News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel

News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel
Sign In

American Associated Pharmacies Struck by Ransomware Attack

Clinical laboratories and anatomic pathology groups should consider these cyberattacks on major healthcare entities as reminders that they should tighten their cybersecurity protections

Hackers continue to gain access to public health records—including clinical laboratory testing data—putting thousands of patients’ protected health information (PHI) at risk of being exposed. The latest important healthcare entity to become the victim of a ransomware attack is American Associated Pharmacies (AAP). According to The Register, AAP announced a ransomware operation called Embargo had stolen over 1.4 terabytes (TB) of data, encrypted those files, and demanded $1.3 million to decrypt the data.

Embargo claims that Scottsboro, Ala.-based AAP paid $1.3 million to have its systems restored. They are now demanding an additional $1.3 million to keep the stolen data private, the HIPAA Journal reported, adding, “The attack follows ransomware attacks on Memorial Hospital and Manor, an 80-bed community hospital and 107 long-term care facility in Georgia, and Weiser Memorial Hospital, a critical access hospital in Idaho.”

AAP has not publicly confirmed the ransomware attack, nor has it made an official statement regarding the breach. But it did post an “Important Notice” on its website reporting, “limited ordering capabilities for API Warehouse have been restored at APIRx.com.”

API Warehouse is a subsidiary of AAP that helps subscribers save on brand name and generic prescriptions via wholesale purchasing plans. It oversees more than 2,000 independent pharmacies across the US and has over 2,500 stock keeping units (SKUs) in its inventory.

The message further states “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites. Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”

“Embargo seems to have international and multi-sector victims and is not focusing on a specific victim profile. They seem opportunistic,” Mike Hamilton (above), founder and chief information security officer (CISO) of cybersecurity firm Critical Insight, told HealthcareInfoSecurity. “However, as they do have multiple victims in healthcare, and their tooling to disable detection is sophisticated, they should not be discounted. If indeed they operate through affiliates, we can expect others to use their infrastructure and tools, and Embargo may emerge as a top threat to healthcare.” Since 80% of all medical records are made up of clinical laboratory testing data, laboratory patients are particularly vulnerable. (Photo copyright: Critical Insight.)

Embargo on the Hunt for PHI

Due to the large amount of data Embargo stole from the AAP servers, it’s likely the hackers were able to procure medical records and account details from all customers of the pharmacies involved in the attack. 

Researchers at ESET, an internet security company, first noticed the ransomware organization known as Embargo in June of this year. In a news release, ESET stated that Embargo used an endpoint detection and response (EDR) killer toolkit to steal AAP’s data. 

“Based on its modus operandi, Embargo seems to be a well-resourced group. It sets up its own infrastructure to communicate with victims. Moreover, the group pressures victims into paying by using double extortion: the operators exfiltrate victims’ sensitive data and threaten to publish it on a leak site, in addition to encrypting it,” ESET wrote in a news release.

Embargo recently attacked other organizations within the healthcare industry as well. In November, it claimed responsibility for breaching the security of Memorial Hospital and Manor in Bainbridge, Ga. The cyberattack affected Memorial’s email and electronic medical record (EHR) systems, which caused the facility to pivot to a paper-based system, The Cyber Express reported. 

Embargo’s attack on Weiser Memorial Hospital in Weiser, Idaho, involved the theft of approximately 200 gigabytes (GB) of sensitive data and caused a four-week-long outage of its computer systems.  

Other Cyberattacks on Healthcare Organizations

Dark Daily has covered many cyberattacks on hospital health systems in multiple ebriefs over the past few years.

In “Cyberattack Renders Healthcare Providers across Ascension’s Hospital Network Unable to Access Medical Records Endangering Patients,” we summarized how Ascension’s inability to access medical records during the attack caused major disruptions to patient healthcare. It took more than a month for Ascension’s electronic health record system to be fully restored.

