Thousands of pathologists and medical technologists may have had their private data stolen, though ASCP investigators did not confirm this as having happened
being entered” on the ASCP website, according to a letter sent by McDonald Hopkins PLC to then Attorney General of the New Hampshire Department of Justice (DOJ) Gordon MacDonald.
In “World’s Largest Pathologists Association Discloses Credit Card Incident,” Bleeping Computer, an information security and technology news publication, reported that on March 11 of this year, ASCP employees discovered their system had been hacked. They discerned that between March 3, 2020, and November 6, 2020, the attackers had access to personal information being entered on the ASCP website.
Bleeping Computer noted that “[the ASCP’s] member list includes over 100,000 medical laboratory professionals, clinical and anatomic pathologists, residents, and students.”
In a statement, the ASCP said, “We have recently been informed that our e-commerce website was the target of a cybersecurity attack that, for a limited time period, potentially exposed payment card data as it was entered on our website.”
The information that may have been stolen includes data pertaining to individual credit cards, names, credit or debit card numbers, expiration dates, and security codes (CVV) associated with the cards.
“We engaged external forensic investigators and data privacy professionals and conducted a thorough investigation into the incident,” the ASCP said in the statement.
What Type of Cyberattack?
Evidence collected regarding the ASCP data breach indicates the attack was part of a web-skimming assault. This involves installing malicious software, such as Magecart, onto an e-commerce website. The software acts like a credit card skimmer enabling hackers to steal the payment and personal information of customers who are actively inputting data on the attacked website. The data is then sent to remote servers where it is used for identity theft or sold to others.
ASCP says it does not permanently store any of its customers’ payment card data on its servers, Bleeping Computer reported, which greatly reduces the potential risk of data exposure. In addition, the ASCP has implemented extra security measures to prevent similar incidents from happening in the future.
“We resolved the issue that led to the potential exposure on the website. We implemented additional security safeguards to protect against future intrusions. We continue ongoing intensive monitoring of our website, to ensure that it exceeds industry standards to be secure of any malicious activity,” the ASCP said in a statement, Bleeping Computer reported.
Federal Rules and Regulations Concerning HIPAA and PHI
The ASCP stated they have no evidence that any customer data was misused after the incident occurred. As of May 14, the organization has not made an official, public statement regarding the situation on their website, but affected individuals and jurisdictions were sent letters to inform them of the data breach.
With over 130,000 current members, Chicago-based ASCP is the largest professional organization for pathologists and clinical laboratory professionals in the world. The organization did not respond to Dark Daily’s inquiries regarding the data breach.
Notify affected individuals within 60 days of the discovery of the breach. Notification should include a brief description of the breach, the types of information that may have been compromised, steps affected individuals should take to protect themselves from potential harm, and a description of what the organization is doing to investigate the breach, mitigate the harm, and prevent further breaches.
Hacked entity must inform the Secretary of Health and Human Services (HHS) within 60 days of the breach discovery if 500 or more individuals were affected. For breaches affecting less than 500 people, the breached entity may notify the Secretary of such breaches on an annual basis.
For breaches affecting more than 500 individuals, the hacked entity must also provide a notification to prominent media outlets, typically via a press release, that serve the state or jurisdiction.
This breach of credit card information belonging to a sizeable number of pathologists and clinical laboratory professionals using the ASCP website should be a warning to all clinical laboratories and anatomic pathology groups—along with colleges, societies, and associations—that their websites and digital systems can be attacked at any time. As well, clinical laboratory and pathology professionals should be on the alert and take all necessary precautions to minimize the possibility of data breaches.
Despite the widespread adoption of electronic health record (EHR) systems and billions in government incentives, lack of interoperability still blocks potential benefits of digital health records, causing frustration among physicians, medical labs, and patients
Clinical laboratories and anatomic pathology groups understand the complexity of today’s electronic health record (EHR) systems. The ability to easily and securely transmit pathology test results and other diagnostic information among multiple providers was the entire point of shifting the nation’s healthcare industry from paper-based to digital health records. However, despite recent advances, true interoperability between disparate health networks remains elusive.
