Clinical laboratories and pathology groups should be on the alert for this new digital threat; telehealth sessions and video conferencing calls are particularly vulnerable to acoustic AI attacks
Banks may be the first to get hit by a new form of hacking because of all the money they hold in deposit accounts, but experts say healthcare providers—including medical laboratories—are comparably lucrative targets because of the value of patient data. The point of this hacking spear is artificial intelligence (AI) with increased capabilities to penetrate digital defenses.
AI is developing rapidly. Are healthcare organizations keeping up? The hackers sure are. An article from GoBankingRates titled, “How Hackers Are Using AI to Steal Your Bank Account Password,” reveals startling new AI capabilities that could enable bad actors to compromise information technology (IT) security and steal from customers’ accounts.
Though the article covers how the AI could conduct cyberattacks on bank information, similar techniques can be employed to gain access to patients’ protected health information (PHI) and clinical laboratory databases as well, putting all healthcare consumers at risk.
The new AI cyberattack employs an acoustic Side Channel Attack (SCA). An SCA is an attack enabled by leakage of information from a physical computer system. The “acoustic” SCA listens to keystrokes through a computer’s microphone to guess a password with 95% accuracy.
“With recent developments in deep learning, the ubiquity of microphones and the rise in online services via personal devices, acoustic side channel attacks present a greater threat to keyboards than ever,” wrote UK study authors Joshua Harrison, MEng, Durham University; Ehsan Toreini, University of Surrey; and Maryam Mehrnezhad, PhD, University of London.
Hackers could be recording keystrokes during video conferencing calls as well, where an accuracy of 93% is achievable, the authors added.
This nefarious technological advance could spell trouble for healthcare security. Using acoustic SCAs, attackers could potentially compromise busy healthcare facilities, clinical laboratories, and telehealth appointments.
“The ubiquity of keyboard acoustic emanations makes them not only a readily available attack vector, but also prompts victims to underestimate (and therefore not try to hide) their output,” wrote Joshua Harrison, MEng, and his team in their IEEE Xplore paper. “For example, when typing a password, people will regularly hide their screen but will do little to obfuscate their keyboard’s sound.” Since computer keyboards and microphones in healthcare settings like hospitals and clinical laboratories are ubiquitous, the risk that this AI technology will be used to invade and steal patients’ protected health information is high.
Why Do Hackers Target Healthcare?
Ransomware attacks in healthcare are costly and dangerous. According to InstaMed, a healthcare payments and billing company owned by J.P. Morgan, healthcare data breaches increased to 29.5% in 2021 costing over $9 million. And beyond the financial implications, these attacks put sensitive patient data at risk.
Healthcare can be seen as one of the most desirable markets for hackers seeking sensitive information. As InstaMed points out, credit card hacks are usually quickly figured out and stopped. However, “medical records can contain multiple pieces of personally identifiable information. Additionally, breaches that expose this type of data typically take longer to uncover and are harder for an organization to determine in magnitude.”
With AI advancing at such a high rate, healthcare organizations may be unable to adapt older network systems quickly—leaving them vulnerable.
“Legacy devices have been an issue for a while now,” Alexandra Murdoch, medical data analyst at GlobalData PLC, told Medical Device Network, “Usually big medical devices, such as imaging equipment or MRI machines are really expensive and so hospitals do not replace them often. So as a result, we have in the network these old devices that can’t really be updated, and because they can’t be updated, they can’t be protected.”
But telehealth, according to the UK researchers, may also be one way hackers get past safeguards and into critical hospital systems.
“When trained on keystrokes recorded using the video-conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium. Our results prove the practicality of these side channel attacks via off-the-shelf equipment and algorithms,” the UK researchers wrote in IEEE Xplore.
“[AI] has worrying implications for the medical industry, as more and more appointments go virtual, the implications of deepfakes is a bit concerning if you only interact with a doctor over a Teams or a Zoom call,” David Higgins, Senior Director at information security company CyberArk, told Medical Device Network.
Higgins elaborated on why healthcare is a highly targeted industry for hackers.
“For a credit card record, you are looking at a cost of one to two dollars, but for a medical record, you are talking much more information because the gain for the purposes of social engineering becomes very lucrative. It’s so much easier to launch a ransomware attack, you don’t even need to be a coder, you can just buy ransomware off of the dark web and use it.”
