Sophisticated cyberattacks have already hit hospitals and healthcare networks in Oregon, California, New York, Vermont, and other states
Attention medical laboratory managers and pathology group administrators: It’s time to ramp up your cyberdefenses. The FBI, the federal Department of Health and Human Services (HHS), and the federal Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory (AA20-302A) warning US hospitals, clinical laboratories, and other healthcare providers to prepare for impending ransomware attacks, in which cybercriminals use malware, known as ransomware, to encrypt files on victims’ computers and demand payment to restore access.
The joint advisory, titled, “Ransomware Activity Targeting the Healthcare and Public Health Sector,” states, “CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.” It includes technical details about the threat—which uses a type of ransomware known as Ryuk—and suggests best practices for preventing and handling attacks.
In his KrebsOnSecurity blog post, titled, “FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals,” former Washington Post reporter, Brian Krebs, wrote, “On Monday, Oct. 26, KrebsOnSecurity began following up on a tip from a reliable source that an aggressive Russian cybercriminal gang known for deploying ransomware was preparing to disrupt information technology systems at hundreds of hospitals, clinics, and medical care facilities across the United States. Today, officials from the FBI and the US Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an ‘imminent cybercrime threat to US hospitals and healthcare providers.’”
Krebs went on to report that the threat is linked to a notorious cybercriminal gang known as UNC1878, which planned to launch the attacks against 400 healthcare facilities.
Clinical Labs, Pathology Groups at Risk Because of the Patient Data They Keep
Hackers initially gain access to organizations’ computer systems through phishing campaigns, in which users receive emails “that contain either links to malicious websites that host the malware or attachments with the malware,” the advisory states. Krebs noted that the attacks are “often unique to each victim, including everything from the Microsoft Windows executable files that get dropped on the infected hosts to the so-called ‘command and control’ servers used to transmit data between and among compromised systems.”
Charles Carmakal, SVP and Chief Technology Officer of cybersecurity firm Mandiant, told Reuters, “UNC1878 is one of the most brazen, heartless, and disruptive threat actors I’ve observed over my career,” adding, “Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline.”
Multiple Healthcare Provider Networks Under Attack
Hospitals in Oregon, California, and New York have already been hit by the attacks, Reuters reported. “We can still watch vitals and getting imaging done, but all results are being communicated via paper only,” a doctor at one facility told Reuters, which reported that “staff could see historic records but not update those files.”
Some of the hospitals that have reportedly experienced cyberattacks include:
In October, the Associated Press (AP) reported that a recent cyberattack disrupted computer systems at six hospitals in the University of Vermont (UVM) Health Network. The FBI would not comment on whether that attack involved ransomware; however, it forced the UVM Medical Center to shut down its computer system and reschedule elective procedures.
Threat intelligence analyst Allan Liska of US cybersecurity firm Recorded Future told Reuters, “This appears to have been a coordinated attack designed to disrupt hospitals specifically all around the country.”
He added, “While multiple ransomware attacks against healthcare providers each week have been commonplace, this is the first time we have seen six hospitals targeted in the same day by the same ransomware actor.”
An earlier ransomware attack in September targeted 250 healthcare facilities operated by Universal Health Services Inc. (UHS). A clinician at one facility reported “a high-anxiety scramble” where “medical staff could not easily see clinical laboratory results, imaging scans, medication lists, and other critical pieces of information doctors rely on to make decisions,” AP reported.
Outside of the US, a similar ransomware attack in October at a hospital in Düsseldorf, Germany, prompted a homicide investigation by German authorities after the death of a patient being transferred to another facility was linked to the attack, the BBC reported.
CISA, FBI, HHS, Advise Against Paying Ransoms
To deal with the ransomware attacks, CISA, FBI, and HHS advise against paying ransoms. “Payment does not guarantee files will be recovered,” the advisory states. “It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.” The federal agencies advise organizations to take preventive measures and adopt plans for coping with attacks.
The advisory suggests:
Training programs for employees, including raising awareness about ransomware and phishing scams. Organizations should “ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.”
Regular backups of data and software. These should be “maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups.” Personnel should also test the backups.