One major reason for the current situation is that multi-hospital health systems and health networks still use EHR systems from different vendors. This fact is well-known to the nation’s medical laboratories because they must spend money and resources to maintain electronic lab test ordering and resulting interfaces with all of these different EHRs.
Healthcare IT News highlighted the scale of this problem in recent coverage. Citing data from the Healthcare Information and Management Systems Society (HIMSS) Logic database, they note that—when taking into account affiliated providers—the typical health network engages with as many as 18 different electronic medical record (EMR) vendors. Similarly, hospitals may be engaging with as many as 16 different EMR vendors.
The graphics above illustrates why interoperability is the most important hurdle facing healthcare today. Although the shift to digital is well underway, medical laboratories, physicians, and patients still struggle to communicate data between providers and access it in a universal or centralized manner. (Images copyright: Healthcare IT News.)
The lack of interoperability forces healthcare and diagnostics facilities to develop workarounds for locating, transmitting, receiving, and analyzing data. This simply compounds the problem.
Pressure from Technology Giants Fuels Push for Interoperability
According to HITECH Answers, the Centers for Medicare and Medicaid Services (CMS) has paid out more than $38-billion in EHR Incentive Program payments since April 2018.
Experts, however, point out that government incentives are only one part of the pressure vendors are seeing to improve interoperability.
“There needs to be a regulatory push here to play referee and determine what standards will be necessary,” Blain Newton, Executive Vice President, HIMSS Analytics, told Healthcare IT News. “But the [EHR] vendors are going to have to do it because of consumer demand, as things like Apple Health Records gain traction.”
Another solution, according to TechTarget, involves developing application programming interfaces (APIs) that allow tech companies and EHR vendors to achieve better interoperability by linking information in a structured manner, facilitating secure data transmission, and powering the next generation of apps that will bring interoperability ever closer to a reality.
TechTarget reported on how University of Utah Hospital’s five hospital/12 community clinic health network, and Intermountain Healthcare, also in Utah, successfully used APIs to develop customized interfaces and apps to improve accessibility and interoperability with their Epic and Cerner EHR systems.
Diagnostic Opportunities for Clinical Laboratories
As consumers gain increased access to their data and healthcare providers harness the current generation of third-party tools to streamline EHR use, vendors will continue to feel pressure to make interoperability a native feature of their EHR systems and reduce the need to rely on HIT teams for customization.
For pathology groups, medical laboratories, and other diagnosticians who interact with EHR systems daily, the impact of interoperability is clear. With the help of tech companies, and a shift in focus from government incentives programs, improved interoperability might soon offer innovative new uses for PHI in diagnosing and treating disease, while further improving the efficiency of clinical laboratories that face tightening budgets, reduced reimbursements, and greater competition.
Future EHRs will focus on efficiency, machine learning, and cloud services—improving how physicians and medical laboratories interact with the systems to support precision medicine and streamlined workflows
When the next generation of electronic health record (EHR) systems reaches the market, they will have advanced features that include cloud-based services and the ability to collect data from and communicate with patients using mobile devices. These new developments will provide clinical laboratories and anatomic pathology groups with new opportunities to create value with their lab testing services.
Proposed Improvements and Key Trends
Experts with EHR developers Epic Systems, Allscripts, Accenture, and drchrono spoke recently with Healthcare IT News about future platform initiatives and trends they feel will shape their next generation of EHR offerings.
They include:
Automation analytics and human-centered designs for increased efficiency and to help reduce physician burnout;
Improved feature parity across mobile and computer EHR interfaces to provide patients, physicians, and medical laboratories with access to information across a range of technologies and locations;
A shift toward cloud-hosted EHR solutions with support for application programming interfaces (APIs) designed for specific healthcare facilities that reduce IT overhead and make EHR systems accessible to smaller practices and facilities.
Should these proposals move forward, future generations of EHR platforms could transform from simple data storage/retrieval systems into critical tools physicians and medical laboratories use to facilitate communications and support decision-making in real time.
And, cloud-based EHRs with access to clinical labs’ APIs could enable those laboratories to communicate with and receive data from EHR systems with greater efficiency. This would eliminate yet another bottleneck in the decision-making process, and help laboratories increase volumes and margins through reduced documentation and data management overhead.
