LabCorp Cyberattack Impacts Testing Processes
Expert: Latest Attack on Healthcare Sector - Growing Target
Medical laboratory testing firm LabCorp is investigating a weekend cyberattack on its IT network, which resulted in the company taking certain of its systems offline, temporarily impacting its test processing and client access to lab results.
In a Monday 8-K filing with the U.S. Securities and Exchange Commission, the Burlington, N.C.-based company said it "detected suspicious activity" on its information technology network the weekend of July 14.
"LabCorp immediately took certain systems offline as part of its comprehensive response to contain the activity," the company said in its SEC filing. "This temporarily affected test processing and customer access to test results on or over the weekend. Work has been ongoing to restore full system functionality as quickly as possible, testing operations have substantially resumed [Monday], and we anticipate that additional systems and functions will be restored through the next several days."
Some customers of LabCorp Diagnostics may experience brief delays in receiving results as the company completes that process, LabCorp added.
"The suspicious activity has been detected only on LabCorp Diagnostics systems. There is no indication that it affected systems used by Covance Drug Development," a research unit of LabCorp, the company said.
"At this time, there is no evidence of unauthorized transfer or misuse of data. LabCorp has notified the relevant authorities of the suspicious activity and will cooperate in any investigation."
LabCorp did not immediately respond to an Information Security Media Group request for comment, including an inquiry into the type of cyberattack that occurred.
The hacking incident at LabCorp, a $10.3 billion company, is just the latest cyberattack on a large healthcare sector entity.
Indeed, the healthcare sector is increasingly a target for cyberattacks, ranging from ransomware to business email compromise, as well as other emerging assaults, said John Riggi, senior advisor of cybersecurity at the American Hospital Association, during a panel discussion on Tuesday hosted by the House of Representatives Homeland Security committee.
In some hospital ransomware attacks, cybercriminals "have gone after the back-ups first, and they compromise the vendor's network access to the backups," Riggi noted, making recovery from the attack even more difficult and more disruptive and potentially dangerous to patients.
However, while the healthcare sector was scammed out of about $675 million through business email compromise attacks in 2017, ransomware victims paid less - a total of about $2.3 million for extortionists to unlock data, according to FBI data, said Riggi, who worked for 30 years at the FBI before joining AHA earlier this year.
But while "ransomware is less of a threat dollar-wise compared to business email compromise ... ransomware is much more disruptive to the delivery of care to patients and safety," he noted.
"You lock down that medical equipment - intensive care units, and ERs might have to shut down," he noted.
In fact, a ransomware attack last week on Harrisonville, Mo.-based Cass Regional Medical Center, which includes 35 inpatient beds and several outpatient clinics, resulted in the hospital for several days diverting ambulances carrying stroke and trauma patients to other area facilities.
Cass Regional is just one of many healthcare entities to have a cyberattack impact patient care delivery. For instance, in 2016, MedStar Health, a 10-hospital system serving Maryland and the Washington area, was forced to shut down many of its systems to avoid the spread of malware. The attack forced the healthcare organization to temporarily resort to paper records, disrupting some patient appointments.
Panelist Greg Wolverton, CTO at CSI Solutions, noted that prior to joining the vendor he was CIO at ARCare, a federally qualified health center in Arkansas.
In December 2016, ARCare suffered a malware attack, which spread to other systems while the investigation into the assault was still underway.
"Everywhere there was fileshare, it kept replicating," he says. While extortionists demanded a $5,000 ransom, ARCare decided not to pay the ransom.
"We had significant intellectual property, research, billing" and other critical data on the affected systems, he says. Instead, the organization spent 96 days and more than $100,000 recovering its data from backups, he says.
The ransom "was only $5,000, but at the time there was no guarantee of anything," he says. "So, much to the chagrin of leadership, I decided we're not paying the ransom" because of the uncertainty in dealing with cybercriminals and the potential loss of critical data.
While ransomware poses a significant threat to healthcare sector entities, among the most worrisome emerging attacks on hospitals and other healthcare entities is crypto hijacking, Riggi said.
"This is a new threat... and a huge issue, especially when bitcoin was worth $20,000 [per bitcoin]. Bad guys have figured out 'we're going to try to deliver malware, penetrate a network ... and harness the vast computing power of some organizations like hospitals'" to mine digital currency, he said. "The bad guys follow the money."
Hospitals and other healthcare sector entities continue to be a growing target for cybercriminals, Riggi says. "The healthcare sector is the only sector that has health information, personally identifiable information and payment information ... intellectual property, research and national security information," he says, such as the data held by hospitals caring for U.S. military patients.
"You can cancel a credit card, but you can't cancel a diagnosis or a blood type," making stolen medical records more valuable to cybercriminals than payment card data.
Last month, in another incident, a federal court dismissed a lawsuit filed against LabCorp by a patient alleging the laboratory violated HIPAA by failing to shield from public view her personal health information displayed on a computer intake station at a hospital.
That ruling reaffirmed a longstanding precedent that individuals cannot file a lawsuit, known as a "private cause of action," for alleged HIPAA violations.