News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel

News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel
Sign In

American Society for Clinical Pathology Website Was Hacked Last Year, Possibly Exposing Credit Card Information of Members and Online Shoppers

Thousands of pathologists and medical technologists may have had their private data stolen, though ASCP investigators did not confirm this as having happened

For a “limited time period” in 2020, the American Society for Clinical Pathology (ASCP) was the target of a cyberattack that “potentially exposed payment card data as it was

being entered” on the ASCP website, according to a letter sent by McDonald Hopkins PLC to then Attorney General of the New Hampshire Department of Justice (DOJ) Gordon MacDonald.

In “World’s Largest Pathologists Association Discloses Credit Card Incident,” Bleeping Computer, an information security and technology news publication, reported that on March 11 of this year, ASCP employees discovered their system had been hacked. They discerned that between March 3, 2020, and November 6, 2020, the attackers had access to personal information being entered on the ASCP website.

Bleeping Computer noted that “[the ASCP’s] member list includes over 100,000 medical laboratory professionals, clinical and anatomic pathologists, residents, and students.”

In a statement, the ASCP said, “We have recently been informed that our e-commerce website was the target of a cybersecurity attack that, for a limited time period, potentially exposed payment card data as it was entered on our website.”

The information that may have been stolen includes data pertaining to individual credit cards, names, credit or debit card numbers, expiration dates, and security codes (CVV) associated with the cards.

“We engaged external forensic investigators and data privacy professionals and conducted a thorough investigation into the incident,” the ASCP said in the statement.

What Type of Cyberattack?

Evidence collected regarding the ASCP data breach indicates the attack was part of a web-skimming assault. This involves installing malicious software, such as Magecart, onto an e-commerce website. The software acts like a credit card skimmer enabling hackers to steal the payment and personal information of customers who are actively inputting data on the attacked website. The data is then sent to remote servers where it is used for identity theft or sold to others.

ASCP says it does not permanently store any of its customers’ payment card data on its servers, Bleeping Computer reported, which greatly reduces the potential risk of data exposure. In addition, the ASCP has implemented extra security measures to prevent similar incidents from happening in the future.

“We resolved the issue that led to the potential exposure on the website. We implemented additional security safeguards to protect against future intrusions. We continue ongoing intensive monitoring of our website, to ensure that it exceeds industry standards to be secure of any malicious activity,” the ASCP said in a statement, Bleeping Computer reported.

Peter-Blum-Group-Product-Manager-Google
In an interview with TechRepublic, Peter Blum (above), Group Product Manager at Google, discussed steps companies can take to proactively manage the threat of Magecart cyberattacks. “The best defense against Magecart attacks is preventing access,” Blum said. “Online companies need a solution that intercepts all of the API [application programming interface] calls your website makes to the browser and blocks access to sensitive data you have not previously authorized. This prevents any malicious script, or any non-critical third-party script, from gaining access to information your customers enter on your website. This same system should also have a monitoring component to alert companies when a third-party attempts to access sensitive information.” (Photo copyright: LinkedIn.)

Federal Rules and Regulations Concerning HIPAA and PHI

The ASCP stated they have no evidence that any customer data was misused after the incident occurred. As of May 14, the organization has not made an official, public statement regarding the situation on their website, but affected individuals and jurisdictions were sent letters to inform them of the data breach.

With over 130,000 current members, Chicago-based ASCP is the largest professional organization for pathologists and clinical laboratory professionals in the world. The organization did not respond to Dark Daily’s inquiries regarding the data breach.

Although no reported violations under the Health Insurance Portability and Accountability Act (HIPAA) occurred in this ASCP data breach, it should be noted that there are rules under HIPAA for data breaches where Protected Health Information (PHI) may have been compromised.

Under the HIPAA Breach Notification Rule, entities that were hacked must perform the following steps:

  • Notify affected individuals within 60 days of the discovery of the breach. Notification should include a brief description of the breach, the types of information that may have been compromised, steps affected individuals should take to protect themselves from potential harm, and a description of what the organization is doing to investigate the breach, mitigate the harm, and prevent further breaches.
  • Hacked entity must inform the Secretary of Health and Human Services (HHS) within 60 days of the breach discovery if 500 or more individuals were affected. For breaches affecting less than 500 people, the breached entity may notify the Secretary of such breaches on an annual basis.
  • For breaches affecting more than 500 individuals, the hacked entity must also provide a notification to prominent media outlets, typically via a press release, that serve the state or jurisdiction.

