3rd Party Risk Management,Breach Notification,Business Continuity Management / Disaster RecoveryMedical Management Systems Firm Discloses Cyber Incident, Risks to SECMarianne Kolbasuk McGee (HealthInfoSec)•May 11, 2022
A recent ransomware attack on a medication management systems provider is the latest reminder of persistent cybersecurity threats and risks facing healthcare supply chain and related vendors, as well as their customers.
See Also: Live Webinar | Remote Employees & the Great Resignation:How Are You Managing Insider Threats?
In a U.S. Securities and Exchange Commission 8-K filing on Monday, Mountain View, California-based Omnicell disclosed that it determined on May 4 that a ransomware attack had affected certain internal IT systems, and that the incident and its full effect were still being investigated.
"There is an impact on certain of the Company's products and services, as well as certain of its internal systems," says the filing by the medication automation solutions vendor, whose products are used in hospitals, pharmacies and other healthcare sector entities.
Upon detecting the security event, Omnicell says it took immediate steps to contain the incident and implement its business continuity plans to restore and support continued operations.
"The Company is in the early stages of its investigation and assessment of the security event and cannot determine, at this time, the extent of the impact from such event on our business, results of operations or financial condition or whether such impact will have a material adverse effect," the filing says.
Omnicell says it has notified law enforcement authorities and is also working closely with cybersecurity experts and legal counsel on the matter.
Omnicell in its quarterly earnings 10-Q form also filed with the SEC on Monday, acknowledges that "significant disruptions" in its IT systems, data breaches, or cyberattacks on its systems could adversely affect its business.
"We rely on IT systems to keep financial records and corporate records, communicate with staff and external parties, and operate other critical functions, including sales and manufacturing processes," Omnicell says in the filing.
"We also utilize third-party cloud services in connection with our operations … Our IT systems and third-party cloud services are potentially vulnerable to disruption due to breakdown, malicious intrusion and computer viruses, public health crises such as the ongoing COVID-19 pandemic, other catastrophic events or environmental impact, as well as due to system upgrades and/or new system implementations."
Omnicell says that its systems may also experience vulnerabilities from third-party or open-source software code that may be incorporated into its own or its vendors' systems. "Any prolonged system disruption in our IT systems or third-party services could negatively impact the coordination of our sales, planning, and manufacturing activities, which could harm our business," Omnicell says.
"In addition, in order to maximize our IT efficiency, we have physically consolidated our primary corporate data and computer operations. This concentration, however, exposes us to a greater risk of disruption to our internal IT systems."
Although Omnicell says it maintains offsite backups of its data, "a disruption of operations at our facilities could materially disrupt our business if we are not capable of restoring function within an acceptable time frame."
Omnicell also says its IT systems and third-party cloud services "are potentially vulnerable to cyberattacks, including ransomware, or other data security incidents, by employees or others, which may expose sensitive data to unauthorized persons."
"Data security incidents also could lead to the loss of trade secrets or other intellectual property, or to the public exposure of sensitive and confidential information of our employees, customers, suppliers, and others, any of which could have a material adverse effect on our business, financial condition, and results of operations," it says.
In addition, certain Omnicell solutions receive, store and process customers' data and are also at risk. For example, Omnicell's private cloud-based patient engagement system, EnlivenHealth, helps patients adhere to their medication goals through aweb-based platform, the company says.
"An effective attack on our solutions could disrupt the proper functioning of our solutions, allow unauthorized access to sensitive and confidential information of our customers - including protected health information - and disrupt our customers' operations," Omnicell says
No Sure Bets
Omnicell says it has implemented a number of security measures designed to protect its systems and data, including firewalls, antivirus and malware detection tools, patches, log monitors, routine backups, system audits, routine password modifications and disaster recovery procedures.
Also, the company says it has insurance that currently includes coverage for cyberattacks.
But, it says, "we have seen a trend where the amount of coverage being offered by insurance providers for such cyberattacks is decreasing while the cost of obtaining such coverage is increasing. If this trend continues, the insurance coverage we possess may not be adequate or the cost to obtain such coverage may become prohibitive.