In “Change Healthcare Cyberattack Disrupts Pharmacy Order Processing for Healthcare Providers Nationwide,” Dark Daily outlined how a February cyberattack on Change Healthcare caused its parent organization UnitedHealth Group to file a Material Cybersecurity Incidents Report (form 8-K) with the US Securities and Exchange Commission (SEC) in which it stated it had “identified a suspected nation-state associated cybersecurity threat actor [that] had gained access to some of the Change Healthcare information technology systems.”

A few days later the real identity of the threat actor was revealed to be a ransomware group known as BlackCat (aka, ALPHV), according to Reuters.

And in, “Continued Cyberattacks on Hospitals, Clinical Laboratories, and Other Providers Cause Closures as Hackers Grow in Sophistication,” we reported how hospitals of all sizes continue to be prime targets for sophisticated cyberattacks, where hackers remotely disable a healthcare network’s computer systems—including its clinical laboratory information system (LIS)—and extort ransomware payments.

Safeguarding patient data is critical, and more healthcare organizations are discovering the hard way that they are vulnerable to hackers. This situation serves as another reminder to clinical laboratory and pathology group managers that they need to be proactive and serious about protecting their information systems, and in upgrading their digital security at regular intervals.

Hackers are working hard to obtain access to protected health information, which puts patients at continuous risk of having their private records stolen.

—JP Schlingman

Related Information:

Ransomware Fiends Boast They’ve Stolen 1.4TB from US Pharmacy Network

Another Major US Healthcare Organization Has Been Hacked, with Potentially Major Consequences

Gang Shaking Down Pharmacy Group for Second Ransom Payment

US Pharmacy Network Loses 1.4 Terabytes of Data to Boasting Hackers

New Ransomware Group Embargo Uses Toolkit That Disables Security Solutions, ESET Research Discovers

Embargo Ransomware Group Claims Attack on American Associated Pharmacies

American Associated Pharmacies Resets All User Passwords after Ransomware Gang Claims Responsibility for Cyberattack

Ransomware Attack Disrupts Memorial Hospital’s EHR System, Temporarily Slows Operations

Weiser Memorial Hospital Investigating Cyberattack

Hospital Deals with IT Outage for 4 Weeks

Healthcare Cyberattacks at Two Hospitals Prompt Tough Decisions as Their Clinical Laboratories Are Forced to Switch to Paper Documentation

Three Federal Agencies Warn Healthcare Providers of Pending Ransomware Attacks; Clinical Laboratories Advised to Assess Their Cyberdefenses

Preparing for Z-Codes as DEX Genetic Testing Registry Rolls Out to Commercial Health Plans

Palmetto GBA’s Chief Medical Officer will cover how clinical laboratories billing for genetic testing should prepare for Z-Codes at the upcoming Executive War College in New Orleans

After multiple delays, UnitedHealthcare (UHC) commercial plans will soon require clinical laboratories to use Z-Codes when submitting claims for certain molecular diagnostic tests. Several private insurers, including UHC, already require use of Z-Codes in their Medicare Advantage plans, but beginning June 1, UHC will be the first to mandate use of the codes in its commercial plans as well. Molecular, anatomic, and clinical pathologist Gabriel Bien-Willner, MD, PhD, who oversees the coding system and is Chief Medical Officer at Palmetto GBA, expects that other private payers will follow.

“A Z-Code is a random string of characters that’s used, like a barcode, to identify a specific service by a specific lab,” Bien-Willner explained in an interview with Dark Daily. By themselves, he said, the codes don’t have much value. Their utility comes from the DEX Diagnostics Exchange registry, “where the code defines a specific genetic test and everything associated with it: The lab that is performing the test. The test’s intended use. The analytes that are being measured.”

The registry also contains qualitative information, such as, “Is this a good test? Is it reasonable and necessary?” he said.

