbiome
The researchers began their study by examining the gut bacteria makeup of adults involved in the Human Microbiome Project (HMP), an NIH initiative created to sequence the full microbial genomes of more than 300 adults.
The scientists then selected bacterial strains that were present in at least 20% of the HMP individuals. They focused on 104 bacterial species that they grew in individual stocks, and then mixed them into one combined culture to create what they named “Human Community One” (hCom1).
The researchers had to ensure that the final mixture had the stability to maintain a balance where no single species overpowered the rest and could perform all the actions of a natural microbiome.
After being satisfied that the bacterial strains could coexist in a lab situation, the scientists set out to determine if their community would colonize the gut. To do this, they introduced hCom1 to germ-free mice that are designed to have no natural microbiome.
When transplanted into the mice, the researchers discovered hCom1 was an extremely stable ecosystem, with 98% of the species taking root in the guts of the mice, and the levels of each bacterial species remaining constant over a two-month period.
“We colonized germ-free mice with hCom1 and found that it was stable over time. Its species span six orders of magnitude of relative abundance: from ~10% to less than one in 1,000,000,” Michael Fischbach, PhD, Associate Professor in the Departments of Bioengineering and Microbiology and Immunology at Stanford University and one of the authors of the study, explained on Twitter.
Based on a theory called colonization resistance, the team then introduced a human fecal sample to hCom1 to ensure that all vital microbiome functions would be performed by one or more species. Colonization resistance is the phenomenon where the normal gut microbiome protects itself against invasion by new and often harmful microorganisms. This theory hypothesizes that any bacterium introduced into an existing colony will only survive if it can fill a niche that is not already occupied.
Creating a Second New Microbiome
Some researchers involved in the project were skeptical that introducing human fecal matter to hCom1 would work. They believed it would overtake the synthetic microbiome model.
“The bacterial species in hCom1 had lived together for only a few weeks,” Fischbach explained in a Stanford press release. “Here we were introducing a community that had coexisted for a decade. Some people thought they would decimate our colony.”
However, the scientists found that hCom1 thrived with only about 10% of the cells in the final community originating from the fecal transplant. A few of the original bacterial species died off and approximately 20 new bacterial species were able to successfully colonize hCom1. They ultimately catalogued 119 bacterial strains present in the colony after the transplant and dubbed the new microbiome “Human Community Two” (hCom2).
To further prove the functionality of their synthetic microbiome, the team then introduced an Escherichia coli (E. coli) sample to mice colonized with hCom2 and found that they were able to resist infection.
“Mice colonized by hCom2 look normal immunologically, have similar microbiome-derived metabolites, and exert colonization resistance against E. coli,” said Fischbach on Twitter. “There are improvements to make, but we think hCom2 (in its current form) is a good model system of the microbiome.”
Future Microbial Studies
The Stanford team hopes its synthetic microbiome model will allow researchers around the world to have a common foundation for future studies and provide them with the ability to create engineered microbiome-based therapies.
“We built this consortium for the broader research community,” said Fischbach in the press release. “We want to get this into as many hands as possible to have an impact on the field.”
While direct links to new clinical laboratory tests and microbiome therapies have not yet been established, research like the Stanford study demonstrates the increasing value of the human microbiome as a source of diagnostic information that can guide decisions on better ways to treat patients.
Both programs seek to achieve early diagnosis by detecting a range of disorders where an existing treatment can be given as early as possible
Two separate genetic sequencing projects—one in the United Kingdom and one in New York City—aim to perform whole-genome sequencing for clinical laboratory diagnostic purposes on 100,000 newborns each to identify up to 200 rare genetic diseases that are treatable with early diagnosis and intervention.
Genomics England announced its Newborn Genomes Program in 2022 and plans to start signing up expectant parents for the genetic sequencing project later this year, an article in Science reported. Parents will be invited to participate in the $129 million pilot program through the UK’s National Health Service (NHS) with the goal of enrolling 100,000 newborns over the next two years.