Steps Healthcare Organizations Should Take to Prevent Cyberattacks
Hackers will do whatever they can to get their hands on medical records because stealing them is so lucrative. And this may only be the beginning, Higgins noted.
“I don’t think we are going to see a slowdown in attacks. What we are starting to see is that techniques to make that initial intrusion are becoming more sophisticated and more targeted,” he told Medical Device Network. “Now with things like AI coming into the mix, it’s going to become much harder for the day-to-day individual to spot a malicious email. Generative AI is going to fuel more of that ransomware and sadly it’s going to make it easier for more people to get past that first intrusion stage.”
To combat these attacks, patient data needs to be encrypted, devices updated, and medical staff well-trained to spot cyberattacks before they get out of hand. These SCAs on bank accounts could be easily transferable to attacks on healthcare organizations’ patient records.
Clinical laboratories, anatomic pathology groups, and other healthcare facilities would be wise to invest in cybersecurity, training for workers, and updated technology. The hackers are going to stay on top of the technology; healthcare leaders need to be one step ahead of them.
Amid cost pressures, healthcare providers also plan to cut staff though some jobs are plentiful; adequate staffing at medical laboratories continues to be a challenge
Thanks to the COVID-19 pandemic and subsequent “Great Resignation,” masses of people have left the workforce and companies large and small in all industries are struggling to retain employees. Clinical laboratories have been particularly hard hit with no relief in sight.
Now come the results of a PricewaterhouseCoopers (PwC) survey which shows 50% of US companies in various industries—including major healthcare providers—plan to lay off employees. And 83% of organizations intend to move forward with a “streamlined workforce,” according to the latest PwC Pulse: Managing Business Risks in 2022 report.
How this will affect the workload on remaining hospital and medical laboratory staff is clear. And healthcare consumers may not take well to healthcare providers running leaner and with fewer staff than they currently do.
Nevertheless, the PwC survey results “illustrate the contradictory nature of today’s labor market, where skilled workers can still largely name their terms amid talent shortages even as companies look to let people go elsewhere,” Bloomberg wrote on the CPA Practice Advisor website.
“Organizations are still walking a tightrope when it comes to talent as we begin to see the longer-term impacts of the ‘Great Resignation.’ Finding the proper balance between investing in specialized talent, managing headcount costs, and driving productivity and morale will remain a top focus,” said Bhushan Sethi, People and Organization Joint Global Leader at PwC and an adjunct professor at NYU Stern School of Business, in a PwC news release. Clinical laboratories are finding it particularly challenging to fill staff positions across all areas of lab operations.
Healthcare Has Biggest Challenges, says PwC
Clinical laboratory leaders and pathologist groups are well aware of the unique financial pressures on healthcare systems and medical labs, as well as shortages of pathologists, medical technologists, clinical laboratory scientists, information technology (IT) professionals, and other healthcare workers.
“Healthcare is seeing bigger talent challenges than other industries and is more focused on rehiring employees who have recently left,” the PwC report acknowledged. This is the second Pulse survey PwC conducted in 2022. The 722 respondents included leaders working in human capital and finance.
Finding Right Talent, Focusing on Growth, Automation
Finding the right employees is so important to companies that PwC ranks “talent acquisition” as the second highest risk (38%) behind cyber-attacks (40%).
“Finding the right talent continues to be a challenge for business leaders,” PwC said. “After a frenzy of hiring and a tight labor market over the past few years, executives see the distinction between having people and having people with the right skills.”
Unlike the high-touch and personal nature of healthcare, industries such as consumer technology, media, and telecommunications can turn to automation to alleviate staffing struggles. And that is what nearly two-thirds, or 63%, of companies in those sectors, aim to do, PwC said.
Other survey talent findings:
50% of companies plan layoffs.
46% are dropping or eliminating sign-on bonuses.
44% are rescinding job offers.
Conversely, the surveyed executives also told PwC they are “cautiously optimistic” and plan on growing and investing even as the economy gives mixed signals:
83% of companies are focused on growth.
70% plan an acquisition.
53% aim to invest in digital transformation, 52% in IT, 49% in cybersecurity and privacy, and 48% in customer experience.
“After more than two years dealing with uncertainty related to the pandemic, business leaders recognize the urgent need to focus on growth in order to compete, and they’re zeroing in on what they can control,” PwC said.