Cloud-based EHRs and Potential Pitfalls
Cloud-based EHRs rely on cloud computing, where IT resources are shared among multiple entities over the Internet. Such EHRs are highly scalable and allow end users to save money by hiring third-party IT services, rather than maintaining expensive IT staff.
Kipp Webb, MD, provider practice lead and Chief Clinical Innovation Officer at Accenture told Healthcare IT News that several EHR vendors are only a few years out on releasing cloud-based inpatient/outpatient EHR systems capable of meeting the needs of full-service medical centers.
While such a system would mean existing health networks would not need private infrastructure and dedicate IT teams to manage EHR system operations, a major shift in how next-gen systems are deployed and maintained could lead to potential interoperability and data transmission concerns. At least in the short term.
Yet, the transition also could lead to improved flexibility and connectivity between health networks and data providers—such as clinical laboratories and pathologist groups. This would be achieved through application programming interfaces (APIs) that enable computer systems to talk to each other and exchange data much more efficiently.
“Perhaps one of the biggest ways having a fully cloud-based EHR will change the way we as an industry operate will be enabled API access.” Daniel Kivatinos, COO and founder of drchrono, told Healthcare IT News. “You will be able to add other partners into the mix that just weren’t available before when you have a local EHR install only.”
Paul Black, CEO of Allscripts, believes these changes will likely require more than upgrading existing software or hardware. “The industry needs an entirely new approach to the EHR,” he told Healthcare IT News. “We’re seeing a huge need for the EHR to be mobile, cloud-based, and comprehensive to streamline workflow and get smarter with every use.” (Photo copyright: Allscripts.)
Reducing Physician Burnout through Human-Centered Design
As Dark Daily reported last year, EHRs have been identified as contributing to physician burnout, increased dissatisfaction, and decreased face-to-face interactions with patients.
Combined with the increased automation, Carl Dvorak, President of Epic Systems, notes next-gen EHR changes hold the potential to streamline the communication of orders, laboratory testing data, and information relevant to patient care. They could help physicians reach treatment decisions faster and provide laboratories with more insight, so they can suggest appropriate testing pathways for each episode of care.
“[Automation analytics] holds the key to unlocking some of the secrets to physician well-being,” Dvorak told Healthcare IT News. “For example, we can avoid work being unnecessarily diverted to physicians when it could be better managed by others.”
Black echoes similar benefits, saying, “We believe using human-centered design will transform the way physicians experience and interact with technology, as well as improve provider wellness.”
Some might question the success of the first wave of EHR systems. Though primarily built to address healthcare reform requirements, these systems provided critical feedback and data to EHR developers focused not on simply fulfilling regulatory requirements, but on meeting the needs of patients and care providers as well.
If these next-generations systems can help improve the quality of data recording, storage, and transmission, while also reducing physician burnout, they will have come a long way from the early EHRs. For medical laboratory professionals, these changes will likely impact how orders are received and lab results are reported back to doctors in the future. Thus, it’s worth monitoring these developments.
Meaningful Use Stage 3 focuses on interoperability, which is good news for medical laboratories that must spend time and money to develop effective LIS-EHR interfaces
On December 15, 2015, the final rule for Stage 3 meaningful use (MU) went into effect. By now, pathologists and clinical laboratory managers and personnel are well-acquainted with the MU incentive program and the myriad of challenges it presents for almost everyone working in the healthcare sector.
That’s good news for providers struggling with EHR attestation. However, the struggle for clinical laboratories isn’t with attestation per se, it’s with interoperability between lab information systems (LIS) and physicians’ EHRs. (more…)
Other topics of keen interest at the meeting were digital pathology, whole-slide imaging, and the role of pathology informatics in healthcare ‘big data’
PITTSBURGH, PENNSYLVANIA—During their annual meeting here last week, pathologists who are members of the Association for Pathology Informatics (API) made it clear that they are prepared to support fast and radical changes to anatomic pathology and clinical pathology.
Several speakers called attention to specific threats already disrupting the long-established model of the private pathology group practice. There was also no disagreement that cuts in fee-for-service reimbursement for key anatomic pathology CPT codes were already eroding the financial stability of many pathology practices and pathology lab companies. (more…)