Continuity plans in case information systems are not accessible. For example, organizations should maintain “hard copies of digital information that would be required for critical patient healthcare.”
“Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations,” the advisory states. “Evaluating continuity and capability will help identify continuity gaps. Through identifying and addressing these gaps, organizations can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies.”
Dark Daily Publisher and Editor-in-Chief, Robert Michel, suggests that clinical laboratories and anatomic pathology groups should have their cyberdefenses assessed by security experts. “This is particularly true because the technologies and methods used by hackers change rapidly,” he said, “and if their laboratory information systems have not been assessed in the past year, then this proactive assessment could be the best insurance against an expensive ransomware attack a lab can purchase.”
Schwan’s concerns about inaccurate or unreliable COVID-19 serology tests were supported when the FDA issued more restrictive rules for these medical laboratory tests on May 4
During a conference call with investors about the company’s first-quarter results, Schwan said of the recently-launched COVID-19 antibody assays, “These tests are not worth anything, or have very little use,” according to reporting from Reuters and other publications. “Some of these companies, I tell you, this is ethically very questionable to get out with this stuff.”
On May 3, Roche announced that its own Elecsys Anti-SARS-CoV-2 antibody test for SARS-CoV-2, the coronavirus that causes the COVID-19 illness, had obtained an emergency use authorization (EUA) from the federal Food and Drug Administration (FDA). In its news release, Roche stated that “the serology test has a specificity greater than 99.8% and sensitivity of 100% (14 days post-PCR confirmation).”
In a separate interview with Bloomberg, Schwan said about antibody testing, “It is very important to pick the right test and then to validate those tests with enough patients.” He then returned to the issue of poor quality in some antibody tests for the SARS-CoV-2 virus, saying, “Unfortunately, there are a number of tests already out there in the market which are not reliable simply because they haven’t been tested sufficiently.”
A ‘Wild West’ of Unregulated Assays
Prior to issuing tougher rules for how a manufacturer can market a COVID-19 serological test, the FDA had listed about 200 serological tests designed to identify antibodies produced by the human immune system in response to a SARS-CoV-2 infection. This is the process of seroconversion, which is the development of detectable antibodies in a patient’s blood against a pathogen. Detection of IgG antibodies indicates exposure to SARS-CoV-2, according to ARUP Laboratories.
Public health experts have raised questions about the proliferation of such tests for the new coronavirus. Under the FDA’s previous March 16 rules—which were more relaxed than those FDA applied when granting EUAs—the agency was swamped with requests to review more than 200 COVID-19 antibody tests. The looser regulations resulted in nearly no oversight of those tests, reported the Associated Press (AP).
In comments to the AP, Eric Blank, DrPH, Senior Director of Public Health Systems and Programs for the Association for Public Health Laboratories (APHL), said, “Right now it’s a wild west show out there. It really has created a mess that’s going to take a while to clean up.”
“In the meantime,” Blank added, “you’ve got a lot of companies marketing a lot of stuff and nobody has any idea of how good it is.” Blank confirmed to Dark Daily that he made these comments and stands by them.
Calls for Closer Scrutiny of Serological Antibody Tests
In response to the FDA’s March 16 rules for COVID-19 serology tests, APHL requested the federal agency to review its looser approach to reviewing these tests. The impact of the FDA’s much tougher COVID-19 serological testing rules released on May 4 was immediate.
In a press release issued on May 2, the FDA said, “to date, the FDA has authorized 105 tests under EUAs, which include 92 molecular tests, 12 antibody tests, and one antigen test.”
Clinical laboratories in the United States still face difficult challenges if they plan to launch their own COVID-19 serology testing programs. They must select one or more tests from among the antibody and antigen tests that have an FDA EUA. However, data for each of these tests is not as comprehensive as is the data for diagnostic test kits reviewed by the FDA and cleared for market under the pre-market approval process.
This webinar was conducted by James O. Westgard, PhD, and Sten Westgard of Westgard QC, Inc., and the full program is available for free download by clicking here, or by placing this URL in your web browser: https://www.darkdaily.com/webinar/quality-issues-your-clinical-laboratory-should-know-before-you-buy-or-select-covid-19-serology-tests/.