Bien-Willner will answer those questions and more at the upcoming annual Executive War College on Diagnostics, Clinical Laboratory, and Pathology Management in New Orleans on April 30-May 1. Lab professionals still have time to register and attend this important presentation.

Molecular, anatomic, and clinical pathologist Gabriel Bien-Willner, MD, PhD (above), Palmetto GBA’s Chief Medical Officer, will speak about Z-Codes and the MolDX program during several sessions at the upcoming Executive War College on Diagnostics, Clinical Laboratory, and Pathology Management taking place in New Orleans on April 30-May 1. Clinical laboratories involved in genetic testing will want to attend these critical sessions. (Photo copyright: Bien-Willner Physicians Association.)

Palmetto GBA Takes Control

Palmetto’s involvement with Z-Codes goes back to 2011, when the company established the MolDX program on behalf of the federal Centers for Medicare and Medicaid Services (CMS). The purpose was to handle processing of Medicare claims involving genetic tests. The coding system was originally developed by McKesson, and Palmetto adopted it as a more granular way to track use of the tests.

In 2017, McKesson merged its information technology business with Change Healthcare Holdings LLC to form Change Healthcare. Palmetto GBA acquired the Z-Codes and DEX registry from Change in 2020. Palmetto GBA had already been using the codes in MolDX and “we felt we needed better control of our own operations,” Bien-Willner explained.

In addition to administering MolDX, Palmetto is one of four regional Medicare contractors who require Z-Codes in claims for genetic tests. Collectively, the contractors handle Medicare claims submissions in 28 states.

Benefits of Z-Codes

Why require use of Z-Codes? Bien-Willner explained that the system addresses several fundamental issues with molecular diagnostic testing.

“Payers interact with labs through claims,” he said. “A claim will often have a CPT code [Current Procedural Technology code] that doesn’t really explain what was done or why.”

In addition, “molecular diagnostic testing is mostly done with laboratory developed tests (LDTs), not FDA-approved tests,” he said. “We don’t see LDTs as a problem, but there’s no standardization of the services. Two services could be described similarly, or with the same CPT codes. But they could have different intended uses with different levels of sophistication and different methodologies, quality, and content. So, how does the payer know what they’re paying for and whether it’s any good?”

When the CPT code is accompanied by a Z-Code, he said, “now we know exactly what test was done, who did it, who’s authorized to do it, what analytes are measured, and whether it meets coverage criteria under policy.”

The process to obtain a code begins when the lab registers for the DEX system, he explained. “Then they submit information about the test. They describe the intended use, the analytes that are being measured, and the methodologies. When they’ve submitted all the necessary information, we give the test a Z-Code.”

Then, the test undergoes a technical assessment. Bien-Willner described this as a risk-based process where complex tests, such as those employing next-generation sequencing or gene expression profiling, get more scrutiny than less-complex methodologies such as a polymerase chain reaction (PCR) test.

The assessment could be as simple as a spreadsheet that asks the lab which cancer types were tested in validation, he said. On the other end of the scale, “we might want to see the entire validation summary documentation,” he said.

Commercial Potential

Bien-Willner joined the Palmetto GBA in 2018 primarily to direct the MolDX program. But he soon saw the potential use of Z-Codes and the DEX registry for commercial plans. “It became instantly obvious that this is a problem for all payers, not just Medicare,” he said.

Over time, he said, “we’ve refined these processes to make them more reproducible, scalable, and efficient. Now commercial plans can license the DEX system, which Z-Codes are a part of, to better automate claims processing or pre-authorizations.”

In 2021, the company began offering the coding system for Medicare Advantage plans, with UHC the first to come aboard. “It was much easier to roll this out for Medicare Advantage, because those programs have to follow the same policies that Medicare does,” he explained.

As for UHC’s commercial plans, the insurer originally planned to require Z-Codes in claims beginning Aug. 1, 2023, then pushed that back to Oct. 1, according to Dark Daily’s sister publication The Dark Report.

