News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel


Change Healthcare Cyberattack Disrupts Pharmacy Order Processing for Healthcare Providers Nationwide

Initially thought to be an attack by a nation-state, actual culprit turned out to be a known ransomware group and each day brings new revelations about the cyberattack

Fallout continues from the cyberattack on Change Healthcare, the revenue cycle management (RCM) company that is a business unit of Optum, itself a division of UnitedHealth Group. Recent news accounts say providers are losing an estimated $100 million per day because they cannot submit claims to Change Healthcare or receive reimbursement for these claims.

The cyberattack took place on February 21. The following day, UnitedHealth Group filed a Material Cybersecurity Incidents report (form 8-K) with the US Securities and Exchange Commission (SEC) in which it stated it had “identified a suspected nation-state associated cybersecurity threat actor [that] had gained access to some of the Change Healthcare information technology systems.”

A few days later the real identity of the threat actor was revealed to be a ransomware group known as “BlackCat” or “ALPHV,” according to Reuters.

Change Healthcare of Nashville, Tenn., is “one of the largest commercial prescription processors in the US,” Healthcare Dive reported, adding that hospitals, pharmacies, and military facilities had difficulty transmitting prescriptions “as a result of the outage.”

Change Healthcare handles about 15 billion payments each year.

According to a Change Healthcare statement, the company “became aware of the outside threat” and “took immediate action to disconnect Change Healthcare’s systems to prevent further impact.”

Change Healthcare has provided a website where parties that have been affected by the cyberattack can find assistance and updated information on Change’s response to the intrusion and theft of its data.

“The fallout is only starting to happen now. It will get worse for consumers,” Andrew Newman (above), founder and Chief Technology Officer, ReasonLabs, told FOX Business, adding, “We know that the likely destination for [the Change Healthcare] data is the Dark Web, where BlackCat will auction it all off to the highest bidder. From there, consumers could expect to suffer from things like identity theft, credit score downgrades, and more.” Clinical laboratories are also targets of cyberattacks due to the large amount of private patient data stored on their laboratory information systems. (Photo copyright: ReasonLabs.)

Millions of Records May be in Wrong Hands

Reuters reported that ALPHV/BlackCat admitted it “stole millions of sensitive records, including medical insurance and health data from the company.” 

The ransomware group has been focusing its attacks on healthcare with 70 incidents since December, according to federal agencies. 

“The healthcare sector has been the most commonly victimized. This is likely in response to the ALPHV BlackCat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023,” noted a joint statement from the federal Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS).

AHA Urges Disrupted Hospitals to Disconnect from Optum

In an AHA Cybersecurity Advisory, the American Hospital Association recommended that affected providers “consider disconnection from Optum until it is independently deemed safe to reconnect to Optum.”

In a letter to HHS, AHA warned, “Change Healthcare’s downed systems will have an immediate adverse impact on hospital finances. … Their interrupted technology controls providers’ ability to process claims for payment, patient billing, and patient cost estimation services.”

“My understanding is Change/Optum touches almost every hospital in the US in one way or another,” John Riggi, AHA’s National Advisor for Cybersecurity and Risk, told Chief Healthcare Executive. “It has sector wide impact in potential risk. So, really, this is an attack on the entire sector.” Riggi spent nearly 30 years with the FBI.

Some physician practices may also have been impacted by the Change Healthcare cyberattack, according to the Medical Group Management Association (MGMA). In a letter to HHS, MGMA described negative changes in processes at doctors’ offices. They include delays in paper and electronic statements “for the duration of the outage.”

In addition, “prescriptions are being called into pharmacies instead of being electronically sent, so patients’ insurance information cannot be verified by pharmacies, and [the patients] are forced to self-pay or go without necessary medication.”

Here are “just a few of the consequences medical groups have felt” since the Change Healthcare cyberattack, according to the MGMA:

  • Substantial billing and cash flow disruptions, such as a lack of electronic claims processing. Both paper and electronic statements have been delayed. Some groups have been without any outgoing charges or incoming payments for the duration of the outage.
  • Limited or no electronic remittance advice from health plans. Groups are having to manually pull and post from payer portals.
  • Prior authorization submissions have been rejected or have not been transmittable at all. This further exacerbates what is routinely ranked the number one regulatory burden by medical groups and jeopardizes patient care.
  • Groups have been unable to perform eligibility checks for patients.
  • Many electronic prescriptions have not been transmitted, resulting in call-in prescriptions to pharmacies or paper prescriptions for patients. Subsequently, patients’ insurance information cannot be verified by pharmacies, and they are forced to self-pay or go without necessary medication.
  • Lack of connectivity to important data infrastructure needed for success in value-based care arrangements, and other health information technology disruptions.