In the US, the Guardian Study (Genomic Uniform-screening Against Rare Diseases In All Newborns) was launched last year in New York City. The program will run for four years and sequence the DNA of 100,000 newborns looking for 160 rare genetic diseases. “Parents can opt to add 100 neurodevelopmental disorders that can’t be cured, but for which speech and physical therapy could help,” Science noted.
More than 200 babies have already been enrolled in the Guardian study, and about 70% of those invited to participate have agreed to do so, according to GenomeWeb.
“I think expanding the number of diseases we look for could make a radical improvement in the way we diagnose and treat children with rare diseases,” said molecular geneticist Wendy Chung, MD, PhD, Director of the Clinical Genetics Program at New York Presbyterian Hospital/Columbia University Medical Center, in a press release. Clinical laboratories that perform newborn screenings may soon have new genomic screening tools for a larger number of rare genetic disorders.
Giving Parents the Ability to Make Informed Decisions
In many countries, newborns are screened for several dozen genetic illnesses via biochemical tests using a drop of blood collected from the baby’s heel. Whole-genome sequencing could potentially detect more disorders and allow for earlier care and treatments to avoid permanent disability or death.
Parents enrolled in the US/UK genomics sequencing programs will receive results for as many as 200 genetic diseases that are known to be caused by genetic variants and which typically display symptoms before the age of five. All the illnesses are treatable with remedies ranging from a simple vitamin supplement to a bone marrow transplant.
“For the parents who may be offered whole genome sequencing for their babies as part of our pilot, they need to know which of these many conditions will be looked for, so that they can make an informed decision about whether or not to take part in the study,” said pediatrician and geneticist David Bick, MD, Principal Clinician for the Newborn Genomes Program, in a Genomics England press release.
Parents will not receive data regarding gene variants with unknown risks or variants that only cause disease in adulthood.
Detecting a Range of Genetic Disorders in Newborns
The UK’s Newborn Genomes Program expects to identify genetic disease in at least 500 newborns. Researchers involved in the project estimate that utilizing genetic sequencing in newborns could detect those diseases in up to 3,000 babies if used across the country.
“The primary goal of the program is to detect a range of disorders where we already have an intervention that could be given at the earliest possible point in life to reduce disability or potentially to avoid harm,” said Sir Mark Caulfield, MD, Director of the William Harvey Research Institute at Queen Mary University of London and Chief Scientist for Genomics England, in a Queen Mary University press release.
“It turns out that approximately one in 190 births (circa 10 babies born every day in the UK) has one of these problems, and if the intervention is employed, this could be life changing. The majority of these interventions are dietary shifts or vitamin supplements, and only 8% are expensive treatments, for example, gene therapies or transplantation,” Caulfield noted. “The children may not be cured, but the interventions may reduce disability or even allow a normal life, so getting these life-changing opportunities to children at the earliest point is so important.”
The US initiative is using genomic sequencing to screen for 250 medical conditions that are not currently detectable in newborn screenings in New York. Like the UK program, these disorders are treatable and symptomatic before the age of five. The goal is to diagnose these illnesses earlier to allow for early treatment and better health outcomes.
“I think expanding the number of diseases we look for could make a radical improvement in the way we diagnose and treat children with rare diseases,” said Chung in a Columbia University press release. “Families and pediatricians don’t need to go through those diagnostic odysseys anymore with the genomic technology we now have. We can make the diagnosis at birth.
“I think genomic screening will also make sure we leave no baby behind. It will provide equitable access to a diagnosis,” Chung added. “We want to address health disparities, which we’ve seen happen after screening for SCID (severe combined immunodeficiency disorders) was added to state newborn screening panels. When every newborn is screened, the family’s socioeconomic status is irrelevant.”
Saving Children from Lifelong Disease
The US and UK genomics sequencing programs may have considerable influence on encouraging more newborn screening all over the world. Technological advancements in recent years have dramatically reduced genomic sequencing costs.
Additionally, sequences can be done faster and more accurately, and the technology is enabling complex analysis of data in ways that expand the information contained in the genome. This could lead to life-saving breakthroughs in treatment for many rare genetic disorders.