In the webinar recording, the Westgards provide a detailed overview of what elements are required for a clinical lab to have confidence that its COVID-19 serology testing program is producing accurate, reliable results. They explain that labs must understand the unique aspects of the populations they are testing in their communities. All of these factors can then be used by labs to evaluate the different COVID-19 serology tests available for them to purchase, and to select the test that best fits their lab’s capabilities and the characteristics of the patient population that will be tested.
Another important requirement for clinical laboratories to understand is the list of steps necessary to bring up a COVID-19 serological testing program. That starts with validating the test, then bringing it into daily production. As that happens, issues associated with quality control (QC), proficiency testing (PT), and regulatory compliance take center stage, so that the clinical lab has high confidence in the accuracy and reproducibility of the COVID-19 serology test results they are using in patient care or in support of employers who are screening employees for COVID-19.
To register for the June 11 webinar, click here, or place this URL in your web browser: https://www.darkdaily.com/webinar/achieving-high-confidence-levels-in-the-quality-and-accuracy-of-your-clinical-labs-chosen-covid-19-serology-tests/.
New COVID-19 Intelligence from Dark Daily
Announcing Dark Daily’s new COVID-19 STAT Intelligence Briefings! This free service for clinical laboratories, anatomic pathology groups, and diagnostics companies features:
daily breaking news,
business intelligence, and
innovations that clinical labs are using to respond to the COVID-19 pandemic.
This critical information includes effective ways labs can restore their cash flow to pre-pandemic levels and get test claims paid by government and private payers.
One popular feature is the COVID-19 Live! conference calls that happen every Tuesday and Thursday for 30 minutes at 1 PM, EDT. Visit the COVID-19 STAT Intelligence Briefings website and join us for the live calls.
This rural health system has nearly a decade of experience offering cash-only package pricing for medical services including, most recently, inpatient stays
While healthcare networks and hospital organizations nationwide argued over pricing transparency, Pomerene Hospital in Millersburg, Ohio, embraced the concept. The not-for-profit hospital developed packages of care that include “one all-inclusive price for tests, procedures, and episodes of care, rather than a lengthy list of itemized charges that didn’t even include professional fees” for its self-paying customers, Modern Healthcare reported.
A companion proposed rule (CMS‑9915‑P) will, if passed, require health plans and healthcare insurers to disclose covered healthcare costs to customers upon request, including “an estimate of such individual’s cost-sharing liability for covered items or services furnished by a particular provider.”
These rules have created a firestorm of controversy. Hospital systems and healthcare organizations like the American Hospital Association (AHA) argue that revealing payer-negotiated rates will undermine health networks’ negotiating power with insurers and increase hospital prices.
They may be right. But that hasn’t stopped one health network in rural Ohio from providing a blueprint on price transparency that could be a model for the rest of the nation—at least for one segment of its customer base.
Bundled Care Packages Increase Revenues at Pomerene
Pomerene is a not-for-profit healthcare provider established in 1919. Originally, the tiny hospital had “a six bed women’s ward, a three bed men’s ward, six private rooms, a three bed OB ward, and a nursery with five cribs. There were ten physicians on staff,” notes the hospital’s website.
Today, Pomerene has more than 325 employees, 80 physicians, and 55 licensed beds. The hospital has 30 departments on three floors and is one of the largest employers in Holmes County.
Pomerene has developed bundled care packages for more than 300 services—including inpatient care—for Amish and Anabaptist patients, as well as any other self-pay patients who pay their bills in full at the time of service, Modern Healthcare reported.
The initiative came in response to concerns raised by the area’s Amish and Anabaptist communities, which make up roughly 40% of the county’s population. They do not use commercial health insurance. Instead, they pay their medical bills out of pocket, and when they are unable to pay for medical services, benefit actions and church support fill the financial gaps.
Church members asked Pomerene for guaranteed bundled pricing. They did not want the uncertainty of hospital bills that might include lists of itemized charges, but not professional fees and other potential costs.
“We have our own healthcare,” a retired Amish carpenter (who asked that his name not be used) told Reuters. “They (hospitals) give you a bill. If you can’t pay it, your church will.”