Medical laboratory leaders and pathologists are advised to consult with their colleagues in IT and cybersecurity on how best to prevent ransomware attacks. Labs hold a vast amount of private patient information. Recent incidents suggest more steps and strategies may be needed to protect laboratory information systems and patient data.

—Donna Marie Pocius

Related Information:

UnitedHealth Suspects “Nation-state” Behind Change Cyberattack

UnitedHealth Says ‘Blackcat’ Ransomware Group Behind Hack At Tech Unit

UnitedHealth Hackers Say They Stole ‘Millions’ of Records, then Delete Statement

US SEC Form 8-K

Change Healthcare Incident Status

Information on the Change Healthcare Cyber Response

UnitedHealth Confirms BlackCat Group Behind Recent Cybersecurity Attack

CISA Cybersecurity Advisory

Hackers Behind UnitedHealth Unit Cyberattack Reportedly Identified

Hospitals Affected by Cyberattack of UnitedHealth Subsidiary

UnitedHealth Group’s Change Healthcare Experiencing Cyberattack Could Impact Healthcare Providers

AHA Letter to HHS: Implications Change Healthcare Cyberattack

MGMA Letter to HHS

The Change Healthcare Cyberattack Is Still Impacting Pharmacies. It’s a Bigger Deal Than You Think

PwC Survey Finds 50% of Companies Plan Layoffs and 83% Intend to Move Forward with Streamlined Workforces

Amid cost pressures, healthcare providers also plan to cut staff though some jobs are plentiful; adequate staffing at medical laboratories continues to be a challenge

Thanks to the COVID-19 pandemic and subsequent “Great Resignation,” masses of people have left the workforce and companies large and small in all industries are struggling to retain employees. Clinical laboratories have been particularly hard hit with no relief in sight.

Now come the results of a PricewaterhouseCoopers (PwC) survey which shows 50% of US companies in various industries—including major healthcare providers—plan to lay off employees. And 83% of organizations intend to move forward with a “streamlined workforce,” according to the latest PwC Pulse: Managing Business Risks in 2022 report.

How this will affect the workload on remaining hospital and medical laboratory staff is clear. And healthcare consumers may not take well to healthcare providers running leaner and with fewer staff than they currently do.

Nevertheless, the PwC survey results “illustrate the contradictory nature of today’s labor market, where skilled workers can still largely name their terms amid talent shortages even as companies look to let people go elsewhere,” Bloomberg wrote on the CPA Practice Advisor website.

“Organizations are still walking a tightrope when it comes to talent as we begin to see the longer-term impacts of the ‘Great Resignation.’ Finding the proper balance between investing in specialized talent, managing headcount costs, and driving productivity and morale will remain a top focus,” said Bhushan Sethi (above), People and Organization Joint Global Leader at PwC and an adjunct professor at NYU Stern School of Business in a PwC news release. Clinical laboratories are finding it particularly challenging to fill staff positions across all areas of lab operations. (Photo copyright: PwC.)

Healthcare Has Biggest Challenges, says PwC

Clinical laboratory leaders and pathologist groups are well aware of the unique financial pressures on healthcare systems and medical labs, as well as shortages of pathologists, medical technologists, clinical laboratory scientists, information technology (IT) professionals, and other healthcare workers.

“Healthcare is seeing bigger talent challenges than other industries and is more focused on rehiring employees who have recently left,” the PwC report acknowledged. This is the second Pulse survey PwC conducted in 2022. The 722 respondents included leaders working in human capital and finance.  

Finding Right Talent, Focusing on Growth, Automation

Finding the right employees is so important to companies that PwC ranks “talent acquisition” as the second highest risk (38%) behind cyber-attacks (40%).

“Finding the right talent continues to be a challenge for business leaders,” PwC said. “After a frenzy of hiring and a tight labor market over the past few years, executives see the distinction between having people and having people with the right skills.”