These developments may also encourage more clinical laboratories within the United States to consider offering a genome sequencing service for newborn screening. With hundreds of diseases now detectable through genetic technology, screening a newborn’s genome for mutations could provide more accurate and faster diagnosis of illnesses and potentially help more children avoid serious diseases.
Incident serves as a reminder that all clinical laboratories can be just one mistake away from reporting erroneous results to a number of doctors and patients
In May, more than 400 patients who agreed to take the Galleri multi-cancer early detection (MCED) blood test from GRAIL—a California-based biotechnology company that is owned by genetic technology developer Illumina—received letters falsely suggesting they had cancer, according to the Financial Times, which broke the news.
The Times reported that a software error had caused GRAIL’s telemedicine provider PWNHealth, which is owned by Everly Health Solutions, to send an erroneous letter to 408 patients misinforming them that “they had a signal in their blood suggesting they could have cancer.”
In a statement, GRAIL said the letters were “in no way related to or caused by an incorrect Galleri laboratory test result” and that “the letters were inadvertently triggered by a PWNHealth software configuration issue, which had now been disabled,” Financial Times reported.
GRAIL, which stated that more than half of the people who received the letters hadn’t even had blood drawn for the test, also added that “no patient health information has been disclosed or breached due to this issue, and no patient harm or adverse events have been reported,” the Financial Times noted.
Nevertheless, it’s not hard to imagine the effect the letters had on those people. No clinical laboratory wants national headlines as a consequence of an error that causes incorrect test results to be reported to doctors and patients. How to prevent such occurrences is a challenge to all clinical laboratory managers.
According to GRAIL, its Galleri multicancer early detection test “can detect a signal shared by more than 50 cancer types and predict the tissue type or organ associated with the signal. At least 45 of these cancers lack recommended screening tests in the US today.” Clinical laboratories that draw the blood sample for the genetic test ship the collection kit directly to GRAIL’s laboratory for processing.
What Went Wrong
PWNHealth said in a statement that the letters were sent due to “a misconfiguration of our patient engagement platform used to send templated communications to individuals,” CBS News reported.
Financial Times reported that the letters were issued from May 10-18, and on May 19 PWNHealth informed GRAIL of the problem. “We addressed the underlying problem within an hour of becoming aware of it and have implemented additional processes to ensure it does not happen again,” PWNHealth said. “In partnership with GRAIL, we started contacting impacted individuals within 36 hours.”
The software configuration fault was deactivated by PWNHealth, and GRAIL notified affected individuals via phone, email, and regular mail until all had been informed of the error, GRAIL said.
Though GRAIL reacted quickly, there has been fallout caused by the letters. Insurer confidence may have been damaged.
According to Financial Times, customers of life insurance company MassMutual and another unnamed insurer had “been affected” by the erroneous letters. As a result, MassMutual had suspended a pilot program and the unnamed insurer was “reviewing its relationship” with GRAIL.
About GRAIL and the Galleri Liquid Biopsy Test
GRAIL was founded in 2015 in San Francisco, California, with the goal of detecting early-stage cancer. They developed the Galleri liquid biopsy test which requires only one blood sample and can “detect a signal shared by over 50 types of cancer with 99.5% specificity and predict the cancer signal origin with high accuracy to help guide next steps,” according to the company’s website.
The $949 test can only be obtained by a doctor’s prescription. At this time it is not covered by insurance, Healthnews reported.
According to a GRAIL Galleri fact sheet, “All cells—cancer and healthy ones—shed DNA, which is called cell-free DNA (cfDNA), into the bloodstream. … After a blood sample is taken at a healthcare provider’s office or at a GRAIL partner laboratory, the Galleri test uses the power of next-generation sequencing and machine-learning algorithms to analyze cfDNA methylation patterns.
“The test uses these methylation patterns to determine if a cancer signal is present and, if so, predict the tissue type or organ where the cancer signal originated.
“If a cancer signal is detected, a healthcare provider will determine next steps for diagnostic evaluation, which may include personal and family health history, physical examination, and guideline directed evaluation(s) including lab work and imaging.”