Then it was pushed back again to April 1 of this year, and now to June 1.

“The implementation will be in a stepwise fashion,” Bien-Willner advised. “It’s difficult to take an entirely different approach to claims processing. There are something like 10 switches that have to be turned on for everything to work, and it’s going to be one switch at a time.”

For Palmetto GBA, the commercial plans represent “a whole different line of business that I think will have a huge impact in this industry,” he said. “They have the same issues that Medicare has. But for Medicare, we had to create automated solutions up front because it’s more of a pay and chase model,” where the claim is paid and CMS later goes after errors or fraudulent claims.

“Commercial plans in general just thought they could manually solve this issue on a claim-by-claim basis,” he said. “That worked well when there was just a handful of genetic tests. Now there are tens of thousands of tests and it’s impossible to keep up.

They instituted programs to try to control these things, but I don’t believe they work very well.”

Bien-Willner is scheduled to speak about Palmetto GBA’s MolDX program, Z-Codes, and related topics during three sessions at the upcoming 29th annual Executive War College conference. Clinical laboratory and pathology group managers would be wise to attend his presentations. Visit here (or paste this URL into your browser: https://www.executivewarcollege.com/registration) to learn more and to secure your seat in New Orleans.

—Stephen Beale

Related Information:

Palmetto Issuing ‘Z-Codes’ to Track Molecular Dx Utilization, Gather Data CPT Codes Can’t Provide

McKesson and Change Healthcare Complete the Creation of New Healthcare Information Technology Company

UnitedHealthcare Commercial: Reimbursement Policy Update Bulletin: January 2024

UnitedHealthcare’s Z-Code Requirement for Genetic Testing Claims Impacts Laboratories and Payers

UHC Delays April 1st Z-Code Commercial Implementation to June 1, 2024

UHC Will Delay Enforcement of Z-Codes for Genetic Test Claims

Change Healthcare Cyberattack Disrupts Pharmacy Order Processing for Healthcare Providers Nationwide

Initially thought to be an attack by a nation-state, actual culprit turned out to be a known ransomware group and each day brings new revelations about the cyberattack

Fallout continues from cyberattack on Change Healthcare, the revenue cycle management (RCM) company that is a business unit of Optum, itself a division of UnitedHealth Group. Recent news accounts say providers are losing an estimated $100 million per day because they cannot submit claims to Change Healthcare nor receive reimbursement for these claims. 

The cyberattack took place on February 21. The following day, UnitedHealth Group filed a Material Cybersecurity Incidents report (form 8-K) with the US Securities and Exchange Commission (SEC) in which it stated it had “identified a suspected nation-state associated cybersecurity threat actor [that] had gained access to some of the Change Healthcare information technology systems.”

A few days later the real identity of the threat actor was revealed to be a ransomware group known as “BlackCat” or “ALPHV,” according to Reuters.

Change Healthcare of Nashville, Tenn., is “one of the largest commercial prescription processors in the US,” Healthcare Dive reported, adding that hospitals, pharmacies, and military facilities had difficulty transmitting prescriptions “as a result of the outage.”

 Change Healthcare handles about 15 billion payments each year.

According to a Change Healthcare statement, the company “became aware of the outside threat” and “took immediate action to disconnect Change Healthcare’s systems to prevent further impact.”

Change Healthcare has provided a website where parties that have been affected by the cyberattack can find assistance and updated information on Change’s response to the intrusion and theft of its data.

“The fallout is only starting to happen now. It will get worse for consumers,” Andrew Newman (above), founder and Chief Technology Officer, ReasonLabs, told FOX Business, adding, “We know that the likely destination for [the Change Healthcare] data is the Dark Web, where BlackCat will auction it all off to the highest bidder. From there, consumers could expect to suffer from things like identity theft, credit score downgrades, and more.” Clinical laboratories are also targets of cyberattacks due to the large amount of private patient data stored on their laboratory information systems. (Photo copyright: ReasonLabs.)