Both religious groups also value thriftiness and are known to be fierce negotiators. In recent years, they lobbied Pomerene Hospital to include inpatient care in its all-inclusive pricing structure.
“We assume a certain level of risk with this financial arrangement,” Pomerene Hospital CEO Jason Justus, who at the time was Pomerene’s Chief Financial Officer, told Modern Healthcare. “But it’s about saying what we’ll do and doing what we say. That builds a great deal of trust in the community.” Justus took over as CEO in July, 2019, reported The Daily Record.
In total, nearly one-quarter of the hospital’s patient revenue comes from bundled-service packages, with 3,387 packages provided last year, Modern Healthcare reported. In 2018, Pomerene brought in $36,971,931 in operating revenue, according to Modern Healthcare Metrics.
Bundled Payments Drive Innovation
Bundled payments also have forced hospital administrators and staff at Pomerene to find innovative ways to cut costs by shortening patient stays. For example, Modern Healthcare reported that the length of hospital stay for childbirth, which at the time averaged two-to-four days, dropped to 24 hours after the hospital created a 24-hour package for obstetrical deliveries. Within 18 months, 80% of childbirth cases fit the 24-hour model.
“Here is free market economics at work,” said Robert Michel, Dark Daily’s Editor-in-Chief. “This hospital understands that it must meet the needs of this unique group of patients with good service and quality at a fair price. That understanding comes with an incentive for the hospital’s staff to identify and implement innovations to cut costs while improving quality.”
However, Pomerene Hospital’s policy of disclosing prices to patients in advance of services remains uncommon in the healthcare industry. “Outside of Medicare, bundled pricing is rare-to-nonexistent among full-service US hospitals, most of which say they don’t know their actual costs for providing care and, therefore, can’t offer such prices,” Modern Healthcare stated.
For competitive reasons, Pomerene does not publicly post its package prices and only prospective cash-paying patients are provided the cost breakdowns. That will most likely change following enactment of the CMS final rule.
Other Health Systems That Bundled Prices
Though Pomerene does not share its price-packaging methods with other hospitals, its track record for attracting cash-paying patients made it an example to other hospitals serving similar religious communities.
The Medical Center at Scottsville in Kentucky followed Pomerene’s lead and discounted cash prices—paid upfront or before discharge—by 25% for 300 medical services, including childbirth and common surgical procedures. This was to attract the area’s Mennonite population, noted Quartz magazine.
“I will tell you they are very conscientious about cost. They are very business-savvy and will shop around,” Eric Hagan, Regional Vice President of Operations at Med Center Health and Administrator of the Medical Center at Scottsville, told Quartz.
Will Americans as a whole be just as eager to shop for medical services? The answer to that question may determine whether increased price transparency throughout healthcare, including clinical laboratory testing and anatomic pathology services, results in lowering their healthcare costs.
Challenges getting paid likely to continue as high deductibles make patients responsible for paying much more of their healthcare bills
Rising out-of-pocket costs for healthcare consumers are translating into increasing amounts of red ink for hospitals and healthcare providers struggling to collect bills from patients with high-deductible health plans (HDHPs). Clinical laboratories and pathology groups are unlikely to be immune from these challenges, as increasing numbers of patients with smaller healthcare debts also are failing to pay their bills in full.
That’s according to a recent TransUnion Healthcare analysis of patient data from across the country. It revealed that 99% of hospital bills of $3,000 or more were not paid in full by the end of 2016. For bills under $500, more than two-thirds of patients (68%) didn’t pay the full balance by year’s end (an increase from 53% in 2015 and 49% in 2014). The study also revealed that the percentage of patients that have made partial payments toward their hospital bills has fallen dramatically from nearly 90% in 2015 to 77% in 2016.
Increased Patient Responsibility Causing Decrease in Patient Payments
“The shift in healthcare payments has been taking place for well over a decade, but we are seeing more pronounced changes in how hospital bills are paid during just the last few years,” Jonathan Wilk, Principal for Healthcare Revenue Cycle Management at TransUnion (NYSE:TRU), said in a statement.
