Recent intrusions into the hospitals’ IT systems resulted in blocked medical records including medical laboratory data
Healthcare cyberattacks continue to be a threat that bring potentially costly business consequences for clinical laboratories. Just in the past month, two hospital systems had their health information technology (HIT) systems disrupted due to security incidents. In response, the hospitals’ medical laboratories were forced to switch from digital to paper documentation and, in at least one case, the organization reportedly had difficulty accessing electronic laboratory test results.
At Tallahassee Memorial, an “IT security issue” on Feb. 2 resulted in the organization shutting down its IT systems for 13 days, including at its clinical laboratory. The hospital’s computer network went back online on Feb. 15, according to a news release.
At Atlantic General Hospital, according to an AGH news release, IT personnel discovered a ransomware attack on Jan. 29 that affected the hospital’s central computer system. As a result, the walk-in outpatient laboratory was closed until Feb. 14.
These recent cyberattacks underscore the importance for clinical laboratory leaders to have plans and procedures already in place prior to a disruption in access to critical patient data.
Healthcare cyberattacks can be a “complete blindside for a lot of organizations that think they have protections in place because they bought a product or they developed a policy,” said Ben Denkers (above), Chief Innovation Officer at CynergisTek, an Austin, Texas-based cybersecurity company, in an exclusive interview with The Dark Report. Since clinical laboratory test results make up about 80% of a patient’s medical records, disruption of a hospital’s IT network can be life threatening. (Photo copyright: The Dark Report.)
Laboratory Staff Unable to View Digital Diagnostic Results at Tallahassee Memorial
Though the exact nature of the incident at Tallahassee Memorial HealthCare has not been divulged, hospital officials did report the incident to law enforcement, which suggests a cyberattack had occurred.
Electronic laboratory test results were among the casualties of the IT difficulties at TMH. “Staff have been unable to access digital patient records and lab results because of the shutdown,” a source told CNN.
Attempts by Dark Daily to reach a medical laboratory manager for comment at TMH were unsuccessful. However, in a news release posted online shortly after the cyberattack, the health system advised staff members on dealing with the IT outages.
“Patients and families may notice the switch to paper documentation during registration, admission, or during their care, as our providers will be using paper forms, prescription pads, handwritten notes, or other similar paper methods where they may usually use an electronic process,” the news release stated. “We apologize for any delays this may create. We practice for situations like this, and we are prepared to provide safe, high-quality care to our patients during computer system downtimes.”
Atlantic General Hospital Reports Ransomware Incident to the FBI
At Atlantic General Hospital, the outpatient walk-in laboratory and outpatient imaging department both temporarily closed because of the ransomware attack.
Staff members throughout the hospital were “forced to manually check patients in and out of appointments and record all other information by hand instead of online,” Ocean City Today reported.
The hospital immediately informed the FBI of the ransomware incident and continues to work with an incident response team to determine whether criminals accessed any sensitive data. It was not clear whether the organization ultimately paid a ransom to unlock its systems.
The hospital’s medical laboratory director did not respond to an email from Dark Daily seeking further comment.
Healthcare Cyberattacks Attempt to Gain Access to Data
Therefore, it is critical that clinical laboratory and hospital staff work with their IT counterparts to verify that technology and processes are in place to protect access to patient data.
In “Labs Must Audit Their Cybersecurity Measures,” Ben Denkers, who at that time was Chief Innovation Officer at CynergisTek, a cybersecurity firm based in Austin, Texas, told The Dark Report, “Testing, validating, and auditing whether measures are working as designed is a change of mentality for a lot of organizations.” (If you don’t subscribe to The Dark Report, try our free trial.)
An IT network attack is an attempt by a cybercriminal to gain unauthorized access to devices that contain and exchange data within an organization. Although this information may be on individual devices or on servers, network attacks are often only possible after a hacker enters a system through an endpoint, such as an individual’s email inbox.
“It’s important to understand that while the network server itself might have ultimately been the target, that doesn’t necessarily mean that it was compromised first,” Denkers told The Dark Report. “Phishing is a perfect example of a way an attacker could first gain access to a workstation, and then from there move laterally to a server.”