Unlike the high-touch and personal nature of healthcare, industries such as consumer technology, media, and telecommunications can turn to automation to alleviate staffing struggles. And that is what nearly two-thirds, or 63%, of companies in those sectors aim to do, PwC said.

Other survey talent findings:

  • 50% of companies plan layoffs.
  • 46% are dropping or eliminating sign-on bonuses.
  • 44% are rescinding job offers.

Conversely, the surveyed executives also told PwC they are “cautiously optimistic” and plan on growing and investing even as the economy gives mixed signals:

  • 83% of companies are focused on growth.
  • 70% plan an acquisition.
  • 53% aim to invest in digital transformation, 52% in IT, 49% in cybersecurity and privacy, and 48% in customer experience.

“After more than two years dealing with uncertainty related to the pandemic, business leaders recognize the urgent need to focus on growth in order to compete, and they’re zeroing in on what they can control,” PwC said.

New Remote Work Programs, Reduction in Real Estate Investing, Big Tech

Although companies report having more than enough physical office space, many (42%) have launched remote work programs:

  • 70% have expanded or plan to increase “permanent” remote work options as jobs permit.
  • 22% are reducing real estate investment (financial services and healthcare industries lead the way with 30% and 29%, respectively, saying real estate buys are cooling off).

“While companies continue to invest in many areas of the business, they’re scaling back the most in real estate and capex [capital expenditure]. After two years of remote work, many companies simply need less space, and they’re allocating capital accordingly,” the PwC report noted.

In a somewhat parallel release to PwC’s findings, news sources are reporting reductions in real estate and staff at high-profile Big Tech companies.

Meta Platforms, Inc. in Menlo Park, Calif. (formerly Facebook Inc.), is closing one of its New York offices and cutting back on plans to expand two other locations in the city, the Observer reported.

Business Insider reported, “More than 32,000 tech workers have been laid off in the US till July, including at Big Tech companies like Microsoft and Meta (formerly Facebook), and the worst has not been over yet for the tech sector that has seen massive stock sell-off.”

According to Forbes, “San Francisco-based electronic signature company DocuSign will lay off 9% of its more than 7,400 employees (roughly 670 employees), the company announced in a Securities and Exchange filing Wednesday, saying the cuts are ‘necessary to ensure we are capitalizing on our long-term opportunity and setting up the company for future success.’”

And Bloomberg recently reported that Intel is planning to lay off thousands of people “around the same time as its third-quarter earnings report on Oct. 27.”

Healthcare Providers Plan Layoffs, Seek IT Pros

Meanwhile, major healthcare provider networks also are planning staff cuts amid service closures, rising costs, and other issues, according to Becker’s Hospital Review:

“Our health system, like others around the nation, is facing significant financial pressures from historic inflation, rising pharmaceutical and labor costs, COVID-19, expiration of CARES Act funding, and reimbursement not proportional with expenses,” BHSH said in a statement shared with Becker’s.

Amidst these layoffs, however, IT jobs in healthcare seem to be growing. According to Becker’s Health IT, some healthcare providers have posted information technology openings:

So, though it appears IT positions continue to expand, clinical laboratory leaders and pathology practice managers may want to prepare now for dealing with customers’ response to leaner healthcare systems overall.

Donna Marie Pocius

Related Information:

PwC Pulse: Managing Business Risks in 2022

Layoffs are Being Planned at Half of US Companies, PwC Survey Shows

Business Executives Remain Bullish about Their Ability to Manage Turbulent Conditions, according to New PwC Survey

Meta Is Closing a Manhattan Office as It Consolidates Its New York City Presence

50% of Companies Planning Job Cuts Amid Economic Downturn: Report

Ascension to Close Hospital, Lay Off 133 Workers

Microsoft Reportedly Cuts Nearly 1,000 Employees—Here Are the Biggest US Layoffs This Year

Intel Is Planning Thousands of Job Cuts in Face of PC Slump

Hospitals Cut Jobs to Resuscitate Finances

IT Job Openings at Mayo, Northwell, CommonSpirit, and Providence

Ransomware Attacks on Scripps Health, Universal, and Utah Pathology Services Show Hospitals and Health Systems Are Increasingly in the Crosshairs

Recent attacks illustrate how costly a security breach can be and why clinical laboratories and pathology groups must work to protect their information systems from ransomware attacks

Recent ransomware attacks on Scripps Health, Universal Health Services, and Utah Pathology Services clearly illustrate how vulnerable the healthcare industry is to being targeted. These attacks left patients’ protected health information (PHI) exposed and the healthcare organizations open to federal scrutiny and possibly fines or other punitive actions.