New Remote Work Programs, Reduction in Real Estate Investing, Big Tech
Although companies report having more than enough physical office space, many (42%) have launched remote work programs:
70% have expanded or plan to increase “permanent” remote work options as jobs permit.
22% are reducing real estate investment (financial services and healthcare industries lead the way with 30% and 29%, respectively, saying real estate buys are cooling off).
“While companies continue to invest in many areas of the business, they’re scaling back the most in real estate and capex ex [capital expenditure]. After two years of remote work, many companies simply need less space, and they’re allocating capital accordingly,” the PwC report noted.
In a somewhat parallel release to PwC’s findings, news sources are reporting reductions in real estate and staff at high-profile Big Tech companies.
Meta Platforms, Inc. in Menlo Park, Calif. (formerly Facebook Inc.), is closing one of its New York offices and cutting back on plans to expand two other locations in the city, the Observer reported.
Business Insider reported, “More than 32,000 tech workers have been laid off in the US till July, including at Big Tech companies like Microsoft and Meta (formerly Facebook), and the worst has not been over yet for the tech sector that has seen massive stock sell-off.”
According to Forbes, “San Francisco-based electronic signature company DocuSign will lay off 9% of its more than 7,400 employees (roughly 670 employees), the company announced in a Securities and Exchange filing Wednesday, saying the cuts are ‘necessary to ensure we are capitalizing on our long-term opportunity and setting up the company for future success.’”
And Bloomberg recently reported that Intel is planning to lay off thousands of people “around the same time as its third-quarter earnings report on Oct. 27.”
Healthcare Providers Plan Layoffs, Seek IT Pros
Meanwhile, major healthcare provider networks also are planning staff cuts amid service closures, rising costs, and other issues, according to Becker’s Hospital Review:
Ascension in St. Louis, Mo., plans to close an Indiana hospital and nine medical practices and lay off 133 employees.
“Our health system, like others around the nation, is facing significant financial pressures from historic inflation, rising pharmaceutical and labor costs, COVID-19, expiration of CARES Act funding, and reimbursement not proportional with expenses,” BHSH said in a statement shared with Becker’s.
Amidst these layoffs, however, IT jobs in healthcare seem to be growing. According to Becker’s Health IT, some healthcare providers have posted information technology openings:
Mayo Clinic in Rochester, Minn., has 43 IT job openings.
So, though it appears IT positions continue to expand, clinical laboratory leaders and pathology practice managers may want to prepare now for dealing with customers’ response to leaner healthcare systems overall.
According to Damo Consulting’s 2019 Healthcare IT Demand Survey, when it comes to spending money on information technology (IT), healthcare executives believe AI and digital healthcare technologies—though promising—need more development.
Damo’s report notes that 71% of healthcare providers surveyed expect their IT budgets to grow by 20% in 2019. However, much of that growth will be allocated to improving EHR functionality, Healthcare Purchasing News reported in its analysis of Damo survey data.
As healthcare executives plan upgrades to their EHRs, hospital-based medical laboratories will need to take steps to ensure interoperability, while avoiding disruption to lab workflow during transition.
The survey also noted that some providers that are considering investing in AI and digital health technology are struggling to understand the market, the news release states.
Providers More Positive Than Vendors on IT Spend
Damo Consulting is a Chicago-area based healthcare and digital advisory firm. In November 2018, Damo surveyed 64 healthcare executives (40 technology and service leaders, and 24 healthcare enterprise executives). Interestingly, healthcare providers were more positive than the technology developers on IT spending plans, reported HITInfrastructure.com, which detailed the following survey findings:
79% of healthcare executives anticipate high growth in IT spending in 2019, but only 60% of tech company representatives believe that is so.
75% of healthcare executives and 80% of vendor representatives say change in healthcare IT makes buying decisions harder.
71% of healthcare executives and 55% of vendors say federal government policies help IT spending.
50% of healthcare executives associate immaturity with digital solution offerings.
42% of healthcare providers say they lack resources to launch digital.
“While information technology vendors are aggressively marketing ‘digital’ and ‘AI,’ healthcare executives note that the currently available solutions in these areas are not very mature. These executives are confused by the buzz around ‘AI’ and ‘digital,’ the changing landscape of who is playing what role, and the blurred lines of capabilities and competition,” noted Padmanabhan in the survey report.