The final cost of a healthcare cyberattack often exceeds the ransom. Media coverage can lead to an organization’s diminished reputation within the community, and if protected health information (PHI) is accessed by the criminals, a hospital or health system may need to pay for identity theft monitoring for affected patients.
There also are regulatory repercussions that can be costly depending on the circumstances surrounding a cyberattack. For example, on Feb. 2, the US Department of Health and Human Services’ Office for Civil Rights announced a settlement with Banner Health Affiliated Covered Entities (Banner Health), a nonprofit health system headquartered in Phoenix, to resolve a data breach resulting from a hacking incident in 2016. That incident disclosed PHI for 2.81 million patients.
As part of the settlement, Banner Health paid a $1.25 million penalty and will carry out a corrective action plan to protect PHI in the future and resolve any alleged HIPAA violations, according to the HHS Office for Civil Rights.
This hefty penalty is a reminder to pathologists and clinical laboratory managers that—when it comes to cyberattacks—the classic adage “an ounce of prevention is worth a pound of cure” is appropriate advice.
Across the nation, healthcare attorneys and others report that ransomware attacks are happening weekly, and that once providers’ data systems are encrypted, they have few options to regain control of their information systems
Ransomware is now the single biggest threat to your hospital, clinical laboratory, and anatomic pathology group’s ability to operate a viable business. Few practice administrators and managers are fully aware of this threat. And yet, many still have not taken even basic steps to protect their organizations from ransomware attacks.
Encryption attacks that shut down a hospital or lab’s information services come without warning, rendering the provider unable to access electronic healthcare records (EHRs), to schedule appointments, or conduct most other normal business activities.
Further, negotiating with the ransomware attackers to obtain a de-encryption key can take weeks. During that time, the hospital or lab cannot access its essential information systems and that disrupts or even stops patient care.
Think this cannot happen to your hospital or lab? Think again.
Just this spring, Scripps Health of San Diego was hit with a ransomware attack. Key information systems were encrypted, and it did not take patients long to notice that they could not email their physicians, access their medical records, or see their test results.
The ransomware attack became the headline story on the San Diego nightly news. Scripps would only admit that many essential information systems had been encrypted and that the organization was using paper to conduct business.
The ransomware attack on Colonial Pipeline of Houston, which took place one week after the Scripps Health attack, also became global news. Colonial Pipeline supplies gasoline and similar fuels to 14 states—from Georgia in the South to New York and New Jersey in the North. Dark Daily readers living along the Atlantic Coast personally experienced the shortage of gasoline in their communities because of the ransomware attack on Colonial Pipeline.
No Ransom Payment, No De-encryption Key
Ransomware is probably the single biggest threat to every hospital and every clinical lab in this country. But few healthcare organizations are taking the essential steps needed to make their information systems more resistant to an encryption attack. Even fewer hospitals and labs have policies or procedures in place that outline how management should react when an encryption attack is first discovered. Yet these attacks are hitting medical providers every week across the US.
Dark Daily surveyed several major law firms that have sizeable healthcare practices. Each firm stated it is contacted weekly by one or more hospitals, labs, and medical clinics that have had their digital systems encrypted, followed by a demand for ransom. The healthcare providers were told by the hackers that if they did not pay the ransom, they would not receive the de-encryption key required to bring their software, apps, and digital systems back into service.
“This is the biggest story in healthcare, yet it gets little attention,” stated Robert L. Michel, Editor-in-Chief of Dark Daily’s sister publication The Dark Report. “The reason why you don’t read more news stories about ransomware attacks on hospitals and labs is simple. If it becomes known that a hospital or a lab paid ransom to obtain the de-encryption key needed to restore access to its information systems, that encourages other hackers to attack the organization as well, since the hackers know the organization will pay the ransom. They figure if the provider paid the ransom once, the same provider will likely pay it again.”