Therefore, it is crucial that clinical laboratories and pathology groups have a cybersecurity strategy in place for dealing with ransomware attacks. Running security drills may need to be part of that strategy. Managers and employees should undergo specific training, and vendors must be vetted carefully. Without such a strategy, the question is not if an attack will happen, but rather when an attack will succeed.

Ransomware Attackers are Getting Better

“Ransomware is increasing in sophistication; it’s increasing in prevalence. The purveyors of ransomware are generally reinvesting the fees that they collect from the entities they extort to acquire more capabilities,” Beau Woods, Senior Advisor at the federal Cybersecurity and Infrastructure Security Agency (CISA), told The San Diego Tribune.

“They’re getting better, they’re getting more frequent, particularly during the pandemic where we’ve opened up more connectivity to allow more remote work,” he added.

The Scripps Health attack is notable for several reasons, with one being the length of the outage it caused. The attack was first detected on May 1 of this year. It took four weeks before Scripps could restore most of its network and get its Epic EHR back online, Health IT Security reported.

However, the ransomware attack on Universal Health Services (NYSE:UHS) may be the biggest attack so far. It took place on September 27, 2020, and caused a three-week outage. The company told The San Diego Tribune the incident had a $67 million impact on operations.

According to HIPAA Journal, “The phone system was taken out of action, and without access to computers and electronic health records, employees had to resort to pen and paper to record patient information. In the early hours after the attack occurred, the health system diverted ambulances to alternative facilities and some elective procedures were either postponed or diverted to competitors. Patients reported delays receiving test results while UHS recovered from the attack.”

At Utah Pathology Services, an employee e-mail hack resulted in the potential exposure of patient data. The malicious actors attempted to divert funds intended for a physician but failed to do so. However, the information of 112,000 patients was accessible to the hacker during the attempt.

“The compromised data varied by patient but could include names, contact information, insurance details such as ID and group numbers, medical and health information like internal records numbers and clinical and diagnostic information, and some Social Security numbers,” Health IT Security reported.

“We are seeing adversaries that are targeting our pharmaceutical companies, pharmaceutical research, laboratory companies, testing and really even out into the future manufacturing of the vaccine systems,” Bryan S. Ware (above left), Assistant Director for Cybersecurity for the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), told CyberScoop. CISA Director Christopher Krebs (above right) added, “At the onset of the COVID-19 pandemic, we recognized just how vital the healthcare sector was to the response and we established Project Taken to bring to bear the government’s particular set of skills to protect those organizations.” (Photo copyrights: CyberScoop/Business Insider.)

Value of Patient Data on the Dark Web is Increasing

In the case of the Utah Pathology Services attack, the hackers were specifically after money. However, according to cybersecurity company SecureLink, patient records are “the new prize” for hackers. Healthcare data carries a value of its own on the digital black market. In fact, healthcare data is more valuable than credit card or banking data.

“Healthcare data is valuable on the black market because it often contains all of an individual’s personally identifiable information, as opposed to a single marker that may be found in a financial breach,” SecureLink wrote in a blog post.

In “Here’s How Much Your Personal Information Is Selling for on the Dark Web,” credit rating agency Experian estimated a stolen medical record could sell for between $1 and $1,000, while a Social Security number alone is worth about a dollar.

A 2018 Trustwave Global Security Report estimated that a healthcare record is worth about $250. Trustwave, however, estimated the value of a banking record at less than $5. That strongly suggests health records are increasing in value.

And even after a healthcare entity has regained control of its IT infrastructure, the hacker still has possession of the stolen patient information. It may take weeks or years for the hacker to sell that information, meaning the breach represents a continuing threat to the healthcare organization and its patients.

Clinical Laboratories Must Prepare for an Attack

Simply understanding the threat is not enough. Clinical laboratory and pathology group managers must have robust plans in place for both protecting patient information and for dealing with a security breach should one occur.

According to a Health IT Security report, “The ransomware attack that struck all 400 UHS care sites and caused three weeks of EHR downtime in September, cost the health system $67 million in recovery costs and lost revenue.”