This breach of credit card information belonging to a sizeable number of pathologists and clinical laboratory professionals using the ASCP website should be a warning to all clinical laboratories and anatomic pathology groups—along with colleges, societies, and associations—that their websites and digital systems can be attacked at any time. As well, clinical laboratory and pathology professionals should be on the alert and take all necessary precautions to minimize the possibility of data breaches.

—JP Schlingman

Related Information:

World’s Largest Pathologists Association Discloses Card Incident

American Society for Clinical Pathology—Incident Notification

ASCP Disclosed Payment Card Web Skimming Incident

Magecart Attack: What It is, How it Works, and How to Prevent It

What is Magecart? How This Hacker Group Steals Payment Card Data

A Deep Dive into Magecart: What Is Magecart?

Compliance Perspectives: State Enforcement Raises Liability Risks of Data Breaches

Three Federal Agencies Warn Healthcare Providers of Pending Ransomware Attacks; Clinical Laboratories Advised to Assess Their Cyberdefenses

University of California San Diego Researchers Demonstrates How Easily Medical Laboratory Systems and Devices Can Be Compromised, Putting Patient Lives at Risk

WannaCry Ransomware Holds Critical Data Hostage Worldwide, Including UK’s National Health Service and Russia’s Interior Ministry

Sorting through EHR Interoperability: A Modern Day Tower of Babel That Corrects Problems for Clinical Laboratories, Other Providers

Despite the widespread adoption of electronic health record (EHR) systems and billions in government incentives, lack of interoperability still blocks potential benefits of digital health records, causing frustration among physicians, medical labs, and patients

Clinical laboratories and anatomic pathology groups understand the complexity of today’s electronic health record (EHR) systems. The ability to easily and securely transmit pathology test results and other diagnostic information among multiple providers was the entire point of shifting the nation’s healthcare industry from paper-based to digital health records. However, despite recent advances, true interoperability between disparate health networks remains elusive.

One major reason for the current situation is that multi-hospital health systems and health networks still use EHR systems from different vendors. This fact is well-known to the nation’s medical laboratories because they must spend money and resources to maintain electronic lab test ordering and resulting interfaces with all of these different EHRs.

Healthcare IT News highlighted the scale of this problem in recent coverage. Citing data from the Healthcare Information and Management Systems Society (HIMSS) Logic database, they note that—when taking into account affiliated providers—the typical health network engages with as many as 18 different electronic medical record (EMR) vendors. Similarly, hospitals may be engaging with as many as 16 different EMR vendors.

The graphics above illustrates why interoperability is the most important hurdle facing healthcare today. Although the shift to digital is well underway, medical laboratories, physicians, and patients still struggle to communicate data between providers and access it in a universal or centralized manner. (Images copyright: Healthcare IT News.)

The lack of interoperability forces healthcare and diagnostics facilities to develop workarounds for locating, transmitting, receiving, and analyzing data. This simply compounds the problem.

According to a 2018 Physician’s Foundation survey, nearly 40% of respondents identified EHR design and interoperability as the primary source of physician dissatisfaction. It has also been found to be the cause of physician burnout, as Dark Daily reported last year in, “EHR Systems Continue to Cause Burnout, Physician Dissatisfaction, and Decreased Face-to-Face Patient Care.”

Pressure from Technology Giants Fuels Push for Interoperability

According to HITECH Answers, the Centers for Medicare and Medicaid Services (CMS) has paid out more than $38-billion in EHR Incentive Program payments since April 2018.

Experts, however, point out that government incentives are only one part of the pressure vendors are seeing to improve interoperability.

“There needs to be a regulatory push here to play referee and determine what standards will be necessary,” Blain Newton, Executive Vice President, HIMSS Analytics, told Healthcare IT News. “But the [EHR] vendors are going to have to do it because of consumer demand, as things like Apple Health Records gain traction.”

Dark Daily covered Apple’s progress into organizing protected health information (PHI) and personal health records (PHRs) earlier this year in, “Apple’s Update of Its Mobile Health App Consolidates Data from Multiple EHRs and Makes It Easier to Push Clinical Laboratory Data to Patients.” It is one of the latest examples of Silicon Valley tech companies attempting to jump into the health sector and providing patients and consumers access to the troves of medical data created in their lifetime.

Another solution, according to TechTarget, involves developing application programming interfaces (APIs) that allow tech companies and EHR vendors to achieve better interoperability by linking information in a structured manner, facilitating secure data transmission, and powering the next generation of apps that will bring interoperability ever closer to a reality.