Millions of Records May be in Wrong Hands

Reuters reported that ALPHV/BlackCat admitted it “stole millions of sensitive records, including medical insurance and health data from the company.” 

The ransomware group has been focusing its attacks on healthcare with 70 incidents since December, according to federal agencies. 

“The healthcare sector has been the most commonly victimized. This is likely in response to the ALPHV BlackCat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023,” noted a joint statement from the federal Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS).

AHA Urges Disrupted Hospitals to Disconnect from Optum

In an AHA Cybersecurity Advisory, the American Hospital Association recommended that affected providers “consider disconnection from Optum until it is independently deemed safe to reconnect to Optum.”

In a letter to HHS, AHA warned, “Change Healthcare’s downed systems will have an immediate adverse impact on hospital finances. … Their interrupted technology controls providers’ ability to process claims for payment, patient billing, and patient cost estimation services.”

“My understanding is Change/Optum touches almost every hospital in the US in one way or another,” John Riggi, AHA’s National Advisor for Cybersecurity and Risk, told Chief Healthcare Executive. “It has sector wide impact in potential risk. So, really, this is an attack on the entire sector.” Riggi spent nearly 30 years with the FBI.

Some physician practices may also have been impacted by the Change Healthcare cyberattack, according to the Medical Group Management Association (MGMA). In a letter to HHS, MGMA described negative changes in processes at doctors’ offices. They include delays in paper and electronic statements “for the duration of the outage.”

In addition, “prescriptions are being called into pharmacies instead of being electronically sent, so patients’ insurance information cannot be verified by pharmacies, and [the patients] are forced to self-pay or go without necessary medication.”

Here are “just a few of the consequences medical groups have felt” since the Change Healthcare cyberattack, according to the MGMA:

  • Substantial billing and cash flow disruptions, such as a lack of electronic claims processing. Both paper and electronic statements have been delayed. Some groups have been without any outgoing charges or incoming payments for the duration of the outage.
  • Limited or no electronic remittance advice from health plans. Groups are having to manually pull and post from payer portals.
  • Prior authorization submissions have been rejected or have not been transmittable at all. This further exacerbates what is routinely ranked the number one regulatory burden by medical groups and jeopardizes patient care.
  • Groups have been unable to perform eligibility checks for patients.
  • Many electronic prescriptions have not been transmitted, resulting in call-in prescriptions to pharmacies or paper prescriptions for patients. Subsequently, patients’ insurance information cannot be verified by pharmacies, and they are forced to self-pay or go without necessary medication.
  • Lack of connectivity to important data infrastructure needed for success in value-based care arrangements, and other health information technology disruptions.

Medical laboratory leaders and pathologists are advised to consult with their colleagues in IT and cybersecurity on how to best prevent ransomware attacks. Labs hold vast amount of private patient information. Recent incidents suggest more steps and strategies may be needed to protect laboratory information systems and patient data.

—Donna Marie Pocius

Related Information:

UnitedHealth Suspects “Nation-state” Behind Change Cyberattack

UnitedHealth Says ‘Blackcat’ Ransomware Group Behind Hack At Tech Unit

UnitedHealth Hackers Say They Stole ‘Millions’ of Records, then Delete Statement

US SEC Form 8-K

Change Healthcare Incident Status

Information on the Change Healthcare Cyber Response

UnitedHealth Confirms BlackCat Group Behind Recent Cybersecurity Attack

CISA Cybersecurity Advisory

Hackers Behind UnitedHealth Unit Cyberattack Reportedly Identified

Hospitals Affected by Cyberattack of UnitedHealth Subsidiary

UnitedHealth Group’s Change Healthcare Experiencing Cyberattack Could Impact Healthcare Providers

AHA Letter to HHS: Implications Change Healthcare Cyberattack

MGMA Letter to HHS

The Change Healthcare Cyberattack Is Still Impacting Pharmacies. It’s a Bigger Deal Than You Think

