News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel


American Society for Clinical Pathology Website Was Hacked Last Year, Possibly Exposing Credit Card Information of Members and Online Shoppers

Thousands of pathologists and medical technologists may have had their private data stolen, though ASCP investigators did not confirm this as having happened

For a “limited time period” in 2020, the American Society for Clinical Pathology (ASCP) was the target of a cyberattack that “potentially exposed payment card data as it was being entered” on the ASCP website, according to a letter sent by McDonald Hopkins PLC to Gordon MacDonald, then Attorney General at the New Hampshire Department of Justice (DOJ).

In “World’s Largest Pathologists Association Discloses Credit Card Incident,” Bleeping Computer, an information security and technology news publication, reported that on March 11 of this year, ASCP employees discovered their system had been hacked. They discerned that between March 3, 2020, and November 6, 2020, the attackers had access to personal information being entered on the ASCP website.

Bleeping Computer noted that “[the ASCP’s] member list includes over 100,000 medical laboratory professionals, clinical and anatomic pathologists, residents, and students.”

In a statement, the ASCP said, “We have recently been informed that our e-commerce website was the target of a cybersecurity attack that, for a limited time period, potentially exposed payment card data as it was entered on our website.”

The information that may have been stolen includes cardholder names, credit or debit card numbers, expiration dates, and the security codes (CVV) associated with the cards.

“We engaged external forensic investigators and data privacy professionals and conducted a thorough investigation into the incident,” the ASCP said in the statement.

What Type of Cyberattack?

Evidence collected regarding the ASCP data breach indicates the attack was a web-skimming assault. In this type of attack, malicious code such as a Magecart skimmer is injected into an e-commerce website’s pages. The code acts like a physical credit card skimmer, capturing the payment and personal details that customers type into the compromised site’s forms. The captured data is then sent to remote servers, where it is used for identity theft or sold to others.

ASCP says it does not permanently store any of its customers’ payment card data on its servers, Bleeping Computer reported, which greatly reduces the risk that stored data was exposed; a skimmer, however, captures card data in the browser as it is entered, before it reaches any server. In addition, the ASCP has implemented extra security measures to prevent similar incidents from happening in the future.

“We resolved the issue that led to the potential exposure on the website. We implemented additional security safeguards to protect against future intrusions. We continue ongoing intensive monitoring of our website, to ensure that it exceeds industry standards to be secure of any malicious activity,” the ASCP said in a statement, Bleeping Computer reported.

In an interview with TechRepublic, Peter Blum (above), Group Product Manager at Google, discussed steps companies can take to proactively manage the threat of Magecart cyberattacks. “The best defense against Magecart attacks is preventing access,” Blum said. “Online companies need a solution that intercepts all of the API [application programming interface] calls your website makes to the browser and blocks access to sensitive data you have not previously authorized. This prevents any malicious script, or any non-critical third-party script, from gaining access to information your customers enter on your website. This same system should also have a monitoring component to alert companies when a third-party attempts to access sensitive information.” (Photo copyright: LinkedIn.)
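The allowlist approach Blum describes, applied to a checkout page’s own script tags, as an added example (not code from ASCP, Google, or any tool the article names): it audits the page for scripts loaded from unapproved origins or without a Subresource Integrity hash, and emits a Content-Security-Policy that confines script loading and outbound connections to approved hosts. The hostnames, page HTML and integrity value are constructed placeholders.

```javascript
// Added example (not ASCP's or Google's code); all hostnames are constructed.
const SCRIPT_RE = /<script\b([^>]*)>[\s\S]*?<\/script>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;  // double-quoted attributes only

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Classify each script: first-party, authorized and SRI-pinned, authorized but unpinned, unauthorized, or inline.
function auditScripts(html, pageOrigin, authorizedOrigins) {
  const findings = { unauthorized: [], unpinned: [], inline: 0 };
  for (const m of html.matchAll(SCRIPT_RE)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) { findings.inline += 1; continue; }  // inline code cannot be SRI-pinned
    const src = new URL(attrs.src, pageOrigin);          // resolves relative paths
    if (src.origin === pageOrigin) continue;             // first-party script
    if (!authorizedOrigins.includes(src.origin)) findings.unauthorized.push(attrs.src);
    else if (!attrs.integrity) findings.unpinned.push(attrs.src);  // could change silently on the CDN
  }
  return findings;
}

// CSP that confines script loading to approved origins and, via connect-src and
// form-action, leaves a script nowhere sanctioned to send what it reads from the form.
function buildCsp(authorizedOrigins, connectOrigins) {
  return [
    "default-src 'self'",
    `script-src 'self' ${authorizedOrigins.join(' ')}`,
    `connect-src 'self' ${connectOrigins.join(' ')}`,
    "form-action 'self'",
  ].join('; ');
}

// Constructed sample checkout page (hosts and the integrity value are placeholders).
const SAMPLE_HTML = `
<form id="checkout"><input name="card_number"><input name="cvv"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.payments.example/sdk.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://static.analytics.example/track.js"></script>
<script src="https://cdn.unknown.example/lib.js"></script>
<script>window.cfg = {};</script>
`;
const PAGE_ORIGIN = 'https://shop.example';
const AUTHORIZED = ['https://cdn.payments.example', 'https://static.analytics.example'];

console.log(auditScripts(SAMPLE_HTML, PAGE_ORIGIN, AUTHORIZED));
console.log(buildCsp(AUTHORIZED, ['https://api.payments.example']));
```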

Federal Rules and Regulations Concerning HIPAA and PHI

The ASCP stated that it has no evidence that any customer data was misused after the incident occurred. As of May 14, the organization had not posted an official public statement about the situation on its website, but it sent letters to affected individuals and jurisdictions to inform them of the data breach.

With over 130,000 current members, Chicago-based ASCP is the largest professional organization for pathologists and clinical laboratory professionals in the world. The organization did not respond to Dark Daily’s inquiries regarding the data breach.

Although no reported violations under the Health Insurance Portability and Accountability Act (HIPAA) occurred in this ASCP data breach, it should be noted that there are rules under HIPAA for data breaches where Protected Health Information (PHI) may have been compromised.

Under the HIPAA Breach Notification Rule, entities that were hacked must perform the following steps:

  • Notify affected individuals within 60 days of discovering the breach. The notification should include a brief description of the breach, the types of information that may have been compromised, the steps affected individuals should take to protect themselves from potential harm, and a description of what the organization is doing to investigate the breach, mitigate the harm, and prevent further breaches.
  • Notify the Secretary of Health and Human Services (HHS) within 60 days of discovering the breach if 500 or more individuals were affected. For breaches affecting fewer than 500 people, the breached entity may notify the Secretary of such breaches on an annual basis.
  • For breaches affecting more than 500 individuals, also notify prominent media outlets serving the state or jurisdiction, typically via a press release.

This breach of credit card information belonging to a sizeable number of pathologists and clinical laboratory professionals using the ASCP website should be a warning to all clinical laboratories and anatomic pathology groups—along with colleges, societies, and associations—that their websites and digital systems can be attacked at any time. As well, clinical laboratory and pathology professionals should be on the alert and take all necessary precautions to minimize the possibility of data breaches.

—JP Schlingman

Related Information:

World’s Largest Pathologists Association Discloses Card Incident

American Society for Clinical Pathology—Incident Notification

ASCP Disclosed Payment Card Web Skimming Incident

Magecart Attack: What It is, How it Works, and How to Prevent It

What is Magecart? How This Hacker Group Steals Payment Card Data

A Deep Dive into Magecart: What Is Magecart?

Compliance Perspectives: State Enforcement Raises Liability Risks of Data Breaches

Three Federal Agencies Warn Healthcare Providers of Pending Ransomware Attacks; Clinical Laboratories Advised to Assess Their Cyberdefenses

University of California San Diego Researchers Demonstrate How Easily Medical Laboratory Systems and Devices Can Be Compromised, Putting Patient Lives at Risk

WannaCry Ransomware Holds Critical Data Hostage Worldwide, Including UK’s National Health Service and Russia’s Interior Ministry

Sorting through EHR Interoperability: A Modern Day Tower of Babel That Corrects Problems for Clinical Laboratories, Other Providers

Despite the widespread adoption of electronic health record (EHR) systems and billions in government incentives, lack of interoperability still blocks potential benefits of digital health records, causing frustration among physicians, medical labs, and patients

Clinical laboratories and anatomic pathology groups understand the complexity of today’s electronic health record (EHR) systems. The ability to easily and securely transmit pathology test results and other diagnostic information among multiple providers was the entire point of shifting the nation’s healthcare industry from paper-based to digital health records. However, despite recent advances, true interoperability between disparate health networks remains elusive.

One major reason for the current situation is that multi-hospital health systems and health networks still use EHR systems from different vendors. This fact is well-known to the nation’s medical laboratories because they must spend money and resources to maintain electronic lab test ordering and resulting interfaces with all of these different EHRs.

Healthcare IT News highlighted the scale of this problem in recent coverage. Citing data from the Healthcare Information and Management Systems Society (HIMSS) Logic database, they note that—when taking into account affiliated providers—the typical health network engages with as many as 18 different electronic medical record (EMR) vendors. Similarly, hospitals may be engaging with as many as 16 different EMR vendors.

The graphics above illustrate why interoperability is the most important hurdle facing healthcare today. Although the shift to digital is well underway, medical laboratories, physicians, and patients still struggle to communicate data between providers and to access it in a universal or centralized manner. (Images copyright: Healthcare IT News.)

The lack of interoperability forces healthcare and diagnostics facilities to develop workarounds for locating, transmitting, receiving, and analyzing data. This simply compounds the problem.

According to a 2018 Physician’s Foundation survey, nearly 40% of respondents identified EHR design and interoperability as the primary source of physician dissatisfaction. It has also been found to be the cause of physician burnout, as Dark Daily reported last year in, “EHR Systems Continue to Cause Burnout, Physician Dissatisfaction, and Decreased Face-to-Face Patient Care.”

Pressure from Technology Giants Fuels Push for Interoperability

According to HITECH Answers, the Centers for Medicare and Medicaid Services (CMS) has paid out more than $38 billion in EHR Incentive Program payments since April 2018.

Experts, however, point out that government incentives are only one part of the pressure vendors are seeing to improve interoperability.

“There needs to be a regulatory push here to play referee and determine what standards will be necessary,” Blain Newton, Executive Vice President, HIMSS Analytics, told Healthcare IT News. “But the [EHR] vendors are going to have to do it because of consumer demand, as things like Apple Health Records gain traction.”

Dark Daily covered Apple’s progress in organizing protected health information (PHI) and personal health records (PHRs) earlier this year in, “Apple’s Update of Its Mobile Health App Consolidates Data from Multiple EHRs and Makes It Easier to Push Clinical Laboratory Data to Patients.” It is one of the latest examples of Silicon Valley tech companies attempting to enter the health sector and give patients and consumers access to the troves of medical data created over their lifetimes.

Another solution, according to TechTarget, involves developing application programming interfaces (APIs) that allow tech companies and EHR vendors to achieve better interoperability by linking information in a structured manner, facilitating secure data transmission, and powering the next generation of apps that will bring interoperability ever closer to a reality.

TechTarget reported on how University of Utah Hospital’s health network of five hospitals and 12 community clinics, and Intermountain Healthcare, also in Utah, successfully used APIs to develop customized interfaces and apps that improve accessibility and interoperability with their Epic and Cerner EHR systems.

Diagnostic Opportunities for Clinical Laboratories

As consumers gain increased access to their data and healthcare providers harness the current generation of third-party tools to streamline EHR use, vendors will continue to feel pressure to make interoperability a native feature of their EHR systems and reduce the need to rely on HIT teams for customization.

For pathology groups, medical laboratories, and other diagnosticians who interact with EHR systems daily, the impact of interoperability is clear. With the help of tech companies, and a shift in focus from government incentives programs, improved interoperability might soon offer innovative new uses for PHI in diagnosing and treating disease, while further improving the efficiency of clinical laboratories that face tightening budgets, reduced reimbursements, and greater competition.

—Jon Stone

Related Information:

Why EHR Data Interoperability Is Such a Mess in 3 Charts

EHR Incentive Program Status Report April 2018

New FDA App Streamlines EHR Patient Data Collection for Researchers

AAFP Nudges ONC toward EHR Interoperability

A New Breed of Interoperable EHR Apps Is Coming, but Slowly

Top Interoperability Questions to Consider during EHR Selection

EHR Design, Interoperability Top List of Physician Pain Points

2018 Survey of America’s Physicians: Practice Patterns & Perspectives

ONC: 93% of Hospitals Have Adopted Most Recent EHR Criteria, but Most Lag in Interoperability

Open Standards and Health Care Transformation: It’s Finally Delivering on the Value It Promised

Apple’s Update of Its Mobile Health App Consolidates Data from Multiple EHRs and Makes It Easier to Push Clinical Laboratory Data to Patients

EHR Systems Continue to Cause Burnout, Physician Dissatisfaction, and Decreased Face-to-Face Patient Care


ONC Releases Final Rule for Stage 3 Meaningful Use: What Most Affects Clinical Laboratories and Anatomic Pathology Groups

Meaningful Use Stage 3 focuses on interoperability, which is good news for medical laboratories that must spend time and money to develop effective LIS-EHR interfaces

On December 15, 2015, the final rule for Stage 3 meaningful use (MU) went into effect. By now, pathologists and clinical laboratory managers and personnel are well-acquainted with the MU incentive program and the myriad challenges it presents for almost everyone working in the healthcare sector.

Although the implementation of electronic health records (EHRs) has caused labs some headaches, the Stage 3 MU requirements could reduce some of that pressure. One of the biggest changes in Stage 3, according to the Office of the Federal Register (OFR), is that the ONC is “finalizing changes to remove the menu and core structure of Stage 1 and Stage 2 and reduce the number of objectives to which a provider must attest.” There will be fewer objectives to prove an EHR system is being used in a meaningful way.

That’s good news for providers struggling with EHR attestation. However, the struggle for clinical laboratories isn’t with attestation per se; it’s with interoperability between laboratory information systems (LIS) and physicians’ EHRs.

Transdermal Patch Continuously Monitors Blood Chemistry—Without Needles and Clinical Pathology Laboratory Testing

New blood chemistry monitoring device could replace some traditional laboratory testing

There’s a new technology that makes it possible to continuously monitor an individual’s blood chemistry and wirelessly transmit the data. This technology uses a transdermal patch and is a different approach to clinical diagnostics with the potential to supplant some traditional medical laboratory testing.

This transdermal patch was developed by Sano Intelligence, one of San Francisco-based Rock Health’s 2012 startups. These developments were reported in a story published by Co.EXIST.