The survey also notes that “Health systems are firmly committed to their EHR vendors. Despite the many shortcomings, EHR systems appear to be the primary choice for digital initiatives among health systems at this stage.”
Some Healthcare Providers Starting to Use AI
Even as EHRs receive the lion’s share of healthcare IT spends, some providers are devoting significant resources to AI-related projects and processes.
For example, clinical pathologists may be intrigued by work being conducted at Cleveland Clinic’s Center for Clinical Artificial Intelligence (CCAI), launched in March. The CCAI is using AI and machine learning in pathology, genetics, and cancer research, with the ultimate goal of improving patient outcomes, reported Becker’s Hospital Review.
“We’re not in it because AI is cool, but because we believe it can advance medical research and collaboration between medicine and industry—with a focus on the patient,” Aziz Nazha, MD, Clinical Hematology and Oncology Specialist and Director of the CCAI, stated in an article posted by the American Medical Association (AMA).
AI Predictions Lower Readmissions and Improve Outcomes
Cleveland Clinic’s CCAI reportedly has gathered data from 1.6 million patients, which it uses to predict length-of-stays and reduce inappropriate readmissions. “But a prediction itself is insufficient,” Nazha told the AMA. “If we can intervene, we can change the prognosis and make things better.”
The CCAI’s ultimate goal is to use predictive models to “develop a new generation of physician-data scientists and medical researchers.” Toward that end, Nazha notes how his team used AI to develop genomic biomarkers that identify whether a certain chemotherapy drug—azacitidine (aka, azacytidine and marketed as Vidaza)—will work for specific patients. This is a key goal of precision medicine.
CCAI also created an AI prediction model that outperforms existing prognosis scoring systems for patients with Myelodysplastic syndromes (MDS), a form of cancer in bone marrow.
Meanwhile, at Johns Hopkins Hospital, AI applications track availability of beds and more. The Judy Reitz Capacity Command Center, built in collaboration with GE Healthcare Partners, is a 5,200 square feet center outfitted with AI apps and staff to transfer patients and help smooth coordination of services, according to a news release.
Forbes described the Reitz command center as a “cognitive hospital” and reports that it has essentially enabled Johns Hopkins to expand its capacity by 16 beds without undergoing bricks-and-mortar-style construction.
In short, medical laboratory leaders may want to interact with IT colleagues to ensure uninterrupted workflows as EHR functionality evolves. Furthermore, AI developments suggest opportunities for clinical laboratories to leverage patient data and assist in improving the diagnostic accuracy of providers in ways that improve patient care.
New studies show number of Americans who are unwilling to reveal private health information is growing, hindering medical technology developers
Healthcare consumers appear to be raising their expectations not only of the quality of care they receive, but also of the privacy and security of their protected health information (PHI). This is an important development for clinical laboratories and pathology groups, since they hold large quantities of patient test data.
News reports indicate that, due to the increase in patient distrust about privacy and security, developers of health information technology (HIT) products that collect and transmit patient data are struggling to insert their products into the broader healthcare market.
However, there is a positive side to this trend for medical laboratory professionals. Patients’ interest in tighter security and privacy protections provides pathology groups and clinical laboratory leaders with an invaluable opportunity to inform patients on their lab’s use of cybersecurity measures and to reiterate their commitment to protecting their patients’ data.
Clinical Laboratories Can Ease Patient Fears
It’s not enough that medical laboratories promote their services and efficiencies. They also must tout the capability of their laboratory information management systems (LIMS) to protect a patient’s PHI. That’s critical because recent studies indicate high proportions of healthcare consumers are becoming increasingly wary of how their healthcare data are protected.
The graphic above taken from a 2017 Accenture survey may indicate why healthcare consumer trust in an organization’s ability to secure protected health data (PHI) has eroded so deeply. (Graphic copyright: Accenture.)
Numerous reports of data hacking and security breaches have eroded healthcare consumers’ trust. Patients are more skeptical than ever about the benefits of HIT, such as:
The poll aimed at exploring consumers’ adoption and acceptance of HIT. It found:
87% of consumers are unwilling to divulge all their medical information (up from 66% in 2013);
70% of Americans distrust health technology (a significant increase from 10% in 2014);
And 57% of people who underwent actual encounters with providers’ technology (including ancillary providers, such as clinical laboratories) remain skeptical of HIT.