Hackensack Meridian Health and Hologic Tap Google Cloud’s New Medical Imaging Suite for Cancer Diagnostics

Google designed the suite to ease radiologists’ workload and enable easy and secure sharing of critical medical imaging; technology may eventually be adapted to pathologists’ workflow

Clinical laboratory and pathology group leaders know that Google is doing extensive research and development in the field of cancer diagnostics. For several years, the Silicon Valley giant has been focused on digital imaging and the use of artificial intelligence (AI) algorithms and machine learning to detect cancer.

Now, Google Cloud has announced it is launching a new medical imaging suite for radiologists that is aimed at making healthcare data for the diagnosis and care of cancer patients more accessible. The new suite “promises to make medical imaging data more interoperable and useful by leveraging artificial intelligence,” according to MedCity News.

In a press release, medical technology company Hologic, and healthcare provider Hackensack Meridian Health in New Jersey, announced they were the first customers to use Google Cloud’s new suite of medical imaging products.

“Hackensack Meridian Health has begun using it to detect metastasis in prostate cancer patients earlier, and Hologic is using it to strengthen its diagnostic platform that screens women for cervical cancer,” MedCity News reported.

Alissa Hsu Lynch

“Google pioneered the use of AI and computer vision in Google Photos, Google Image Search, and Google Lens, and now we’re making our imaging expertise, tools, and technologies available for healthcare and life sciences enterprises,” said Alissa Hsu Lynch (above), Global Lead of Google Cloud’s MedTech Strategy and Solutions, in a press release. “Our Medical Imaging Suite shows what’s possible when tech and healthcare companies come together.” Clinical laboratory companies may find Google’s Medical Imaging Suite worth investigating. (Photo copyright: Influencive.)

.

Easing the Burden on Radiologists

Clinical laboratory leaders and pathologists know that laboratory data drives most healthcare decision-making. And medical images make up 90% of all healthcare data, noted an article in Proceedings of the IEEE (Institute of Electrical and Electronics Engineers).

More importantly, medical images are growing in size and complexity. So, radiologists and medical researchers need a way to quickly interpret them and keep up with the increased workload, Google Cloud noted.

“The size and complexity of these images is huge, and, often, images stay sitting in data siloes across an organization,” said Alissa Hsu Lynch, Global Lead, MedTech Strategy and Solutions at Google, told MedCity News. “In order to make imaging data useful for AI, we have to address interoperability and standardization. This suite is designed to help healthcare organizations accelerate the development of AI so that they can enable faster, more accurate diagnosis and ease the burden for radiologists,” she added.

According to the press release, Google Cloud’s Medical Imaging Suite features include:

  • Imaging Storage: Easy and secure data exchange using the international DICOM (digital imaging and communications in medicine) standard for imaging. A fully managed, highly scalable, enterprise-grade development environment that includes automated DICOM de-identification. Seamless cloud data management via a cloud-native enterprise imaging PACS (picture archiving and communication system) in clinical use by radiologists.
  • Imaging Lab: AI-assisted annotation tools that help automate the highly manual and repetitive task of labeling medical images, and Google Cloud native integration with any DICOMweb viewer.
  • Imaging Datasets and Dashboards: Ability to view and search petabytes of imaging data to perform advanced analytics and create training datasets with zero operational overhead.
  • Imaging AI Pipelines: Accelerated development of AI pipelines to build scalable machine learning models, with 80% fewer lines of code required for custom modeling.
  • Imaging Deployment: Flexible options for cloud, on-prem (on-premises software), or edge deployment to allow organizations to meet diverse sovereignty, data security, and privacy requirements—while providing centralized management and policy enforcement with Google Distributed Cloud.

First Customers Deploy Suite

Hackensack Meridian Health hopes Google’s imaging suite will, eventually, enable the healthcare provider to predict factors affecting variance in prostate cancer outcomes.