Flashback to Another Notable Lab Error
This is not the first time inaccurate genetic test results have been sent out to patients.
In 2017, Dark Daily’s sister publication, The Dark Report, covered how genetic test developer Invitae Corporation had reported inaccurate genetic test results for up to 50,000 patients over a period of 11 months from September 2016 to July 2017.
In a statement, Invitae said the error occurred “because of the unique characteristics of how we were testing for the MSH2 Boland inversion, our quality control checks did not catch omission of the components of the assay. … As soon as the omission was recognized and relevant components returned to the assay, it once again performed properly. We have added two separate quality controls to ensure this issue will not reoccur.”
Negative Online Reviews Hurt Businesses including Clinical Laboratories
In its article, Status Labs references a 2021 PEW Research survey which found that “More than eight-in-10 US adults (86%) say they get news from a smartphone, computer, or tablet ‘often’ or ‘sometimes,’ including 60% who say they do so often. This is higher than the portion who get news from television, though 68% get news from TV at least sometimes and 40% do so often. Americans turn to radio and print publications for news far less frequently, with half saying they turn to radio at least sometimes (16% do so often) and about a third (32%) saying the same of print (10% get news from print publications often).”
Status Labs also cited studies showing the impact of negative press online. One study by Trustpilot showed that 90% of consumers said they will not frequent a business that has a bad reputation.
Another study by the University of Pennsylvania found that “negative reviews, messages, or rumors hurt product evaluations and reduce purchase likelihood and sales.”
Vigilance Is the Key
Clinical laboratory leaders are keenly aware that a lab’s reputation can make or break its business. This incident involving GRAIL and its telemedicine provider PWNHealth is a reminder that vendors providing services to medical laboratories can be a source of problems ranging from breaches of protected health information (PHI) to misstatements or misreporting of clinical laboratory test results.
Thus, it behooves lab managers to constantly monitor information leaving the lab, and to ensure all test results sent to patients and doctors are valid and accurate.
US Department of Justice sends a strong message that it will continue to root out fraud involving clinical laboratory owners and operators
Arkansas clinical laboratory owner/operator Billy Joe Taylor has been sentenced to 15 years in federal prison and ordered to pay nearly $30 million in restitution, according to a June 8 press release from the US Attorney’s Office for the Western District of Arkansas.
Taylor pleaded guilty in October of 2022 to conspiracy to commit fraud and money laundering. He and his accomplices submitted $134 million in false or fraudulent claims to Medicare before and during the COVID-19 pandemic.
The claims came from five laboratory companies owned and operated by Taylor and his co-conspirators. All claims centered around respiratory illness tests or urine drug tests that were either not medically necessary or not ordered by medical providers, the DOJ’s press release states.
Taylor’s 15-year sentence in federal prison and huge restitution reinforce the fact that the federal Department of Justice (DOJ) will indict—and convict—owners and managers of clinical laboratory companies accused of healthcare fraud.
Billy Joe Taylor, owner/operator of five clinical laboratories in four states, was sentenced in June to 15 years in prison and ordered to repay nearly $30 million in fraudulent test claims made to Medicare prior to and during the COVID-19 pandemic. This conviction is part of an ongoing campaign against healthcare fraud being conducted by the US Department of Justice.
Details of Taylor Fraud Case
Taylor allegedly obtained private personal and medical data from Medicare beneficiaries and then used that information to submit and resubmit claims to Medicare for diagnostic tests. More than $38 million was received from Medicare on those fraudulent claims, the DOJ noted.
In 2021, Taylor claimed innocence and told Arkansas Business that the accusations were “sensationalism-type claims from the government that were completely erroneous and false.”
Taylor planned to go into the clinical laboratory field while he was still in high school. He got started by volunteering at his hometown hospital in Stigler, Oklahoma, the Free Library reported. Eventually hired by the hospital to draw blood, run tests, and keep quality control and inspection data, Taylor later moved to other hospitals before partnering in 2009 to start Advanced Laboratory Services (ALS) of Oklahoma City, Oklahoma.
