Thousands of pathologists and medical technologists may have had their private data stolen, though ASCP investigators did not confirm this as having happened
being entered” on the ASCP website, according to a letter sent by McDonald Hopkins PLC to then Attorney General of the New Hampshire Department of Justice (DOJ) Gordon MacDonald.
In “World’s Largest Pathologists Association Discloses Credit Card Incident,” Bleeping Computer, an information security and technology news publication, reported that on March 11 of this year, ASCP employees discovered their system had been hacked. They discerned that between March 3, 2020, and November 6, 2020, the attackers had access to personal information being entered on the ASCP website.
Bleeping Computer noted that “[the ASCP’s] member list includes over 100,000 medical laboratory professionals, clinical and anatomic pathologists, residents, and students.”
In a statement, the ASCP said, “We have recently been informed that our e-commerce website was the target of a cybersecurity attack that, for a limited time period, potentially exposed payment card data as it was entered on our website.”
The information that may have been stolen includes data pertaining to individual credit cards, names, credit or debit card numbers, expiration dates, and security codes (CVV) associated with the cards.
“We engaged external forensic investigators and data privacy professionals and conducted a thorough investigation into the incident,” the ASCP said in the statement.
What Type of Cyberattack?
Evidence collected regarding the ASCP data breach indicates the attack was part of a web-skimming assault. This involves installing malicious software, such as Magecart, onto an e-commerce website. The software acts like a credit card skimmer enabling hackers to steal the payment and personal information of customers who are actively inputting data on the attacked website. The data is then sent to remote servers where it is used for identity theft or sold to others.
ASCP says it does not permanently store any of its customers’ payment card data on its servers, Bleeping Computer reported, which greatly reduces the potential risk of data exposure. In addition, the ASCP has implemented extra security measures to prevent similar incidents from happening in the future.
“We resolved the issue that led to the potential exposure on the website. We implemented additional security safeguards to protect against future intrusions. We continue ongoing intensive monitoring of our website, to ensure that it exceeds industry standards to be secure of any malicious activity,” the ASCP said in a statement, Bleeping Computer reported.
In an interview with TechRepublic, Peter Blum (above), Group Product Manager at Google, discussed steps companies can take to proactively manage the threat of Magecart cyberattacks. “The best defense against Magecart attacks is preventing access,” Blum said. “Online companies need a solution that intercepts all of the API [application programming interface] calls your website makes to the browser and blocks access to sensitive data you have not previously authorized. This prevents any malicious script, or any non-critical third-party script, from gaining access to information your customers enter on your website. This same system should also have a monitoring component to alert companies when a third-party attempts to access sensitive information.” (Photo copyright: LinkedIn.)
Federal Rules and Regulations Concerning HIPAA and PHI
The ASCP stated they have no evidence that any customer data was misused after the incident occurred. As of May 14, the organization has not made an official, public statement regarding the situation on their website, but affected individuals and jurisdictions were sent letters to inform them of the data breach.
With over 130,000 current members, Chicago-based ASCP is the largest professional organization for pathologists and clinical laboratory professionals in the world. The organization did not respond to Dark Daily’s inquiries regarding the data breach.
Notify affected individuals within 60 days of the discovery of the breach. Notification should include a brief description of the breach, the types of information that may have been compromised, steps affected individuals should take to protect themselves from potential harm, and a description of what the organization is doing to investigate the breach, mitigate the harm, and prevent further breaches.
Hacked entity must inform the Secretary of Health and Human Services (HHS) within 60 days of the breach discovery if 500 or more individuals were affected. For breaches affecting less than 500 people, the breached entity may notify the Secretary of such breaches on an annual basis.
For breaches affecting more than 500 individuals, the hacked entity must also provide a notification to prominent media outlets, typically via a press release, that serve the state or jurisdiction.
This breach of credit card information belonging to a sizeable number of pathologists and clinical laboratory professionals using the ASCP website should be a warning to all clinical laboratories and anatomic pathology groups—along with colleges, societies, and associations—that their websites and digital systems can be attacked at any time. As well, clinical laboratory and pathology professionals should be on the alert and take all necessary precautions to minimize the possibility of data breaches.