TechTarget reported on how University of Utah Hospital’s five hospital/12 community clinic health network, and Intermountain Healthcare, also in Utah, successfully used APIs to develop customized interfaces and apps to improve accessibility and interoperability with their Epic and Cerner EHR systems.

Diagnostic Opportunities for Clinical Laboratories

As consumers gain increased access to their data and healthcare providers harness the current generation of third-party tools to streamline EHR use, vendors will continue to feel pressure to make interoperability a native feature of their EHR systems and reduce the need to rely on HIT teams for customization.

For pathology groups, medical laboratories, and other diagnosticians who interact with EHR systems daily, the impact of interoperability is clear. With the help of tech companies, and a shift in focus from government incentives programs, improved interoperability might soon offer innovative new uses for PHI in diagnosing and treating disease, while further improving the efficiency of clinical laboratories that face tightening budgets, reduced reimbursements, and greater competition.

—Jon Stone

Related Information:

Why EHR Data Interoperability Is Such a Mess in 3 Charts

EHR Incentive Program Status Report April 2018

New FDA App Streamlines EHR Patient Data Collection for Researchers

AAFP Nudges ONC toward EHR Interoperability

A New Breed of Interoperable EHR Apps Is Coming, but Slowly

Top Interoperability Questions to Consider during EHR Selection

EHR Design, Interoperability Top List of Physician Pain Points

2018 Survey of America’s Physicians: Practice Patterns & Perspectives

ONC: 93% of Hospitals Have Adopted Most Recent EHR Criteria, but Most Lag in Interoperability

Open Standards and Health Care Transformation: It’s Finally Delivering on the Value It Promised

Apple’s Update of Its Mobile Health App Consolidates Data from Multiple EHRs and Makes It Easier to Push Clinical Laboratory Data to Patients

EHR Systems Continue to Cause Burnout, Physician Dissatisfaction, and Decreased Face-to-Face Patient Care

 

Future EHR Systems Could Impact Clinical Laboratories by Offering Cloud Services and Full Access to Patients on Mobile Devices

Future EHRs will focus on efficiency, machine learning, and cloud services—improving how physicians and medical laboratories interact with the systems to support precision medicine and streamlined workflows

When the next generation of electronic health record (EHR) systems reaches the market, they will have advanced features that include cloud-based services and the ability to collect data from and communicate with patients using mobile devices. These new developments will provide clinical laboratories and anatomic pathology groups with new opportunities to create value with their lab testing services.

Proposed Improvements and Key Trends

Experts with EHR developers Epic Systems, Allscripts, Accenture, and drchrono spoke recently with Healthcare IT News about future platform initiatives and trends they feel will shape their next generation of EHR offerings.

They include:

  • Automation analytics and human-centered designs for increased efficiency and to help reduce physician burnout;
  • Improved feature parity across mobile and computer EHR interfaces to provide patients, physicians, and medical laboratories with access to information across a range of technologies and locations;
  • Integration of machine learning and predictive modeling to improve analytics and allow for better implementation of genomics-informed medicine and population health features; and
  • A shift toward cloud-hosted EHR solutions with support for application programming interfaces (APIs) designed for specific healthcare facilities that reduce IT overhead and make EHR systems accessible to smaller practices and facilities.

Should these proposals move forward, future generations of EHR platforms could transform from simple data storage/retrieval systems into critical tools physicians and medical laboratories use to facilitate communications and support decision-making in real time.

And, cloud-based EHRs with access to clinical labs’ APIs could enable those laboratories to communicate with and receive data from EHR systems with greater efficiency. This would eliminate yet another bottleneck in the decision-making process, and help laboratories increase volumes and margins through reduced documentation and data management overhead.

Cloud-based EHRs and Potential Pitfalls

Cloud-based EHRs rely on cloud computing, where IT resources are shared among multiple entities over the Internet. Such EHRs are highly scalable and allow end users to save money by hiring third-party IT services, rather than maintaining expensive IT staff.

Kipp Webb, MD, provider practice lead and Chief Clinical Innovation Officer at Accenture told Healthcare IT News that several EHR vendors are only a few years out on releasing cloud-based inpatient/outpatient EHR systems capable of meeting the needs of full-service medical centers.

While such a system would mean existing health networks would not need private infrastructure and dedicate IT teams to manage EHR system operations, a major shift in how next-gen systems are deployed and maintained could lead to potential interoperability and data transmission concerns. At least in the short term.