“We are working toward building AI capabilities that will support image-based clinical diagnosis across a range of imaging and be an integral part of our clinical workflow,” said Sameer Sethi, Senior Vice President and Chief Data and Analytics Officer at Hackensack, in a news release.

The New Jersey healthcare network said in a statement that its work with Google Cloud includes use of AI and machine learning to enable notification of newborn congenital disorders and to predict sepsis risk in real-time.

Hologic, a medical technology company focused on women’s health, said its collaboration integrates Google Cloud AI with the company’s Genius Digital Diagnostics System.

“By complementing our expertise in diagnostics and AI with Google Cloud’s expertise in AI, we’re evolving our market-leading technologies to improve laboratory performance, healthcare provider decision making, and patient care,” said Michael Quick, Vice President of Research and Development and Innovation at Hologic, in the press release.

Hologic says its Genius Digital Diagnostics System combines AI with volumetric medical imaging to find pre-cancerous lesions and cancer cells. From a Pap test digital image, the system narrows “tens of thousands of cells down to an AI-generated gallery of the most diagnostically relevant,” according to the company website.

Hologic plans to work with Google Cloud on storage and “to improve diagnostic accuracy for those cancer images,” Hsu Lynch told MedCity News.

Medical image storage and sharing technologies like Google Cloud’s Medical Imaging Suite provide an opportunity for radiologists, researchers, and others to share critical image studies with anatomic pathologists and physicians providing care to cancer patients.   

One key observation is that the primary function of this service that Google has begun to deploy is to aid in radiology workflow and productivity, and to improve the accuracy of cancer diagnoses by radiologists. Meanwhile, Google continues to employ pathologists within its medical imaging research and development teams.

Assuming that the first radiologists find the Google suite of tools effective in support of patient care, it may not be too long before Google moves to introduce an imaging suite of tools designed to aid the workflow of surgical pathologists as well.

Donna Marie Pocius

Related Information:

Google Cloud Delivers on the Promise of AI and Data Interoperability with New Medical Imaging Suite

Review of Deep Learning in Medical Imaging: Imaging Traits, Technology Trends, Case Studies with Progress Highlights, and Future Promises

Google Cloud Unveils Medical Imaging Suite with Hologic, Hackensack Meridian as First Customers

Google Cloud Medical Imaging Suite and its Deep Insights

Hackensack Meridian Health and Google Expand Relationship to Improve Patient Care

Google Cloud Introduces New AI-Powered Medical Imaging Suite

EHR Sales Reached $31.5 Billion in 2018 Despite Concerns over Usability, Interoperability, and Ties to Medical Errors

Cerner and Epic are the industry’s revenue leaders, though smaller vendors remain popular with physician groups

Sales of electronic health record (EHR) systems and related hardware and services reached $31.5 billion in 2018. And those sales will increase, according to a 2019 market analysis from Kalorama Information. This is important information for clinical laboratories and anatomic pathology groups that must interface with the EHRs of their physician clients to enable electronic transmission of lab orders and test results between doctor and lab.

The Kalorama report, titled, “EMR 2019: The Market for Electronic Medical Records,” ranks EHR companies based on revenue rather than market penetration. Kansas City-based Cerner holds the No.1 spot on the list. That may be due to Cerner’s securing one of the largest IT contracts in the federal government—a potential $10 billion deal over 10 years with the U.S. Department of Veterans Affairs (VA) to replace the VA’s VistA medical record system.

Is Bigger Better?

Kalorama’s ranking includes familiar big EHR manufacturer names—Cerner (NASDAQ:CERN) and Epic—and includes a new name, Change Healthcare, which was born out of Change Healthcare Holding’s merger with McKesson. However, smaller EHR vendors remain popular with many independent physicians.