Despite the widespread adoption of electronic health record (EHR) systems and billions in government incentives, lack of interoperability still blocks potential benefits of digital health records, causing frustration among physicians, medical labs, and patients
Clinical laboratories and anatomic pathology groups understand the complexity of today’s electronic health record (EHR) systems. The ability to easily and securely transmit pathology test results and other diagnostic information among multiple providers was the entire point of shifting the nation’s healthcare industry from paper-based to digital health records. However, despite recent advances, true interoperability between disparate health networks remains elusive.
One major reason for the current situation is that multi-hospital health systems and health networks still use EHR systems from different vendors. This fact is well-known to the nation’s medical laboratories because they must spend money and resources to maintain electronic lab test ordering and resulting interfaces with all of these different EHRs.
Healthcare IT News highlighted the scale of this problem in recent coverage. Citing data from the Healthcare Information and Management Systems Society (HIMSS) Logic database, they note that—when taking into account affiliated providers—the typical health network engages with as many as 18 different electronic medical record (EMR) vendors. Similarly, hospitals may be engaging with as many as 16 different EMR vendors.
The graphics above illustrates why interoperability is the most important hurdle facing healthcare today. Although the shift to digital is well underway, medical laboratories, physicians, and patients still struggle to communicate data between providers and access it in a universal or centralized manner. (Images copyright: Healthcare IT News.)
The lack of interoperability forces healthcare and diagnostics facilities to develop workarounds for locating, transmitting, receiving, and analyzing data. This simply compounds the problem.
Pressure from Technology Giants Fuels Push for Interoperability
According to HITECH Answers, the Centers for Medicare and Medicaid Services (CMS) has paid out more than $38-billion in EHR Incentive Program payments since April 2018.
Experts, however, point out that government incentives are only one part of the pressure vendors are seeing to improve interoperability.
“There needs to be a regulatory push here to play referee and determine what standards will be necessary,” Blain Newton, Executive Vice President, HIMSS Analytics, told Healthcare IT News. “But the [EHR] vendors are going to have to do it because of consumer demand, as things like Apple Health Records gain traction.”
Another solution, according to TechTarget, involves developing application programming interfaces (APIs) that allow tech companies and EHR vendors to achieve better interoperability by linking information in a structured manner, facilitating secure data transmission, and powering the next generation of apps that will bring interoperability ever closer to a reality.
TechTarget reported on how University of Utah Hospital’s five hospital/12 community clinic health network, and Intermountain Healthcare, also in Utah, successfully used APIs to develop customized interfaces and apps to improve accessibility and interoperability with their Epic and Cerner EHR systems.
Diagnostic Opportunities for Clinical Laboratories
As consumers gain increased access to their data and healthcare providers harness the current generation of third-party tools to streamline EHR use, vendors will continue to feel pressure to make interoperability a native feature of their EHR systems and reduce the need to rely on HIT teams for customization.
For pathology groups, medical laboratories, and other diagnosticians who interact with EHR systems daily, the impact of interoperability is clear. With the help of tech companies, and a shift in focus from government incentives programs, improved interoperability might soon offer innovative new uses for PHI in diagnosing and treating disease, while further improving the efficiency of clinical laboratories that face tightening budgets, reduced reimbursements, and greater competition.
Meaningful Use Stage 3 focuses on interoperability, which is good news for medical laboratories that must spend time and money to develop effective LIS-EHR interfaces
On December 15, 2015, the final rule for Stage 3 meaningful use (MU) went into effect. By now, pathologists and clinical laboratory managers and personnel are well-acquainted with the MU incentive program and the myriad of challenges it presents for almost everyone working in the healthcare sector.
That’s good news for providers struggling with EHR attestation. However, the struggle for clinical laboratories isn’t with attestation per se, it’s with interoperability between lab information systems (LIS) and physicians’ EHRs. (more…)
New blood chemistry monitoring device could replace some traditional laboratory testing
There’s a new technology that makes it possible to continuously monitor an individual’s blood chemistry and wirelessly transmit the data. This technology uses a transdermal patch and is a different approach to clinical diagnostics with the potential to supplant some traditional medical laboratory testing.
This transdermal patch was developed by Sano Intelligence, one of San Francisco-based Rock Health’s start ups for 2012. These developments were reported in a story published by Co.EXIST. (more…)
