While a recent report found that healthcare ransomware attacks declined in the first half of 2018, a spate of recent high-profile healthcare cybersecurity incidents the past few months serves as a stark reminder that the healthcare industry continues to be a ripe target for cyber attacks.
A cyber attack on Singapore’s public health system, SingHealth, breached the records of 1.5 million people and targeted the country’s prime minister, Singapore Ministry of Health officials announced on July 20. The breach impacted about a quarter of Singapore’s population of 5.6 million people. In a statement, officials said that it was a “deliberate, targeted and well-planned cyber attack,” and “not the work of casual hackers or criminal gangs.”
The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines, Ministry of Health officials said. Around 1.5 million people who visited outpatient clinics from May 1, 2015, to July 4, 2018 this year had their personal data accessed and copied, including names, identification card numbers, addresses, race, gender and dates of birth, officials said.
Kurt Long, CEO of healthcare data privacy company FairWarning, said the SingHealth data breach represents a “big picture” pattern. “Attackers and insider threats are increasingly more sophisticated in their tactics and can conduct widescale attacks associated with espionage, drug diversion, blackmail, fraud, identity theft, and cybersecurity attacks. Care providers need to implement robust behavioral monitoring tools to prevent incidents before they start,” Long said.
LabCorp, one of the largest clinical labs in the U.S., says it was hit with a new variant of ransomware during the weekend of July 14 and the company immediately took certain IT systems offline, according to a company statement. The public became aware of the security incident when LabCorp disclosed the incident via an 8-K filing with the Securities Exchange Commission. In that disclosure, the Burlington, N.C.-based laboratory diagnostics company said it had “detected suspicious activity on its information technology network.”
LabCorp said it immediately took certain systems offline as part of its comprehensive response to contain the activity and noted that this “temporarily affected test processing and customer access to test results on or over the weekend.” In a statement posted on its website, LabCorp said the “suspicious activity” was subsequently determined to be a new variant of ransomware. Operations have returned to normal, the company said.
The ransomware was detected only on LabCorp Diagnostics systems; Covance Drug Development systems were not affected by the ransomware. “As part of our in-depth and ongoing investigation into this incident, LabCorp has engaged outside security experts and is working with authorities, including law enforcement. The investigation has found no evidence of theft or misuse of customer or patient data,” the company stated. “We are confident that this ransomware did not and cannot spread to customer networks. LabCorp blocked the ransomware and enhanced our security measures, and thus we are confident that this particular ransomware cannot re-emerge on the LabCorp network.”
“This incident sheds light on how vulnerable the healthcare industry still is, and the value of the information within healthcare organizations,” Bill Dixon, a cybersecurity advisor with Kroll, a New York City-based risk solutions provider, says. Dixon is the associate managing director of Kroll’s cyber risk practice in the Los Angeles office.
More importantly, Dixon says, the LabCorp incident highlights the importance of having a solid, effective incident response plan. “In this particular case, it looks like they made a business decision to shut certain down parts of the business until they mitigated it correctly.”
Dixon also notes that while advanced cybersecurity technology solutions can help strengthen an organization’s defenses, smaller organizations that do not have those resources can still protect their systems and data. “Independent of the technology, the plan itself is really going to be what drives incident response. Having something in place where they can coordinate and understand who is doing what, and really build up a solid foundation of communication and roles and responsibilities, is going to be extremely important in that situation,” he says.
Fred Kneip, CEO of Denver-based risk management platform provider CyberGRX, said the LabCorp security incident highlights the need for healthcare organizations to be vigilant about managing third-party security. “Healthcare providers need to understand the level of risk introduced by each member of their dynamic portfolio of third-party providers, because it only takes one vulnerability for attackers to get in. It’s critical that healthcare organizations have the ability to assess third-party risk in real time, track emerging exposures and remediate issues like this LabCorp attack as they occur.”
Effective strategies to address ongoing and evolving cyber threats
Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.