The report added, “Security researchers have long-recommended the need for providers to shift into a proactive security model, like zero trust. Recent reports show successful cyberattacks on healthcare providers doubled in the last year, with at least 560 providers falling victim to ransomware.”

In “Three Federal Agencies Warn Healthcare Providers of Pending Ransomware Attacks; Clinical Laboratories Advised to Assess Their Cyberdefenses,” Dark Daily reported on an FBI, federal Department of Health and Human Services (HHS), and federal Cybersecurity and Infrastructure Security Agency (CISA) joint advisory (AA20-302A) that warned US hospitals, clinical laboratories, and other healthcare providers to prepare for impending ransomware attacks in 2020.

To deal with the ransomware attacks, we wrote, “CISA, FBI, and HHS advise against paying ransoms. ‘Payment does not guarantee files will be recovered,’ the advisory states. ‘It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.’ The federal agencies advise organizations to take preventive measures and adopt plans for coping with attacks.

“The advisory suggests:

  • Training programs for employees, including raising awareness about ransomware and phishing scams. Organizations should ‘ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.’
  • Regular backups of data and software. These should be ‘maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups.’ Personnel should also test the backups.
  • Continuity plans in case information systems are not accessible. For example, organizations should maintain ‘hard copies of digital information that would be required for critical patient healthcare.’”

Given the enormous amounts of money hackers can earn from selling protected health information on the Dark Web, it is a near certainty these attacks will continue. Clinical laboratory and anatomic pathology group managers would be well advised to plan for the inevitability that their health system will be targeted.

—Dava Stewart

Related Information:

It’s Not Just Scripps. Ransomware Has Become Rampant During Pandemic

Scripps Health Network Still Down, 2 Weeks After Cyberattack

Universal Health Services Ransomware Attack Cost $67 Million in 2020

112K Patients Impacted by Utah Pathology Services Email Hack

Healthcare Data: The New Prize for Hackers

Here’s How Much Your Personal Information Is Selling for on the Dark Web

Trustwave Global Security Report

UHS Ransomware Attack Cost $67M in Lost Revenue, Recovery Efforts

CISA Turns to Security Experts with Street Cred to Protect Health Sector

Three Federal Agencies Warn Healthcare Providers of Pending Ransomware Attacks; Clinical Laboratories Advised to Assess Their Cyberdefenses

HHS Announces Culpability Limits for HIPAA Violations, Drops Annual Fines Owed by Providers

Clinical laboratories need to understand how their patients’ protected health information is being used and secured by vendors to avert data breaches and HHS penalties

Most readers of The Dark Report, the sister publication to the Dark Daily, are aware that more than 24 million clinical laboratory patients had their protected health information (PHI) stolen during several recent data breaches involving multiple medical laboratory companies.

The first public statements made by clinical lab companies about breaches of protected health information were issued in June. Collectively, the following three lab companies announced that the data of more than 20 million patients was compromised:

In the eight weeks that followed, additional medical laboratory companies publicly disclosed breaches of their patient data, including:

What all these clinical lab companies had in common was that they had contracted with American Medical Collection Agency (AMCA) to process lab test claims. AMCA is where the data breaches originated.

Under the rules established by the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, responsibility for the security of patient PHI falls to covered entities and business associates. This includes healthcare providers, health plans, and healthcare clearinghouses, such as AMCA. For clinical laboratories, this also includes vendors who receive patients’ PHI to complete their service contracts.

Until recently, any violation of HIPAA could draw down enormous fines—called Civil Money Penalties (CMPs)—by the US Department of Health and Human Services (HHS). Fines could reach $1.5 million annually across four categories, or tiers, of violations, depending on HHS’ determination as to the “level of culpability” of the violator. Those categories and min/max fines include:

  • No Knowledge, $100-$50,000 fine, $1.5 mil annual limit.
  • Reasonable Cause, $1,000-$50,000 fine, $1.5 mil annual limit.
  • Willful Neglect-Corrected, $10,000-$50,000, $1.5 mil annual limit.
  • Willful Neglect-Not Corrected, $50,000-$50,000, $1.5 mil annual limit.