A pulmonary embolism and stroke forced Taylor to sell his share in ALS, and not long after he returned as a consultant, his business partner sold the lab company. Taylor joined two people from a Tulsa laboratory to start a new company, acquiring Medtest Laboratories LLC of Hurricane, West Virginia, and Vitas laboratory LLC in 2017. He hoped to compete with national laboratories, earning up to $2 million per month, the Free Library reported.
Other Clinical Laboratory Testing Fraud Schemes
The DOJ’s aggressive efforts to crack down on healthcare fraud over the past years have produced multiple court cases against clinical laboratory owners, managers, and the doctors who conspire with them. Dark Daily has covered such fraud cases in numerous ebriefings over the years.
In 2021, the DOJ’s Healthcare Fraud Unit brought “criminal charges against 14 defendants, including 11 newly-charged defendants and three who were charged in superseding indictments, in seven federal districts across the United States for their alleged participation in various healthcare fraud schemes that exploited the COVID-19 pandemic and resulted in over $143 million in false billings,” a DOJ press release announced.
In a statement to the press, Deputy Attorney General Lisa O. Monaco said, “The multiple healthcare fraud schemes charged today describe theft from American taxpayers through the exploitation of the national emergency … These medical professionals, corporate executives, and others allegedly took advantage of the COVID-19 pandemic to line their own pockets instead of providing needed healthcare services during this unprecedented time in our country.
“We are committed to protecting the American people and the critical healthcare benefits programs created to assist them during this national emergency, and we are determined to hold those who exploit such programs accountable to the fullest extent of the law,” she added.
Monaco’s statement emphasizes the DOJ’s expanding focus on healthcare fraud. The DOJ formed the Health Care Fraud Strike Force in 2007 to handle cases like Taylor’s. The program is composed of 15 teams operating out of 25 federal districts. During the 15-plus years the Strike Force has been active, the DOJ has charged more than 5,000 defendants who collectively billed over $24 billion to both private insurers and federal healthcare programs.
Therefore, it behooves clinical laboratory managers to ensure all lab operations are well within the bounds of legality. The DOJ is taking its hunt for healthcare fraudsters quite seriously.
Cybersecurity experts recommend clinical laboratories have in place a plan for performing tests and distributing results prior to a cyberattack
Hospitals of all sizes continue to be prime targets for sophisticated cyberattacks, where hackers remotely disable a healthcare network’s computer systems—including its laboratory information system—and extort ransomware payments. Similar attacks are happening to clinical laboratories and other providers, although not with the same frequency.
Recently, hospitals in Illinois, Idaho, Vermont, Indiana, and other states had their ability to treat patients severely reduced and, in some cases, completely shut down by cybercriminals, endangering lives and costing millions of dollars in damages.
Today’s hospitals rely on information technology (IT) for patient care workflow, internal/external communication, billing, and medical laboratory testing. It’s this reliance on computer/internet technology, combined with the vast quantities of protected health information (PHI), that makes hospitals such ripe targets for attack.
In June, a US cancer center had to take its digital services offline which “significantly reduced patient treatment capability” following a ransomware attack by a group of hackers known as the TimisoaraHackerTeam (THT), MedCity News reported.
“Patients don’t stop getting sick just because a hospital is hit by a ransomware attack,” Christian Dameff, MD, emergency physician at UC San Diego Health and lead author of a study that looked into how cyberattacks affect other hospitals in the area, told ABC News. “They have to go somewhere. So, what this research shows is that those patients go to neighboring hospitals that can be overwhelmed.” Clinical laboratories can also become overwhelmed with test orders when nearby hospitals lose their ability to distribute the results of critical lab tests. (Photo copyright: UC San Diego Health.)
“The attack halted the hospital’s ability to submit claims to insurers, Medicare or Medicaid for months, sending it into a financial spiral,” Linda Burt, RN, Vice President of Quality and Community Services at St. Margaret’s, told NBC News. “We were down a minimum of 14 weeks. And then you’re trying to recover. Nothing went out. No claims. Nothing got entered. So, it took months and months and months.”