Payment of Ransom Does Not Guarantee Restoration of Critical Systems
As bad as a ransomware attack on a hospital, lab, or a medical clinic can be—it can get worse. “Experts involved in helping hospitals and labs respond to a ransomware attack say there is no guarantee the de-encryption key provided by the hackers after payment of ransom will restore access to the encrypted systems,” Michel noted. “We hear reports of hospitals and labs that spent more on their efforts to bring the encrypted systems back online and functioning than they did on the actual ransom.”
This is a must-attend webinar—not only for you—but for everyone in your hospital, health system, or clinical laboratory who will be working to prevent ransomware attacks, or who is involved in restoring digital services following such an attack.
Two experts who are contacted each week by multiple hospitals, labs, and medical clinics that were attacked, had their digital systems encrypted, and received a ransom demand for hundreds of thousands—even millions—of dollars from hackers, will be sharing their knowledge and experience in the legal implications of—and the recovery from—ransomware attacks.
Johnson and Caron will cover best practices designed to provide crucial training and decision-making skills for handling a ransomware attack on hospital and health system clinical laboratories and anatomic pathology practices. These best practices include:
Legal issues triggered by a ransomware attack: What to do when an incident is a breach and when it is not.
Your obligations in response to a ransomware attack: HIPAA privacy and other regulatory rules, contractual arrangements (e.g., reference labs), and crisis communication to patients and other stakeholders.
Responding to and negotiating with ransomware perpetrators—including the expected “etiquette” in dealing with cybercriminals—and collaborating with consultants who are experienced in how to deal with ransomware demands.
And much more.
The roundtable discussion will help you understand how a security incident can occur with or without a breach of protected health information (PHI). Johnson and Caron also will discuss how knowing what to do in each scenario is essential to reducing collateral damage to both patients and your organization, and how to educate your hospital, lab and the broader medical community to address—both proactively and in response—the surging risk of ransomware attacks.
And because so many healthcare administrators, physicians, and pathologists are working remotely, Dark Daily has arranged special group rates for hospitals, practices, and physicians that would like their essential leaders to participate in this important webinar and roundtable discussion on protecting against—and recovering from—ransomware attacks.
Inquire at info@darkreport.com or call 512-264-7103.
Thousands of pathologists and medical technologists may have had their private data stolen, though ASCP investigators did not confirm this as having happened
being entered” on the ASCP website, according to a letter sent by McDonald Hopkins PLC to then Attorney General of the New Hampshire Department of Justice (DOJ) Gordon MacDonald.
In “World’s Largest Pathologists Association Discloses Credit Card Incident,” Bleeping Computer, an information security and technology news publication, reported that on March 11 of this year, ASCP employees discovered their system had been hacked. They discerned that between March 3, 2020, and November 6, 2020, the attackers had access to personal information being entered on the ASCP website.
Bleeping Computer noted that “[the ASCP’s] member list includes over 100,000 medical laboratory professionals, clinical and anatomic pathologists, residents, and students.”
In a statement, the ASCP said, “We have recently been informed that our e-commerce website was the target of a cybersecurity attack that, for a limited time period, potentially exposed payment card data as it was entered on our website.”
The information that may have been stolen includes data pertaining to individual credit cards, names, credit or debit card numbers, expiration dates, and security codes (CVV) associated with the cards.
“We engaged external forensic investigators and data privacy professionals and conducted a thorough investigation into the incident,” the ASCP said in the statement.
What Type of Cyberattack?
Evidence collected regarding the ASCP data breach indicates the attack was part of a web-skimming assault. This involves installing malicious software, such as Magecart, onto an e-commerce website. The software acts like a credit card skimmer enabling hackers to steal the payment and personal information of customers who are actively inputting data on the attacked website. The data is then sent to remote servers where it is used for identity theft or sold to others.
ASCP says it does not permanently store any of its customers’ payment card data on its servers, Bleeping Computer reported, which greatly reduces the potential risk of data exposure. In addition, the ASCP has implemented extra security measures to prevent similar incidents from happening in the future.
“We resolved the issue that led to the potential exposure on the website. We implemented additional security safeguards to protect against future intrusions. We continue ongoing intensive monitoring of our website, to ensure that it exceeds industry standards to be secure of any malicious activity,” the ASCP said in a statement, Bleeping Computer reported.