Earlier this year, HHS released a “Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties.” In it, HHS revised its interpretation of the law and reduced CMPs, while more clearly defining how provider culpability ties to the ultimate amount of the fines:

  • No Knowledge, $100-$50,000 fine, $25,000 annual limit.
  • Reasonable Cause, $1,000-$50,000 fine, $100,000 annual limit.
  • Willful Neglect-Corrected, $10,000-$50,000, $250,000 annual limit.
  • Willful Neglect-Not Corrected, $50,000-$50,000, $1.5 mil annual limit.

In the notice, HHS stated, “the Department recognized that section 13410(d) contained apparently inconsistent language (i.e., its reference to two penalty tiers ‘for each violation,’ each of which provided a penalty amount ‘for all such violations’ of an identical requirement or prohibition in a calendar year). To resolve this inconsistency, with the exception of violations due to willful neglect that are not timely corrected, the [interim final rule] adopted a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopted the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules in a calendar year.”

Modern Healthcare reports that “organizations that have taken measures to meet HIPAA’s requirements will face a much smaller maximum penalty than those who are found neglectful.”

Thus, the new HHS guidelines will be of interest to clinical laboratories, which must ensure the privacy of patients’ PHI, including being keenly aware of how vendor business associates are handling their patients’ data.

In an exclusive interview with The Dark Report, James Giszczak (above), Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins, said two important steps clinical laboratories must take include, “ensuring that your vendor has appropriate insurance policies in place that cover PHI breaches, and confirming that vendors comply with laws governing the protection of patients’ information.” To do that, he says, every lab needs to ensure that all critical provisions are covered in each contract it has with each vendor. (Photo copyright: Institute of Continuing Legal Education.)

Did HHS Go Too Far?

Some experts, however, wonder if HHS went too far in reducing annual penalties providers may owe. Could lower annual CMP caps cause organizations to relax strict PHI policies? Some privacy authorities urge caution and raise concern about how incentives may be perceived by providers and others.

“HHS is adopting a much lower annual cap for all violations except those due to willful neglect, which means significantly lower penalties for large breaches and for ongoing persistent violations of the rules,” Deven McGraw, Chief Regulatory Officer at Citizen Corporation and former Deputy Director Health Information Privacy for HHS’ Office for Civil Rights, told FierceHealthcare.

“Arguably,” she continued, “the incentive to fix these persistent failures is much less because the potential fines for failing to do so will not be very large. Same is true for large breaches—if you breach 10 records, at a minimum penalty of $1,000 for a breach due to reasonable cause, your fine would be $100,000, which is the annual cap.”

New Annual Limits Recognize ‘Unintentional’ Violations

But not all experts agree. Prior to HHS’ announcement, minimum to maximum penalty violations were the same as noted in the tiers above. The annual limits ($1.5 million), however, were the same for each of the four tiers.

Matthew Fisher, Partner at Mirick O’Connell and Chair of the Worcester, Mass. firm’s health law group, says the new penalty structure “is arguably good in terms of aligning potential penalties with the level of culpability.”

“If a violation was clearly unintentional and without knowledge, why should a potentially massive fine follow? While the discretion existed, the interpretation will now be binding and remove the potential uncertainty,” he told FierceHealthcare.

Advice for Clinical Laboratories

Labs are advised to develop appropriate procedures to safeguard their patients’ PHI under federal and state laws. And this includes knowing how vendors handle PHI. 

“Every lab should be proactive and do a review to understand each vendor’s policies, procedures, training, and response in the event of a breach,” James Giszczak, Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins in Bloomfield Hills, Mich., told The Dark Report (TDR).

“By being prepared, clinical laboratories can save themselves many headaches,” he said. “Ultimately, these proactive steps may help laboratories save time, money, and costly bad publicity.”

Following that advice, along with understanding the new HHS notice, will help medical laboratory managers ensure the privacy and security of their clients’ PHI.