"Any failure to prevent such security breaches or privacy violations, or implement satisfactory remedial measures, could require us to expend significant resources to remediate any damage, disrupt our operations or the operations of our customers, damage our reputation, damage our relationships with our customers, or expose us to a risk of financial loss, litigation, regulatory penalties, contractual indemnification obligations, or other liability."
Omnicell declined Information Security Media Group's request for additional details and comment on its recent ransomware incident.
Privacy attorney David Holtzman of consulting firm HITprivacy says Omnicell's reporting to the SEC of a ransomware attack points out "the glaring need" for federal regulations to better protect individuals whose data is disclosed through a cybersecurity or ransomware incident.
"Currently, publicly traded companies are required to report cybersecurity and ransomware in order to ensure the interests of their shareholders are protected," he says.
Holtzman say that except for those companies that are HIPAA-covered entities or subject to the Federal Trade Commission's regulations for personal health records, "there are no federal requirements to notify consumers when their personally identifiable information is compromised as a result of a cybersecurity or ransomware incident."
In the meantime, entities that have shared personally identifiable information with Omnicell should review their vendor contracts to ensure there are terms that specify the obligation of Omnicell to provide timely notification and detailed reports of their investigations into security incidents posing a risk of data compromise, he says.
Holtzman says the reports should detail the precise incident that occurred, the steps the vendor took during their investigation, a forensic analysis of the systems affected by the security event, an inventory of the data that belongs to the provider, and the exact data at risk of compromise.
The ransomware attack on Omnicell - and the company's stated risks involving cyberthreats and data breaches - are also reminders to other healthcare sector entities about the potential impact that supply chain and vendor security incidents can have on their own organizations.
Because the products and systems that healthcare suppliers provide can be essential to delivering lifesaving care, these products should be designed such that a cybersecurity attack can never cause direct or indirect harm, says Todd Ebert, president and CEO of the Healthcare Supply Chain Association.
In addition, no device should be able to act as a gateway to compromise a system, network, or another connected device, and all devices should be able to provide basic clinical functions on a stand-alone basis disconnected from all systems or networks, he tells ISMG.
Suppliers and healthcare providers alike need to be vigilant and make every effort to thwart attacks before they occur, and they must also be prepared for when an attack succeeds, so they can intervene quickly and limit the impact of the attack, Ebert says.
"Maintaining device and information security is a shared responsibility of the manufacturers and suppliers of connected devices and services as well as the healthcare delivery organizations that use them. Providing this security is a continual effort that requires vigilance, adaptation, and ongoing communication and collaboration between the parties."
One of the key components of preparedness is having a continuity plan for continuing operations if a device, devices or system must be isolated or shut down, he says. "Providers should also have plans in place to scrutinize any networks or systems to which the affected vendor's products are connected," he says.
"Providers should be wary of those products being a gateway for an attack on their own systems. It is very important that providers have an open and ongoing line of communication with the supplier's security team when dealing with an attack" (see: SBOMs in Healthcare Supply Chain Are Essential).
Patient Safety Concerns
Some experts say that security incidents involving third-party IT systems and software also highlight the risk to patient safety.
"Cyberattacks on healthcare entities can certainly put lives at risk," says Deidre Tompkins, senior manager of consulting at security firm Pondurance.
Such incidents can disrupt access to patient electronic health records, exploit vulnerabilities in medical devices and diagnostic equipment, and expose - or illegally disclose - PHI, she says. "Disruptions can also include delays and complications in procedures or tests and cause diversion of patients to other facilities."
In the bigger picture, last week, the National Institute of Standards and Technology - following President Joe Biden's recent executive orders regarding cybersecurity - revised its guidance for countering supply chain risks (see: NIST Updates Guidance for Supply Chain Risk Management).
The revised publication "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations" provides guidance on identifying, assessing and responding to cybersecurity risks throughout the supply chain at all levels of an organization.