In an interview with TechRepublic, Peter Blum (above), Group Product Manager at Google, discussed steps companies can take to proactively manage the threat of Magecart cyberattacks. “The best defense against Magecart attacks is preventing access,” Blum said. “Online companies need a solution that intercepts all of the API [application programming interface] calls your website makes to the browser and blocks access to sensitive data you have not previously authorized. This prevents any malicious script, or any non-critical third-party script, from gaining access to information your customers enter on your website. This same system should also have a monitoring component to alert companies when a third-party attempts to access sensitive information.” (Photo copyright: LinkedIn.)
Federal Rules and Regulations Concerning HIPAA and PHI
The ASCP stated they have no evidence that any customer data was misused after the incident occurred. As of May 14, the organization has not made an official, public statement regarding the situation on their website, but affected individuals and jurisdictions were sent letters to inform them of the data breach.
With over 130,000 current members, Chicago-based ASCP is the largest professional organization for pathologists and clinical laboratory professionals in the world. The organization did not respond to Dark Daily’s inquiries regarding the data breach.
Notify affected individuals within 60 days of the discovery of the breach. Notification should include a brief description of the breach, the types of information that may have been compromised, steps affected individuals should take to protect themselves from potential harm, and a description of what the organization is doing to investigate the breach, mitigate the harm, and prevent further breaches.
Hacked entity must inform the Secretary of Health and Human Services (HHS) within 60 days of the breach discovery if 500 or more individuals were affected. For breaches affecting less than 500 people, the breached entity may notify the Secretary of such breaches on an annual basis.
For breaches affecting more than 500 individuals, the hacked entity must also provide a notification to prominent media outlets, typically via a press release, that serve the state or jurisdiction.
This breach of credit card information belonging to a sizeable number of pathologists and clinical laboratory professionals using the ASCP website should be a warning to all clinical laboratories and anatomic pathology groups—along with colleges, societies, and associations—that their websites and digital systems can be attacked at any time. As well, clinical laboratory and pathology professionals should be on the alert and take all necessary precautions to minimize the possibility of data breaches.
Strategists agree that big tech is disrupting healthcare,
so how will clinical laboratories and anatomic pathology groups serve virtual
healthcare customers?
Visionary XPRIZE founder Peter Diamandis, MD, sees big tech as “the doctor of the future.” In an interview with Fast Company promoting his new book, “The Future Is Faster Than You Think,” Diamandis, who is the Executive Chairman of the XPRIZE Foundation, said that the healthcare industry is “phenomenally broken” and that Apple, Amazon, and Google could do “a thousandfold” better job.
Diamandis, who also founded Singularity University, a global learning and innovation community that uses exponential technologies to tackle worldwide challenges, according to its website, said, “We’re going to see Apple and Amazon and Google and all the data-driven companies that are in our homes right now become our healthcare providers.”
If this prediction becomes reality, it will bring significant changes in the traditional ways that consumers and patients have selected providers and access healthcare services. In turn, this will require all clinical laboratories and pathology groups to develop business strategies in response to these developments.
Amazon Arrives in Healthcare Markets
Several widely-publicized business initiatives by Amazon, Google, and Apple substantiate these predictions. According to an Amazon blog, healthcare insurers, providers, and pharmacy benefit managers are already operating HIPAA-eligible Amazon Alexa for:
Alexa also enables HIPAA-compliant blood glucose updates as part of the Livongo for Diabetes program. “Our members now have the ability to hear their last blood glucose check by simply asking Alexa,” said Jennifer Schneider, MD, President of Livongo, a digital health company, in a news release.
And Cigna’s “Answers By Cigna” Alexa “skill” gives members who install the option responses to 150 commonly asked health insurance questions, explained a Cigna news release.
“Google plans to disrupt healthcare and use data and artificial intelligence,” Toby Cosgrove, Executive Advisor to the Google Cloud team and former Cleveland Clinic President, told B2B information platform PYMNTs.com.