“We estimate that 40% of the market is not in the top 15 [in total revenue rankings],” said Bruce Carlson, Kalorama’s publisher, in an exclusive interview with Dark Daily. “There’s a lot of room. There are small vendors out there—Amazing Charts, e-MDs, Greenway, NextGen, Athena Health—that show up on a lot of physician surveys.”

“The EHR is really important,” noted Bruce Carlson (above), Publisher at Kalorama. “Since there are a variety of systems—sometimes different from the LIS [laboratory information management system]—you want to make sure you know the vendors and the space.” Carlson says opportunities remain for new entrants in the 700-plus competitor space, which is expected to see continued mergers and acquisitions that will affect clinical laboratories and their client physicians. (Photo copyright: Twitter.)

Interoperability a Key Challenge, as Most Medical Laboratories Know

Interoperability—or the lack thereof—remains one of the industry’s biggest challenges. For pathologists, that means seamless electronic communication between medical laboratories and provider hospitals can be elusive and can create a backlash against EHR vendors.

Kalorama notes a joint investigation by Fortune and Kaiser Health News (KHN), titled, “Death by a Thousand Clicks: Where Electronic Health Records Went Wrong.” The report details the growing number of medical errors tied to EHRs. One instance involved a California lawyer with herpes encephalitis who allegedly suffered irreversible brain damage due to a treatment delay caused by the failure of a critical lab test order to reach the hospital laboratory. The order was typed into the EHR, but the hospital’s software did not fully interface with the clinical laboratory’s software, so the lab did not receive the order.

“Many software vendors and LIS systems were in use prior to the real launching of EHRs—the [federal government] stimulus programs,” Carlson told Dark Daily. “There are a lot of legacy systems that aren’t compatible and don’t feed right into the EHR. It’s a work in progress.”

Though true interoperability isn’t on the immediate horizon, Carlson expects its arrival within the next five years as the U.S. Department of Health and Human Services ramps up pressure on vendors.

“I think it is going to be a simple matter eventually,” he said. “There’s going to be much more pressure from the federal government on this. They want patients to have access to their medical records. They want one record. That’s not going to happen without interoperability.”

Other common criticisms of EHRs include:

  • Wasted provider time: a recent study published in JAMA Internal Medicine notes providers now spend more time in indirect patient care than interacting with patients.
  • Physician burnout: EHRs have been shown to increase physician stress and burnout.
  • Not worth the trouble: The debate continues over whether EHRs are improving the quality of care.
  • Negative patient outcomes: Fortune’s investigation outlines patient safety risks tied to software glitches, user errors, or other flaws.

There’s No Going Back

Regardless of the challenges—and potential dangers—it appears EHRs are here to stay. “Any vendor resistance of a spirited nature is gone. Everyone is part of the CommonWell Health Alliance now,” noted Carlson.

Clinical laboratories and pathology groups should expect hospitals and health networks to continue moving forward with expansion of their EHRs and LIS integrations.

“Despite the intensity of attacks on EHRs, very few health systems are going back to paper,” Carlson said in a news release. “Hospital EHR systems are largely in place, and upgrades, consulting, and vendor switches will fuel the market.”

Thus, it behooves clinical laboratory managers and stakeholders to anticipate increased demand for interfaces to hospital-based healthcare providers, and even off-site medical settings, such as urgent care centers and retail health clinics.

—Andrea Downing Peck

Related Information:

EMR 2019

EMR Market Tops $30 Billion, Despite Intensifying Criticism and Challenges

VA-Cerner $10B EHR Control Finally Gets Signed

McKesson and Change Healthcare Announce New Company Will be Named Change Healthcare

Assessment of Inpatient Time Allocation among First-Year Internal Medicine Students Using Time-Motion Observation

Kalorama Report Analyzes Global EMR/EHR Market as Tech Giants Apple, Google, and Microsoft Prepare to Launch Their Own Offerings. Will This Alter Current Conditions for Clinical Laboratories and Pathologists?

;