Clinical laboratories and anatomic pathology groups should consider these cyberattacks on major healthcare entities as reminders that they should tighten their cybersecurity protections
Hackers continue to gain access to public health records—including clinical laboratory testing data—putting thousands of patients’ protected health information (PHI) at risk of being exposed. The latest important healthcare entity to become the victim of a ransomware attack is American Associated Pharmacies (AAP). According to The Register, AAP announced a ransomware operation called Embargo had stolen over 1.4 terabytes (TB) of data, encrypted those files, and demanded $1.3 million to decrypt the data.
Embargo claims that Scottsboro, Ala.-based AAP paid $1.3 million to have its systems restored. They are now demanding an additional $1.3 million to keep the stolen data private, the HIPAA Journal reported, adding, “The attack follows ransomware attacks on Memorial Hospital and Manor, an 80-bed community hospital and 107 long-term care facility in Georgia, and Weiser Memorial Hospital, a critical access hospital in Idaho.”
AAP has not publicly confirmed the ransomware attack, nor has it made an official statement regarding the breach. But it did post an “Important Notice” on its website reporting, “limited ordering capabilities for API Warehouse have been restored at APIRx.com.”
API Warehouse is a subsidiary of AAP that helps subscribers save on brand name and generic prescriptions via wholesale purchasing plans. It oversees more than 2,000 independent pharmacies across the US and has over 2,500 stock keeping units (SKUs) in its inventory.
The message further states “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites. Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”
“Embargo seems to have international and multi-sector victims and is not focusing on a specific victim profile. They seem opportunistic,” Mike Hamilton, founder and chief information security officer (CISO) of cybersecurity firm Critical Insight, told HealthcareInfoSecurity. “However, as they do have multiple victims in healthcare, and their tooling to disable detection is sophisticated, they should not be discounted. If indeed they operate through affiliates, we can expect others to use their infrastructure and tools, and Embargo may emerge as a top threat to healthcare.” Since 80% of all medical records are made up of clinical laboratory testing data, laboratory patients are particularly vulnerable.
Embargo on the Hunt for PHI
Due to the large amount of data Embargo stole from the AAP servers, it’s likely the hackers were able to procure medical records and account details from all customers of the pharmacies involved in the attack.
Researchers at ESET, an internet security company, first observed the ransomware group known as Embargo in June of this year. In a news release, ESET described an endpoint detection and response (EDR) killer toolkit the group uses to disable security software on victim hosts. An EDR killer does not itself steal data; it blinds or terminates the endpoint agent so the operators can stage data exfiltration and file encryption without triggering alerts.
“Based on its modus operandi, Embargo seems to be a well-resourced group. It sets up its own infrastructure to communicate with victims. Moreover, the group pressures victims into paying by using double extortion: the operators exfiltrate victims’ sensitive data and threaten to publish it on a leak site, in addition to encrypting it,” ESET wrote in a news release.
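The two behaviours ESET describes above, disabling endpoint protection and then exfiltrating and encrypting, leave traces a detection engineer can look for before the encryption stage. The following is an added example, not code from ESET, Embargo analysis, or this page: it runs simple rules over Sysmon-style driver-load (Event ID 6) and process-terminate (Event ID 5) records. It assumes a key="value" log layout, a placeholder vulnerable-driver hash, and an assumed list of security-agent process names; the log lines are constructed. The driver-load rules reflect the general pattern of EDR killers loading a signed but vulnerable kernel driver from a user-writable directory, which is a statement about the technique in general, not a claim about Embargo's specific tooling beyond what the page reports.

```python
"""Flag EDR-killer-style behaviour in Sysmon-like driver-load (EventID 6)
and process-terminate (EventID 5) events. Added example; the log lines
and the blocklist entry below are constructed, not from any real case."""
import re
from datetime import datetime, timedelta

# Placeholder digest (assumption). In practice populate this set from
# Microsoft's vulnerable-driver blocklist or the LOLDrivers feed.
PLACEHOLDER_SHA256 = "0" * 64
VULNERABLE_DRIVER_SHA256 = {PLACEHOLDER_SHA256: "placeholder-vulnerable-driver"}

# Security-agent processes an EDR killer typically terminates
# (assumed list; adjust to the products actually deployed).
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe"}

# Path fragments a legitimate kernel driver should never be loaded from.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s*(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return {"ts": datetime, "eid": int, "fields": dict} or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(KV_RE.findall(m.group("rest")))
    return {"ts": ts, "eid": int(m.group("eid")), "fields": fields}


def sha256_from_hashes(value):
    """Extract the SHA256 digest from a Sysmon-style 'ALGO=digest,ALGO=digest' value."""
    for part in value.split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return ""


def analyze(lines, window_seconds=60, min_terminations=3):
    """Return a list of alert dicts for the supplied log lines."""
    alerts = []
    kill_times = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        f = ev["fields"]
        if ev["eid"] == 6:  # DriverLoad
            path = f.get("ImageLoaded", "")
            digest = sha256_from_hashes(f.get("Hashes", ""))
            if digest in VULNERABLE_DRIVER_SHA256:
                alerts.append({"rule": "vulnerable_driver_load", "ts": ev["ts"], "detail": path})
            if any(mk in path.lower() for mk in USER_WRITABLE_MARKERS):
                alerts.append({"rule": "driver_from_user_writable_path", "ts": ev["ts"], "detail": path})
        elif ev["eid"] == 5:  # ProcessTerminate
            exe = f.get("Image", "").rsplit("\\", 1)[-1].lower()
            if exe in SECURITY_PROCESSES:
                kill_times.append(ev["ts"])
    # Sliding window: several security agents stopped within window_seconds.
    kill_times.sort()
    window = timedelta(seconds=window_seconds)
    for i, start in enumerate(kill_times):
        burst = [t for t in kill_times[i:] if t - start <= window]
        if len(burst) >= min_terminations:
            alerts.append({"rule": "mass_security_process_termination", "ts": start,
                           "detail": f"{len(burst)} agents stopped within {window_seconds}s"})
            break
    return alerts


SAMPLE_LOG = [  # constructed events in a Sysmon-like key="value" layout
    rf'2024-11-12T03:14:07Z EventID=6 ImageLoaded="C:\Users\clerk\AppData\Local\Temp\kprobe.sys" Hashes="SHA256={PLACEHOLDER_SHA256}" Signed="true"',
    r'2024-11-12T03:14:09Z EventID=5 Image="C:\Program Files\Windows Defender\MsMpEng.exe"',
    r'2024-11-12T03:14:10Z EventID=5 Image="C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"',
    r'2024-11-12T03:14:12Z EventID=5 Image="C:\Program Files\CrowdStrike\CSFalconService.exe"',
    r'2024-11-12T03:20:00Z EventID=6 ImageLoaded="C:\Windows\System32\drivers\tcpip.sys" Hashes="SHA256=ab12" Signed="true"',
    r'2024-11-12T03:21:00Z EventID=5 Image="C:\Windows\System32\notepad.exe"',
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["rule"], a["detail"])
```

Run against the constructed sample, the script raises three alerts: the driver load matches the placeholder blocklist entry, it was loaded from a user-profile Temp directory, and three security agents were stopped within a few seconds. The burst rule is deliberately threshold-based so that a single agent restart during patching does not fire it; tune `window_seconds` and `min_terminations` to the environment.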
Embargo recently attacked other organizations within the healthcare industry as well. In November, it claimed responsibility for breaching the security of Memorial Hospital and Manor in Bainbridge, Ga. The cyberattack affected Memorial’s email and electronic health record (EHR) systems, which caused the facility to pivot to a paper-based system, The Cyber Express reported.
Embargo’s attack on Weiser Memorial Hospital in Weiser, Idaho, involved the theft of approximately 200 gigabytes (GB) of sensitive data and caused a four-week-long outage of its computer systems.
Other Cyberattacks on Healthcare Organizations
Dark Daily has covered many cyberattacks on hospital health systems in multiple ebriefs over the past few years.
Safeguarding patient data is critical, and more healthcare organizations are discovering the hard way that they are vulnerable to hackers. This situation serves as another reminder to clinical laboratory and pathology group managers that they need to be proactive and serious about protecting their information systems, and in upgrading their digital security at regular intervals.
Hackers are working hard to obtain access to protected health information, which puts patients at continuous risk of having their private records stolen.
Inability to access clinical laboratory test results forced hospitals to suspend critical procedures and surgeries causing major disruptions to healthcare
Cyberattacks continue to shut down the ability of hospitals to process orders for clinical laboratory tests, medical imaging, and prescriptions. One such cyberattack recently took place against Ascension, the largest nonprofit Catholic health system in the United States. It took more than a month for the health network’s electronic health record (EHR) system to be fully restored, according to a cybersecurity event press release.
Immediately following the event, Ascension announced it had hired a third party company to resolve the fallout from the cyberattack.
“On Wednesday, May 8, we detected unusual activity on select technology network systems, which we now believe is due to a cybersecurity event. … Access to some systems have been interrupted … We have engaged Mandiant, a third party expert, to assist in the investigation and remediation process, and we have notified the appropriate authorities,” a press release states.
Based in Reston, Va., Mandiant is an American cybersecurity firm and a subsidiary of Google.
Cyberattacks are happening more frequently and medical professionals need to be aware that patient care can be severely disrupted by such attacks. The Ascension attack locked its employees out of the healthcare provider’s computer databases, rendering medical personnel unable to track and coordinate patient care. The health network’s EHR, phones, and databases used to order certain clinical laboratory tests, imaging services, procedures, and medications were all affected.
Hospital employees, including two doctors and a registered nurse, spoke anonymously to the Detroit Free Press regarding the issues at their facilities resulting from the cyberattack.
“It’s so, so dangerous,” said the nurse, describing the immediate aftermath of the cyberattack. “We are waiting four hours for head CT [computed tomography scan] results on somebody having a stroke or a brain bleed. We are just waiting. I don’t know why they haven’t at least paused the ambulances and accepting transfers because we physically … don’t have the capacity to care for them right now.”
“In some cases, what are supposed to be unique medical record numbers assigned to patients when they register in the emergency department at Ascension St. John [Detroit, Mich.] have been given to more than one patient at a time,” Detroit Free Press reported. “Because of that, the nurse told the Free Press she couldn’t be confident that a patient’s blood test results actually were his own.”
“We’ve started to think about these as public health issues and disasters on the scale of earthquakes or hurricanes,” Jeff Tully, MD, Associate Clinical Professor, Anesthesiology, and co-director of the Center for Healthcare Cybersecurity at the University of California-San Diego, told NPR. “These types of cybersecurity incidents should be thought of as a matter of when and not if,” he added. Inability to verify clinical laboratory test results or access patients’ electronic medical records endangers patients and undermines the confidence of critical healthcare workers.
Losing Track of Patients and Their Records
According to the HIPAA Journal’s H1 2024 Healthcare Data Breach Report, “In H1 [first half of the year], 2024, 387 data breaches of 500 or more [healthcare] records were reported to OCR, which represents an 8.4% increase from H1, 2023, and a 9.3% increase from H1, 2022.”
After the Ascension cyberattack, the healthcare organization’s computer systems were inoperable, and its pharmacy services were temporarily closed. Medical orders for clinical laboratory testing, imaging tests, and prescriptions had to be handwritten on paper and faxed to appropriate departments, which led to long wait times for patients.
There were cases where singular medical record numbers were assigned to multiple patients. Staff resorted to Google documents, paper charting, and text messaging to communicate with one another. But they still lost track of some patients.
“For a lot of our nurses, they’ve never paper charted at all,” said Connie Smith, a charge capture coordinator and head of the Wisconsin Federation of Nurses and Health Professionals, in a ThinkStack blog post. “We were using forms that we pulled out of drawers that hadn’t seen the light of day in a long, long time.”
“They are texting me to find out where the patient went,” a St. John Hospital Emergency Room physician anonymously told the Free Press immediately following the Ascension cyberattack. “They don’t even know where the patient is going or if they’ve been admitted. People are getting lost.
“The pharmacy is getting requests for patient medications, and they have no idea where the patient is in the hospital,” the doctor continued. “Some of the attending physicians are putting in orders for medications, somewhat dangerous medications, and we have no idea if the medications are actually being administered. It’s a scary thing when your medical license is tied to this. If medication mistakes become lawsuits, they will follow us throughout our entire careers and that is not fair to us. It’s not fair to patients.”
According to online updates provided by Ascension, the cyberattack began when an employee downloaded a malicious file thinking it was a legitimate document. That allowed the attackers to access seven of Ascension’s 25,000 servers. The resulting cyberattack disrupted operations across the organization’s facilities and among its healthcare providers for weeks.
A June 12 update read, “we are pleased to announce that electronic health record (EHR) access has been restored across our ministries. This means that clinical workflow in our hospitals and clinics will function similarly to the way it did prior to the ransomware attack.” The updates did not mention how the attack was resolved or if a ransom was paid to restore the hospitals’ systems.
Preparing for System Disruptions
According to its website, St. Louis-based Ascension has 134,000 associates, 35,000 affiliated providers, and 140 hospitals serving communities in 18 states and the District of Columbia.
“Despite the challenges posed by the recent ransomware incident, patient safety continues to be our utmost priority. Our dedicated doctors, nurses, and care teams are demonstrating incredible thoughtfulness and resilience as we utilize manual and paper based systems during the ongoing disruption to normal systems,” Ascension noted in a Michigan Cybersecurity Event Update.
Clinical laboratory managers and anatomic pathology practice administrators may want to learn from Ascension’s experience and make advanced preparations that will secure patient information and enable their lab to continue functioning during a cyberattack. The Ascension cyberattack illustrates how easily computer systems containing critical information can be hacked and affect patient care.
Amid cost pressures, healthcare providers also plan to cut staff though some jobs are plentiful; adequate staffing at medical laboratories continues to be a challenge
Thanks to the COVID-19 pandemic and subsequent “Great Resignation,” masses of people have left the workforce and companies large and small in all industries are struggling to retain employees. Clinical laboratories have been particularly hard hit with no relief in sight.
Now come the results of a PricewaterhouseCoopers (PwC) survey which shows 50% of US companies in various industries—including major healthcare providers—plan to lay off employees. And 83% of organizations intend to move forward with a “streamlined workforce,” according to the latest PwC Pulse: Managing Business Risks in 2022 report.
How this will affect the workload on remaining hospital and medical laboratory staff is clear. And healthcare consumers may not take well to healthcare providers running leaner and with fewer staff than they currently do.
Nevertheless, the PwC survey results “illustrate the contradictory nature of today’s labor market, where skilled workers can still largely name their terms amid talent shortages even as companies look to let people go elsewhere,” Bloomberg wrote on the CPA Practice Advisor website.
“Organizations are still walking a tightrope when it comes to talent as we begin to see the longer-term impacts of the ‘Great Resignation.’ Finding the proper balance between investing in specialized talent, managing headcount costs, and driving productivity and morale will remain a top focus,” said Bhushan Sethi, People and Organization Joint Global Leader at PwC and an adjunct professor at NYU Stern School of Business in a PwC news release. Clinical laboratories are finding it particularly challenging to fill staff positions across all areas of lab operations.
Healthcare Has Biggest Challenges, says PwC
Clinical laboratory leaders and pathologist groups are well aware of the unique financial pressures on healthcare systems and medical labs, as well as shortages of pathologists, medical technologists, clinical laboratory scientists, information technology (IT) professionals, and other healthcare workers.
“Healthcare is seeing bigger talent challenges than other industries and is more focused on rehiring employees who have recently left,” the PwC report acknowledged. This is the second Pulse survey PwC conducted in 2022. The 722 respondents included leaders working in human capital and finance.
Finding Right Talent, Focusing on Growth, Automation
Finding the right employees is so important to companies that PwC ranks “talent acquisition” as the second highest risk (38%) behind cyber-attacks (40%).
“Finding the right talent continues to be a challenge for business leaders,” PwC said. “After a frenzy of hiring and a tight labor market over the past few years, executives see the distinction between having people and having people with the right skills.”
Unlike the high-touch and personal nature of healthcare, industries such as consumer technology, media, and telecommunications can turn to automation to alleviate staffing struggles. And that is what nearly two-thirds, or 63%, of companies in those sectors, aim to do, PwC said.
Other survey talent findings:
50% of companies plan layoffs.
46% are dropping or eliminating sign-on bonuses.
44% are rescinding job offers.
Conversely, the surveyed executives also told PwC they are “cautiously optimistic” and plan on growing and investing even as the economy gives mixed signals:
83% of companies are focused on growth.
70% plan an acquisition.
53% aim to invest in digital transformation, 52% in IT, 49% in cybersecurity and privacy, and 48% in customer experience.
“After more than two years dealing with uncertainty related to the pandemic, business leaders recognize the urgent need to focus on growth in order to compete, and they’re zeroing in on what they can control,” PwC said.
New Remote Work Programs, Reduction in Real Estate Investing, Big Tech
Although companies report having more than enough physical office space, many (42%) have launched remote work programs:
70% have expanded or plan to increase “permanent” remote work options as jobs permit.
22% are reducing real estate investment (financial services and healthcare industries lead the way with 30% and 29%, respectively, saying real estate buys are cooling off).
“While companies continue to invest in many areas of the business, they’re scaling back the most in real estate and capex [capital expenditure]. After two years of remote work, many companies simply need less space, and they’re allocating capital accordingly,” the PwC report noted.
In a somewhat parallel release to PwC’s findings, news sources are reporting reductions in real estate and staff at high-profile Big Tech companies.
Meta Platforms, Inc. in Menlo Park, Calif. (formerly Facebook Inc.), is closing one of its New York offices and cutting back on plans to expand two other locations in the city, the Observer reported.
Business Insider reported, “More than 32,000 tech workers have been laid off in the US till July, including at Big Tech companies like Microsoft and Meta (formerly Facebook), and the worst has not been over yet for the tech sector that has seen massive stock sell-off.”
According to Forbes, “San Francisco-based electronic signature company DocuSign will lay off 9% of its more than 7,400 employees (roughly 670 employees), the company announced in a Securities and Exchange filing Wednesday, saying the cuts are ‘necessary to ensure we are capitalizing on our long-term opportunity and setting up the company for future success.’”
And Bloomberg recently reported that Intel is planning to lay off thousands of people “around the same time as its third-quarter earnings report on Oct. 27.”
Healthcare Providers Plan Layoffs, Seek IT Pros
Meanwhile, major healthcare provider networks also are planning staff cuts amid service closures, rising costs, and other issues, according to Becker’s Hospital Review:
Ascension in St. Louis, Mo., plans to close an Indiana hospital and nine medical practices and lay off 133 employees.
“Our health system, like others around the nation, is facing significant financial pressures from historic inflation, rising pharmaceutical and labor costs, COVID-19, expiration of CARES Act funding, and reimbursement not proportional with expenses,” BHSH said in a statement shared with Becker’s.
Amidst these layoffs, however, IT jobs in healthcare seem to be growing. According to Becker’s Health IT, some healthcare providers have posted information technology openings:
Mayo Clinic in Rochester, Minn., has 43 IT job openings.
So, though it appears IT positions continue to expand, clinical laboratory leaders and pathology practice managers may want to prepare now for dealing with customers’ response to leaner healthcare systems overall.
Nearly two years after passage of price transparency law, only a small number of the nation’s hospitals are fully compliant, according to two separate reports
Price transparency is a major trend in the US healthcare system. Yet, hospitals, physicians, clinical laboratories, and other providers have been reluctant to design their websites so it is easy for patients to find prices in advance of clinical care. Now comes news that federal officials are ready to issue fines to hospitals that fail to comply with regulations mandating price transparency for patients.
Many of the largest healthcare networks claim that complying with federal hospital price transparency regulation is costly, time consuming, and provides no return on investment. Nevertheless, the federal Centers for Medicare and Medicaid Services (CMS) is quite serious about enforcing price transparency laws, and to that end the agency has, for the first time, levied fines against two hospitals in Georgia that have not complied with the regulations.
As many pathologists and medical laboratory managers know, on January 1, 2021, a federal rule on price transparency for medical facilities went into effect. The rule requires hospitals—as well as clinical laboratories and other healthcare providers—to post a comprehensive list of their services and the pricing for those services on their websites, and to provide access to a patient-friendly tool to help consumers shop for 300 common services.
The CMS recently issued its first penalties to two hospitals located in Georgia for violating the law by not updating their websites or replying to the agency’s warning letters. The letters CMS sent to the two hospitals alleged there were several violations of the transparency rules, including the failure to post a listing of their charges on their websites and requested corrective action plans by the hospitals.
In November 2021, Northside Hospital Atlanta informed regulators that consumers should call or email the facility to obtain price estimates for services. Later in January 2022, during a “technical assistance call,” a hospital representative told CMS “the previous violations had not been corrected and, in fact, the hospital system had intentionally removed all previously posted pricing files,” according to a Notice of Imposition of a Civil Monetary Penalty letter CMS sent to Robert Quattrocchi, President and Chief Executive Officer, Northside Hospital Atlanta.
Under the rules of the Hospital Price Transparency law, each hospital operating in the US is required to provide clear, accessible pricing information online about the items and services they provide in two ways:
As a comprehensive machine-readable file listing all items and services.
In a display of shoppable services in a consumer-friendly format.
CMS fined Northside Hospital Atlanta $883,180 and Northside Cherokee Hospital $214,320 for noncompliance with the law. The penalties scale with the size of the hospital and the length of the noncompliance: $300 per day for hospitals with 30 or fewer beds, and $10 per bed per day, capped at $5,500 per day, for larger hospitals. In addition, the facilities could incur further monetary penalties if they continue to fail to comply. The organizations have 30 days to appeal the penalties or 60 days to remit payment.
Both hospitals are owned by Northside, a Georgia health system with five acute care hospitals, more than 250 outpatient facilities, over 4,100 providers, and 25,500 employees, according to the provider’s website.
Compliance with Price Transparency Laws Low
Analysis of the healthcare industry shows that many facilities are not in compliance with the transparency rules. In April, a report released by health IT firm KLAS Research, found that hospitals believe the transparency rule is too costly to implement and confusing to consumers, which helps explain the low compliance issues. KLAS surveyed 66 hospital revenue cycle leaders for their report.
“There are concerns about cost, data accuracy, and patient options of pricing tools; some respondents worry about patients’ ability to understand the displayed pricing data, and today, most patients are unaware online pricing information exists,” the report states. In addition, the report notes that “many organizations are not investing beyond the bare minimum requirements, and they don’t plan to do more until there is further clarity around the regulations and the expectations going forward.”
The KLAS report also noted that organizations are struggling to find the resources to comply with the price transparency rule and consider it a financial burden to continually add new employees and technology to become and remain in compliance. Many organizations see no merit in investing in a regulation that provides no return on that investment.
Another compliance report released in February by Patient Rights Advocate maintained that only 14.3% of the 1,000 hospitals they reviewed were in full compliance with the Hospital Price Transparency regulation. About 37.9% of the hospitals posted a sufficient detailing of service rates, but over half of those hospitals were noncompliant in other criteria of the rule, such as rates by insurer and insurance plans.
“We are now entering the second year since the Hospital Price Transparency rule became law, and compliance remains at very low levels,” according to the report. “The largest hospital systems are effectively ignoring the law, with no consequences.”
The Patient Rights Advocate analysis also found that a mere 0.5% of hospitals owned by the three largest hospital systems in the country—HCA Healthcare, CommonSpirit Health, and Ascension—were in full compliance of the law.
Notably, only two of the 361 hospitals owned by these three hospital systems were fully compliant. In addition, none of the 188 hospitals owned by HCA Healthcare, the largest for-profit hospital system in the country, were in compliance.
Hospitals Fail to Provide Consumers with Critical Information
The Patient Rights Advocate report found that the most significant reason for noncompliance was failure to post all payer-specific and plan-specific negotiated rates on their websites. They estimated that 85.7% of the 1,000 hospitals reviewed did not post a complete machine-readable file of standard charges, as required by the law.
“The lack of compliance by hospitals is about more than simply the failure to follow the legal requirements,” the report states. “It is also about the failure of hospitals to provide critically needed information to consumers so they can make better health decisions. Empowered with comparative price and quality information in advance of care, consumers, including employers and unions, can improve health outcomes while lowering costs by taking advantage of the benefits of competitive market efficiencies.”
With the CMS starting to issue fines for noncompliance, it is probable that more healthcare organizations will focus on adhering to the Hospital Price Transparency law. Since the transparency rules also apply to clinical laboratories, lab managers should be aware of the regulations and any further enforcement actions taken by the CMS.
Strategists agree that big tech is disrupting healthcare, so how will clinical laboratories and anatomic pathology groups serve virtual healthcare customers?
Visionary XPRIZE founder Peter Diamandis, MD, sees big tech as “the doctor of the future.” In an interview with Fast Company promoting his new book, “The Future Is Faster Than You Think,” Diamandis, who is the Executive Chairman of the XPRIZE Foundation, said that the healthcare industry is “phenomenally broken” and that Apple, Amazon, and Google could do “a thousandfold” better job.
Diamandis, who also founded Singularity University, a global learning and innovation community that uses exponential technologies to tackle worldwide challenges, according to its website, said, “We’re going to see Apple and Amazon and Google and all the data-driven companies that are in our homes right now become our healthcare providers.”
If this prediction becomes reality, it will bring significant changes in the traditional ways that consumers and patients have selected providers and access healthcare services. In turn, this will require all clinical laboratories and pathology groups to develop business strategies in response to these developments.
Amazon Arrives in Healthcare Markets
Several widely-publicized business initiatives by Amazon, Google, and Apple substantiate these predictions. According to an Amazon blog, healthcare insurers, providers, and pharmacy benefit managers are already operating HIPAA-eligible Amazon Alexa for:
Alexa also enables HIPAA-compliant blood glucose updates as part of the Livongo for Diabetes program. “Our members now have the ability to hear their last blood glucose check by simply asking Alexa,” said Jennifer Schneider, MD, President of Livongo, a digital health company, in a news release.
And Cigna’s “Answers By Cigna” Alexa “skill” gives members who install the option responses to 150 commonly asked health insurance questions, explained a Cigna news release.
“Google plans to disrupt healthcare and use data and artificial intelligence,” Toby Cosgrove, Executive Advisor to the Google Cloud team and former Cleveland Clinic President, told B2B information platform PYMNTs.com.
PYMNTs speculated that Google, which recently acquired Fitbit, could be aiming at connecting consumers’ Fitbit fitness watch data with their electronic health records (EHRs).
Apple Works with Insurers, Integrating Health Data
The Apple Watch health app also enables people to access medical laboratory test results and vaccination records, and “sync up” information with some hospitals, Business Insider explained.
Virtual Care, a Payer Priority: Survey
Should healthcare providers feel threatened by the tech giants? Not necessarily. However, employers and payers surveyed by the National Business Group on Health (NBGH), an employer advocacy organization, said they want to see more virtual care solutions, a news release stated.
“One of the challenges employers face in managing their healthcare costs is that healthcare is delivered locally, and change is not scalable. It’s a market-by-market effort,” said Brian Marcotte, President and CEO of the NBGH, in the news release. “Employers are turning to market-specific solutions to drive meaningful changes in the healthcare delivery system.
“Virtual care solutions bring healthcare to the consumer rather than the consumer to healthcare,” Marcotte continued. “They continue to gain momentum as employers seek different ways to deliver cost effective, quality healthcare while improving access and the consumer experience.”
“If you use Google in the United States to check symptoms, you’ll get five-million to 11-million hits,” Schwab told The Dark Report. “Clearly, there’s plenty of talk about symptom checkers, and if you go online now, you’ll find 350 different electronic applications that will give you medical advice—meaning you’ll get a diagnosis over the internet. These applications are winding their way somewhere through the regulatory process.
“The FDA just released a report saying it plans to regulate internet doctors, not telehealth doctors and not virtual doctors,” he continued. “Instead, they’re going to regulate machines. This news is significant because, today, within an hour of receiving emergency care, 45% of Americans have googled their condition, so the cat is out of the bag as it pertains to us going online for our medical care.”
Be Proactive, Not Reactive, Health Leaders Say
Healthcare leaders need to work on improving access to primary care, instead of becoming defensive or reactive to tech companies, several healthcare CEOs told Becker’s Hospital Review.
Clinical laboratory leaders are advised to keep an eye on these virtual healthcare trends and be open to assisting doctors engaged in telehealth services and online diagnostic activities.