PYMNTs speculated that Google, which recently acquired Fitbit, could be aiming at connecting consumers’ Fitbit fitness watch data with their electronic health records (EHRs).
“Ultimately what’s best is human and AI collaboratively,” Peter Diamandis, MD, founder of XPRIZE Foundation and Singularity University told Fast Company. “But I think for reading x-rays, MRIs, CT scans, genome data, and so forth, that once we put human ego aside, machine learning is a much better way to do that.” (Photo copyright: SALT.)
Apple Works with Insurers, Integrating Health Data
The Apple Watch health app also enables people to access medical laboratory test results and vaccination records, and “sync up” information with some hospitals, Business Insider explained.
Virtual Care, a Payer Priority: Survey
Should healthcare providers feel threatened by the tech giants? Not necessarily. However, employers and payers surveyed by the National Business Group on Health (NBGH), an employer advocacy organization, said they want to see more virtual care solutions, a news release stated.
“One of the challenges employers face in managing their healthcare costs is that healthcare is delivered locally, and change is not scalable. It’s a market-by-market effort,” said Brian Marcotte, President and CEO of the NBGH, in the news release. “Employers are turning to market-specific solutions to drive meaningful changes in the healthcare delivery system.
“Virtual care solutions bring healthcare to the consumer
rather than the consumer to healthcare,” Marcotte continue. “They continue to
gain momentum as employers seek different ways to deliver cost effective,
quality healthcare while improving access and the consumer experience.”
“In AI, there are three trends to watch,” said health strategist Ted Schwab (above) while speaking at the 2019 Executive War College. “The first major AI trend will affect clinical laboratories and pathologists. It involves how diagnosis will be done on the Internet and via telehealth. The second AI trend is care delivery, such as what we’ve seen with Amazon’s Alexa—you should know that Amazon’s business strategy is to disrupt healthcare. And the third AI trend involves biological engineering,” he concluded. (Photo copyright: Dark Daily.)
“If you use Google in the United States to check symptoms,
you’ll get five-million to 11-million hits,” Schwab told The Dark Report.
“Clearly, there’s plenty of talk about symptom checkers, and if you go online
now, you’ll find 350 different electronic applications that will give you
medical advice—meaning you’ll get a diagnosis over the internet. These
applications are winding their way somewhere through the regulatory process.
“The FDA just released a report saying it plans to regulate
internet doctors, not telehealth doctors and not virtual doctors,” he
continued. “Instead, they’re going to regulate machines. This news is
significant because, today, within an hour of receiving emergency care, 45% of
Americans have googled their condition, so the cat is out of the bag as it
pertains to us going online for our medical care.”
Be Proactive, Not Reactive, Health Leaders Say
Healthcare leaders need to work on improving access to primary care, instead of becoming defensive or reactive to tech companies, several healthcare CEOs told Becker’s Hospital Review.
Clinical laboratory leaders are advised to keep an eye on
these virtual healthcare trends and be open to assisting doctors engaged in
telehealth services and online diagnostic activities.
Many other healthcare systems also are partnering with private genetic testing companies to pursue research that drive precision medicine goals
It is certainly unusual when a major health network announces that it will give away free genetic tests to 10,000 of its patients as a way to lay the foundation to expand clinical services involving precision medicine. However, pathologists and clinical laboratory managers should consider this free genetic testing program to be the latest marketplace sign that acceptance of genetic medicine continues to move ahead.
Notably, it is community hospitals that are launching this
new program linked to clinical laboratory research that uses genetic tests for
specific, treatable conditions. The purpose of such genetic research is to
identify patients who would benefit from test results that identify the best
therapies for their specific conditions, a core goal of precision medicine.
Clinical laboratory leaders will be interested in this
initiative, as well other partnerships between healthcare systems and private
genetic testing companies aimed at identifying and enrolling patients in
research studies for disease treatment protocols and therapies.
The Future of Precision Medicine
Modern Healthcare reported that data from the WholeMe DNA study, which was funded through donations to the AdventHealth Foundation, also will be used by the healthcare network for research beyond FH, as AdventHealth develops its genomics services. The project’s cost is estimated to reach $2 million.