—Donna Marie Pocius

Related Information:

HHS Implements HIPAA Fine Caps Based on Level of Culpability

Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties

HHS Moves to Reduce HIPAA Fines Lowering the Cap More Than $M for Some Violations

HHS to Cap HIPAA Fines Based on “Culpability”

Labs Should Heed Lessons from Huge Data Breach

Late-Breaking Lab News: Add Eight More Laboratories to the List of Lab Companies Whose Patient Data Were Breached

PwC Predicts Forces Shaping Healthcare in 2018; Some Could Impact Clinical Laboratories and Anatomic Pathology Groups

PwC’s list of 12 factors that will shape the healthcare landscape in 2018 calls attention to many new innovations Dark Daily has reported on that will impact how medical laboratories perform their tests

PwC’s Health Research Institute (HRI) issued its annual report, detailing the 12 factors expected to impact the healthcare industry the most in 2018. Dark Daily culled items from the list that will most likely impact clinical laboratories and anatomic pathology groups. They include:

How clinical laboratory leaders respond to these items could, in part, be determined by new technologies.

AI Is Everywhere, Including in the Medical Laboratory

Artificial intelligence is becoming highly popular in the healthcare industry. According to an article in Healthcare IT News, business executives who were polled want to “automate tasks such as routine paperwork (82%), scheduling (79%), timesheet entry (78%), and accounting (69%) with AI tools.” However, only about 20% of the executives surveyed have the technology in place to use AI effectively. The majority—about 75%—plan to invest in AI over the next three years—whether they are ready or not.

One such example of how AI could impact clinical laboratories was demonstrated by a recent advancement in microscope imaging. Researchers at the University of Waterloo (UW) developed a new spectral light fusion microscope that captures images in full color and is far less expensive than microscopes currently on the market.

“In medicine, we know that pathology is the gold standard in helping to analyze and diagnose patients, but that standard is difficult to come by in areas that can’t afford it,” Alexander Wong, PhD, one of the UW researchers, told CLP.

“The newly developed microscope has no lens and uses artificial intelligence and mathematical models of light to develop 3D images at a large scale. To get the same effect using current technologies—using a machine that costs several hundred thousand dollars—a technician is required to ‘stitch together’ multiple images from traditional microscopes,” CLP noted.

Healthcare Intermediaries Could Become Involved with Clinical Laboratory Data

Pricing is one of the biggest concerns for patients and government entities. This is a particular concern for the pharmaceutical sector. PwC’s report notes that “stock values for five of the largest intermediaries in the pharmacy supply chain have slumped in the last two years as demands for lower costs and better outcomes have intensified.”

Thus, according to PwC, pressure may come to bear on intermediaries such as Pharmacy Benefit Managers (PBMs) and wholesalers, to “prove value and success in creating efficiencies or risk losing their place in the supply chain.”

Similar pressures to lower costs and improve efficiency are at work in the clinical laboratory industry as well. Dark Daily reported on one such cost-cutting measure that involves shifting healthcare payments toward digital assets using blockchains. The technology digitally links trusted payers and providers with patient data, including medical laboratory test results. (See, “Blockchain Technology Could Impact How Clinical Laboratories and Pathology Groups Exchange Lab Test Data,” September 29, 2017.)

PwC’s latest report predicts 12 forces that will continue to impact healthcare, including clinical laboratories and anatomic pathology groups, in 2018. (Photo copyright: PwC/Issuu.)

The Opioid Crisis Remains at the Forefront

Healthcare will continue to feel the impact of the opioid crisis, according to the PwC report. Medical laboratories will continue to be involved in the diagnosis and treatment of opioid addiction, which has garnered the full attention of the federal government and has become a multi-million-dollar industry.

Security Remains a Concern

Cybersecurity will continue to impact every facet of healthcare in 2018. Healthcare IT News reported, “While 95% of provider executives believe their organization is protected against cybersecurity attacks, only 36% have access management policies and just 34% have a cybersecurity audit process.”

Patients are aware of the risks and are often skeptical of health information technology (HIT), Dark Daily reported in June of last year. Clinical laboratories must work together with providers and healthcare organizations to audit their security measures. Recognizing the importance of the topic, the National Independent Laboratory Association (NILA) has named cybersecurity for laboratory information systems (LIS) a focus area.

Patient Experience a Priority

Although there have been significant improvements in the area of administrative tasks, there is still an enormous demand for a better patient experience, including in clinical laboratories. Healthcare providers want patients to make changes for the better that ultimately improve outcomes, and the patient experience is one path toward that goal.

“Provider reimbursements will be based in part on patient engagement efforts such as promoting self-management and coaching patients between visits,” PwC noted in its report, a fact that Dark Daily has continually reported on for years. (See, “Pathologists and Clinical Lab Executives Take Note: Medicare Has New Goals and Deadlines for Transitioning from Fee-For-Service Healthcare Models to Value-Based Reimbursement,” April 1, 2015.)