Even with all the bells and whistles, HIT cannot penetrate the healthcare system if people don’t adopt it, a Black Book news release pointed out.
89% of Patients Withhold Information During Office Visits
Respondents to Black Book’s poll reported being especially alarmed by their data being shared (without their acknowledgement or consent) beyond their hospital and physician. This includes:
Pharmacy prescriptions (90%);
Mental health notes (99%); and
Chronic conditions (81%).
Other key findings from the Black Book poll include the fact that:
89% of consumers withheld health information during their 2016 provider visits;
93% are concerned about security of their personal financial information;
69% say their primary care doctor does not have the technological expertise necessary for them to feel safe divulging extensive personal information.
Missing Data Compromises Care, Analytics
An article in Healthcare IT News reported that fear of breaches is translating to consumers’ reticence to share information. And, the Black Book survey states that data analytics and population health efforts by healthcare providers could be compromised due to consumer distrust, according to a FierceHealthcare article.
“Incomplete medical histories and undisclosed conditions, treatment, or medications raises obvious concerns on the reliability and usefulness of patient health data in application of risk-based analytics, care plans, modeling, payment reforms, and population health programming,” stated Doug Brown, President, Black Book, in the news release.
“This revelation should force cybersecurity solutions to the top of the technology priorities in 2017 to achieve tangible trust in big data dependability,” he concluded.
Patients/Doctors at Odds Over Use of Patient Data
According to the Black Book poll, 91% of people surveyed who use wearable medical tracking devices believe their physician’s EHR should be able to store any health-related data they wish. However, physicians responding to the provider section of the survey stated they have all the information they need. In fact, 94% of the doctors stated patient-generated data (generated by wearables) are “overwhelming, redundant, and unlikely to make a clinical difference.”
The disconnect has led to miscommunication and frustration in the doctor/patient relationship, noted a HealthITSecurity article.
People who struggle to find and understand medical information tend to also be wary of health technologies, such as wearables, patient portals, and mobile apps, noted a UT news release.
Conversely, Americans with a high degree of health literacy are more likely to use fitness trackers and online portals and view them as useful and trustworthy, UT researchers stated.
This study of nearly 5,000 Americans also explored patients’ perceptions of privacy and trust in institutions. Researchers found lower health literacy was associated with more distrust and less adoption of HIT tools.
“There is a pressing need to further the understanding of how health literacy is related to HIT app adoption and usage. This will ensure that all users receive the full health benefits from these technologies in a manner that protects health information privacy, and that users engage with organizations and providers they trust,” the researchers wrote.
Another Dark Daily e-briefing summarized accounts of ransomware and cyberattacks on hospitals and medical labs in 2016. Clinical laboratory leaders are reminded to work with provider teams and appropriate experts to determine the lab’s ability to prevent and withstand cyberattacks.
Labs may glean some ideas from these cybersecurity “2017 must-haves” shared (along with others) in a Healthcare IT News article:
Invest in a risk assessment that makes clear exactly what needs to be protected;
Recognize that beyond medical and billing information, high tech equipment (such as lab analyzers) need to be addressed in planning.
Medical laboratory leaders should not be shy about communicating their lab’s cybersecurity priority, investment, and actions taken to keep their patient’s PHI private and secure. That message could be just what skeptical consumers need to hear and could be well received by the lab’s patients.
Medical laboratories now taking the steps to deliver patient-centric lab testing services report solid successes in improving patient/physician satisfaction, increasing lab revenue, and gaining more network access
Evidence is accumulating that “patient-centric” medical laboratory testing services are poised to become one of the most important new paradigms to reshape the house of pathology and clinical laboratory medicine in decades. Better yet, patient-centric lab services will earn more revenue for those labs that move fastest to incorporate these capabilities into their service mix.
“The paradigm of patient-center lab testing services couldn’t come at a better time for the clinical laboratory industry. Most labs are reeling from what is now nearly a full decade of successive and painful reductions in lab test prices and lab budgets,” observed Robert Michel, Editor-in-Chief of The Dark Report, which is Dark Daily’s sister publication. “After years of aggressive cost-cutting, most labs are down to the bare essentials and staff is overworked. That is why there is an urgent need for an operational and clinical strategy that will earn more payment from payers. (more…)