“Genomics is the future of medicine, and the field is rapidly evolving. As we began our internal discussions about genomics and how to best incorporate it at AdventHealth, we knew research would play a strong role,” Wes Walker MD, Director, Genomics and Personalized Health, and Associate CMIO at AdventHealth, told Becker’s Hospital Review.
“We decided to focus on familial hypercholesterolemia
screening initially because it’s a condition that is associated with
life-threatening cardiovascular events,” he continued. “FH is treatable once
identified and finding those who have the condition can lead to identifying
other family members who are subsequently identified who never knew they had
the disease.”
The AdventHealth Orlando website states that participants in the WholeMe study receive information stored in a confidential data repository that meets HIPAA security standards. The data covers ancestry and 22 other genetic traits, such as:
Asparagus Odor Detection
Bitter Taste
Caffeine Metabolism
Cilantro Taste Aversion
Circadian Rhythm
Coffee Consumption
Delayed Sleep
Earwax Type
Endurance vs Power
Exercise Impact on Weight
Eye Color
Freckling
Hair Curl and Texture
Hand Grip Strength
Height
Lactose Tolerance
Sleep Duration
Sleep Movement
Sleeplessness
Sweet Tooth
Tan vs. Sunburn
Waist Size
Those who test positive for a disease-causing FH variant will be referred by AdventHealth for medical laboratory blood testing, genetic counseling, and a cardiologist visit, reported the Ormond Beach Observer.
One in 250 people have FH, and 90% of them are undiagnosed,
according to the FH Foundation,
which also noted that children have a 50% chance of inheriting FH from parents
with the condition.
AdventHealth plans to expand the free testing beyond central
Florida to its 46 other hospitals located in nine states, Modern Healthcare
noted.
Other Genetics Data Company/Healthcare Provider Partnerships
Helix (above) is one of the world’s largest CLIA-certified, CAP-accredited next-generation sequencing labs. The partnership with AdventHealth offered study participants Exome+: a panel-grade medical exome enhanced by more than 300,000 informative non-coding regions; a co-branded ancestry + traits DNA product for all participants; secure storage of genomic data for the lifetime of the participant; infrastructure and data to facilitate research; and in-house clinical and scientific expertise, according to Helix’s website. (Photo copyright: Orlando Sentinel.)
Business Insider noted that Helix has focused on clinical partnerships for about a year and seems to be filling a niche in the genetic testing market.
“Helix is able to sidestep the costs of direct-to-consumer
marketing and clinical test development, while still expanding its customer
base through predefined hospital networks. And the company is in a prime
position to capitalize on providers’ interest in population health management,”
Business Insider reported.
Ochsner’s program is the first “fully digital population
health program” aimed at including clinical genomics data in primary care in an
effort to affect patients’ health, FierceHealthcare
reported.
Hereditary breast and ovarian cancer due to
mutations in BRCA1 and BRCA2 genes;
Lynch
syndrome, associated with colorectal and other cancers; and
FH.
Color also offers genetic testing and whole genome sequencing services to NorthShore’s DNA10K program, which plans to test 10,000 patients for risk for hereditary cancers and heart diseases, according to news release.
And, Jefferson Health offered Color’s genetic testing to the healthcare system’s 33,000 employees, 10,000 of which signed up to learn their health risks as well as ancestry, a Color blog post states.
“Understanding the genome warning signals of every patient will be an essential part of wellness planning and health management,” said Geisinger Chief Executive Officer David Feinberg, MD, when he announced the new initiative at the HLTH (Health) Conference in Las Vegas. “Geisinger patients will be able to work with their family physician to modify their lifestyle and minimize risks that may be revealed,” he explained. “This forecasting will allow us to provide truly anticipatory healthcare instead of the responsive sick care that has long been the industry default across the nation.”
It will be interesting to see how and if genetic tests—free
or otherwise—will advance precision medicine goals and population health
treatments. It’s important for medical laboratory leaders to be involved in health
network agreements with genetic testing companies. And clinical laboratories should
be informed whenever private companies share their test results data with
patients and primary care providers.