Demands for Price Transparency Increase

As they follow healthcare reform guidelines to increase quality while lowering costs, state governments will continue to ramp up pressure on healthcare providers and third parties in the area of pricing. Rather than simply requiring organizations to report on pricing, states are moving towards legislating price controls, as Dark Daily reported in February.

Social Factors Affect Healthcare Access

The transition to value-based care makes clear the fact that patients’ socioeconomic statuses matter when it comes to their health. “The most important part of getting good results is not the knowledge of the doctors, not the treatment, not the drug. It’s the logistics, the social support, the ability to arrange babysitting,” David Berg, MD, co-founder of Redirect Health, told PwC.

One such transition that is helping patients gain access to healthcare involves microhospitals and their adoption of telemedicine technologies, which Dark Daily reported on in March.

“Right now, they seem to be popping up in large urban and suburban metro areas,” Priya Bathija, Vice President, Value Initiative, American Hospital Association, told NPR. “We really think they have the potential to help in vulnerable communities that have a lack of access.”

Data Collection Challenges Pharma

The 21st Century Cures Act, along with the potential exploitation of Big Data, will make it possible for organizations to gain faster, less expensive approvals from the US Food and Drug Administration (FDA). As Dark Daily noted in April, the FDA “released guidelines on how the agency intends to regulate—or not regulate—digital health, clinical-decision-support (CDS), and patient-decision-support (PDS) software applications.”

“Physician decision-support software utilizes medical laboratory test data as a significant part of a full dataset used to guide caregivers,” Dark Daily noted. “Thus, if the FDA makes it easier for developers to get regulatory clearance for these types of products, that could positively impact medical labs’ ability to service their client physicians.”

Healthcare Delivery During and Following Natural Disasters

PwC predicts the long-term physical results, financial limitations, and supply chain disruptions following natural disasters will continue to affect healthcare in 2018. The devastation can prevent many people from receiving adequate, timely healthcare.

However, new laboratory-on-a-chip (LOC) and other “lab-on-a-…” testing technologies, coupled with medical drone delivery services, can bring much-needed healthcare to remote, unreachable areas that lack electricity and other services. (See Dark Daily, “Lab-on-a-Fiber Technology Continues to Highlight Nano-Scale Clinical Laboratory Diagnostic Testing in Point-of-Care Environments,” April 2, 2018, and, “Johns Hopkins’ Test Drone Travels 161 Miles to Set Record for Delivery Distance of Clinical Laboratory Specimens,” November 15, 2017.)

PwC’s report is an important reminder of where the clinical laboratory/anatomic pathology industry has come from and where it is headed. Sharp industry leaders will pay attention to the predictions contained therein.

—Dava Stewart

Related Information:

Top Health Industry Issue of 2018

PwC Health Research Institute Top Health Industry Issues of 2018 Report: Issuu Slide Presentation

12 Defining Healthcare Issues of 2018

Is Laboratory Medicine Ready for Artificial Intelligence?

Artificial Intelligence Imaging Research Facilitates Disease Diagnosis

Blockchain Technology Could Impact How Clinical Laboratories and Pathology Groups Exchange Lab Test Data

Skepticism, Distrust of HIT by Healthcare Consumers Undermines Physician Adoption of Medical Reporting Technologies, But Is Opportunity for Pathology Groups, Clinical Laboratories

Pathologists and Clinical Lab Executives Take Note: Medicare Has New Goals and Deadlines for Transitioning from Fee-For-Service Healthcare Models to Value-Based Reimbursement

Researchers Point to Cost of Services, including Medical Laboratories, for Healthcare Spending Gap Between the US and Other Developed Countries

Telemedicine and Microhospitals Could Make Up for Reducing Numbers of Primary Care Physicians in US Urban and Metro Suburban Areas

New FDA Regulations of Clinical Decision-Support/Digital Health Applications and Medical Software Has Consequences for Medical Laboratories

Lab-on-a-Fiber Technology Continues to Highlight Nano-Scale Clinical Laboratory Diagnostic Testing in Point-of-Care Environments

Johns Hopkins’ Test Drone Travels 161 Miles to Set Record for Delivery Distance of Clinical Laboratory Specimens