Meanwhile, 88-bed Idaho Falls Community Hospital experienced a cyberattack in May that required it to divert ambulances to other hospitals for 24 hours, CNN reported. The provider’s sister healthcare facility, MountainView Hospital in Las Vegas, which shares the same computer system, was also affected.
The Idaho Falls attack “forced nurses and doctors … to use pen and paper rather than computers for patient charts,” a hospital spokesperson told CNN.
At the University of Vermont Medical Center (UVM), Burlington, Vermont, a ransomware attack affected healthcare services for 28 days, costing the provider $50 million to recover, and preventing healthcare workers from accessing critical treatment plans for cancer patients, ABC News reported.
UVM’s President and Chief Operating Officer, Stephen Leffler, MD, an emergency medicine physician, told ABC News that the 2020 cyberattack significantly disrupted clinical laboratory operations at UVM.
“When the laboratory had a critical lab result on someone, they couldn’t put it in the electronic medical record,” he explained. “They couldn’t call the floor. And so, we literally had our administrators start going in the lab, standing there and running a paper result to the floors.
“Everything that we do and rely on was down,” he added. “We actually sent some staff to Best Buy to buy Walkie Talkies!
“It can happen to you—even when you think it’s impossible,” Leffler warned.
And at Johnson Memorial Health, Franklin, Indiana, clinical laboratory tests took two hours to perform instead of 30 minutes, NPR said in its report on cyberattacks affecting Indiana providers. The lab had to use “runners” to share handwritten test results with caregivers and patients, NPR explained.
“You ask many CEOs across the country, ‘What keeps you up at night?’ Of course, they talk about workforce, financial pressures, and they say, ‘the possibility of a cyberattack,’” John Riggi, National Advisor for Cybersecurity and Risk at the American Hospital Association (AHA), told NPR.
Cyberattacks Affect Surrounding Hospitals
To make matters worse, cyberattacks have a “blast radius” that impacts the healthcare community around an attacked provider, Christian Dameff, MD, Assistant Professor, Emergency Medical Services, University of California, San Diego, told ABC News. Dameff was lead author of a study that looked at how healthcare providers near an attacked provider are affected.
“Hospitals adjacent to healthcare delivery organizations affected by ransomware attacks may see increases in patient census and may experience resource constraints affecting time-sensitive care for conditions such as acute stroke,” Dameff and co-authors wrote in a JAMA Open Network article titled, “Ransomware Attack Associated with Disruptions at Adjacent Emergency Departments in the US.”
“Healthcare cyberattacks such as ransomware are associated with greater disruptions to regional hospitals and should be treated as disasters,” they wrote.
Vigilance Is Required as Cyberattacks Increase
Ransomware attacks on hospitals climbed from 43 to 91 annually during the years 2016 to 2021, a separate study in JAMA Health Forum reported, adding that large organizations with multiple facilities were increasingly targeted.
The US experienced a 57% increase in cyberattacks in 2022 compared to 2021, according to a Check Point Research (CPR) report. Healthcare ranked second on the list of attacked industries, which Check Point attributed to the quantity and availability of personal and sensitive information, such as social security numbers and medical data.
“We expect the increase in cyber activity to only increase. With AI [artificial intelligence] technologies such as ChatGPT readily available, it is possible for hackers to generate malicious code and emails at a faster, more automated pace,” the CPR report noted.
For its part, the AHA said in a statement it plans to:
Work with federal agencies to mitigate cyber threats.
Advocate for increased government cybersecurity assistance.
Hospital clinical laboratory leaders need to be vigilant and work with colleagues to prevent cyberattacks. Check Point’s report advises, for example, avoiding malicious links and unexpected electronic attachments, as well as verifying that software is legitimate before downloading it. These are standard warnings, but they only work if staff members actually heed them.
Also important for diagnostics professionals is having a plan for performing clinical laboratory and anatomic pathology tests and distributing the results in the event of an attack.