Yet, the transition also could lead to improved flexibility and connectivity between health networks and data providers—such as clinical laboratories and pathologist groups. This would be achieved through application programming interfaces (APIs) that enable computer systems to talk to each other and exchange data much more efficiently.

“Perhaps one of the biggest ways having a fully cloud-based EHR will change the way we as an industry operate will be enabled API access.” Daniel Kivatinos, COO and founder of drchrono, told Healthcare IT News. “You will be able to add other partners into the mix that just weren’t available before when you have a local EHR install only.”

Paul Black, CEO of Allscripts, believes these changes will likely require more than upgrading existing software or hardware. “The industry needs an entirely new approach to the EHR,” he told Healthcare IT News. “We’re seeing a huge need for the EHR to be mobile, cloud-based, and comprehensive to streamline workflow and get smarter with every use.” (Photo copyright: Allscripts.)

Reducing Physician Burnout through Human-Centered Design

As Dark Daily reported last year, EHRs have been identified as contributing to physician burnout, increased dissatisfaction, and decreased face-to-face interactions with patients.

Combined with the increased automation, Carl Dvorak, President of Epic Systems, notes next-gen EHR changes hold the potential to streamline the communication of orders, laboratory testing data, and information relevant to patient care. They could help physicians reach treatment decisions faster and provide laboratories with more insight, so they can suggest appropriate testing pathways for each episode of care.

“[Automation analytics] holds the key to unlocking some of the secrets to physician well-being,” Dvorak told Healthcare IT News. “For example, we can avoid work being unnecessarily diverted to physicians when it could be better managed by others.”

Black echoes similar benefits, saying, “We believe using human-centered design will transform the way physicians experience and interact with technology, as well as improve provider wellness.”

Some might question the success of the first wave of EHR systems. Though primarily built to address healthcare reform requirements, these systems provided critical feedback and data to EHR developers focused not on simply fulfilling regulatory requirements, but on meeting the needs of patients and care providers as well.

If these next-generations systems can help improve the quality of data recording, storage, and transmission, while also reducing physician burnout, they will have come a long way from the early EHRs. For medical laboratory professionals, these changes will likely impact how orders are received and lab results are reported back to doctors in the future. Thus, it’s worth monitoring these developments.

—Jon Stone

Related Information:

Next-Gen EHRs: Epic, Allscripts and Others Reveal Future of Electronic Health Records

Next-Gen IT Infrastructure: A Nervous System Backed by Analytics and Context

EHR Systems Continue to Cause Burnout, Physician Dissatisfaction, and Decreased Face-to-Face Patient Care

ONC Releases Final Rule for Stage 3 Meaningful Use: What Most Affects Clinical Laboratories and Anatomic Pathology Groups

Meaningful Use Stage 3 focuses on interoperability, which is good news for medical laboratories that must spend time and money to develop effective LIS-EHR interfaces

On December 15, 2015, the final rule for Stage 3 meaningful use (MU) went into effect. By now, pathologists and clinical laboratory managers and personnel are well-acquainted with the MU incentive program and the myriad of challenges it presents for almost everyone working in the healthcare sector.

Although the implementation of electronic health records (EHRs) has caused labs some headaches, the Stage 3 MU requirements could reduce some of that pressure. One of the biggest changes in Stage 3, according to the Office of the Federal Register (OFR), is that the ONC is “finalizing changes to remove the menu and core structure of Stage 1 and Stage 2 and reduce the number of objectives to which a provider must attest.” There will be fewer objectives to prove an EHR system is being used in a meaningful way.

That’s good news for providers struggling with EHR attestation. However, the struggle for clinical laboratories isn’t with attestation per se, it’s with interoperability between lab information systems (LIS) and physicians’ EHRs. (more…)

Leaders at the Association for Pathology Informatics Conference Issue Broad Call to Action in Response to Clinical and Financial Threats to Pathology Profession

Other topics of keen interest at the meeting were digital pathology, whole-slide imaging, and the role of pathology informatics in healthcare ‘big data’

PITTSBURGH, PENNSYLVANIA—During their annual meeting here last week, pathologists who are members of the Association for Pathology Informatics (API) made it clear that they are prepared to support fast and radical changes to anatomic pathology and clinical pathology.

Several speakers called attention to specific threats already disrupting the long-established model of the private pathology group practice. There was also no disagreement that cuts in fee-for-service reimbursement for key anatomic pathology CPT codes were already eroding the financial stability of many pathology practices and pathology lab companies. (more…)

;