Millions of Americans are in high-deductible health plans. And, as the graphic above illustrates, that number has been increasing since the ACA was signed into law in 2010. (Graphic copyright: Reuters.)
While the Affordable Care Act (ACA) has increased the number of Americans receiving medical coverage through Medicaid or commercial insurance, TransUnion noted in its statement that hospitals still wrote off roughly $35.7 billion in bad debt in 2015. By 2020, TransUnion predicts that figure will continue to rise, with an estimated 95% of patients unable to pay their healthcare bills in full by the start of the next decade.
“Higher deductibles and the increase in patient responsibility are causing a decrease in patient payments to providers for patient care services rendered. While uncompensated care has declined, it appears to be primarily due to the increased number of individuals with Medicaid and commercial insurance coverage,” John Yount, Vice President for Healthcare Products at TransUnion, said in the TransUnion statement.
Collecting Patients’ Out-of-Pocket Costs Upfront
According to Reuters, hospitals in states that did not expand Medicaid under Obamacare have witnessed a more than 14% increase in unpaid bills as the number of people using health plans with high out-of-pocket costs increased. For hospitals in those states, HDHPs are impacting their bottom lines.
“It feels like a sucker punch,” declared Chief Executive Officer John Henderson of Childress Regional Medical Center, Texas Panhandle Region, in a Bloomberg Business article. “When someone has a really high deductible, effectively they’re still uninsured, and most people in Childress don’t have $5,000 lying around to pay their bills.”
A recent report from payment network InstaMed found that 72% of healthcare providers reported an increase in patient financial responsibility in 2016, a trend that coincides with a rise in the average deductible for a single worker to $1,478, more than double the $735 total in 2010.
In response to the increase in patient responsibility, hospitals and other providers are turning to new tactics for collecting money directly from patients, including estimating patients’ out-of-pocket payments and collecting those amounts upfront.
“Hospitals have gotten much more aggressive in trying to collect at time of service, because their ability to collect on self-pay amounts decreases significantly when the patient leaves the building,” Arquilla noted. “You can’t say, ‘Give me your credit card’ to someone in the emergency room bleeding from a gunshot wound, but you can to someone going in for an elective procedure.”
Revenue loss due to unpaid medical bills among states that complied with Medicaid Expansion under the ACA has increased so dramatically, some hospitals are now offering patients prepayment discounts and no-interest loans to ensure payments. Clinical laboratories and anatomic pathology groups should develop strategies to respond to the increased collections from patients at the time of service. (Graphic copyright: Reuters.)
Richard Gundling, a Senior Vice President at the Healthcare Financial Management Association (HFMA), told Kaiser Health News that an estimated 75% of healthcare and hospital systems now ask for payment at the time services are provided. To soften the blow, some healthcare systems are providing patients with a range of payment options, from prepayment discounts to no-interest loans.
Novant Health, headquartered in North Carolina, is among those healthcare systems offering patients new payment strategies. Offering no-interest loans to patients has enabled Novant to lower its patient default rate from 32% to 12%.
“To remain financially stable, we had to do something,” April York, Senior Director of Patient Finance at Novant Health, told Reuters. “Patients needed longer to pay. They needed a variety of options.”
Providers Must Adapt to New Patient Procedures
“Doctors need to understand the landscape has changed. A doctor’s primary concern use
While clinical laboratories and anatomic pathology groups traditionally have not collected money directly from patients, Herrick says healthcare providers must accept that the rules of the game have changed. “Patients are more cost-conscious now. That means patients will question their physicians about costs for procedures,” he adds.
Most insurers still determine coverage on a case-by-case basis, but two major payers now have coverage policies that are helpful to clinical labs that perform WES
This is due to two reasons. First, researchers are identifying new ways to use whole exome sequencing to improve patient care. Second, the cost of whole genome sequencing continues to fall at a steady rate, making it ever more affordable to use in clinical settings.
As recently as 2009, WES was prohibitively expensive and there was little possibility that insurers would cover the cost of the test, as it was considered experimental. Now, however, evidence is mounting that it is an effective diagnostic tool. Therefore, more payers are announcing coverage for WES for an expanding number of diagnostic purposes.