Sophisticated cyberattacks have already hit hospitals and healthcare networks in Oregon, California, New York, Vermont, and other states
Attention medical laboratory managers and pathology group administrators: It’s time to ramp up your cyberdefenses. The FBI, the federal Department of Health and Human Services (HHS), and the federal Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory (AA20-302A) warning US hospitals, clinical laboratories, and other healthcare providers to prepare for impending ransomware attacks, in which cybercriminals use malware, known as ransomware, to encrypt files on victims’ computers and demand payment to restore access.
The joint advisory, titled, “Ransomware Activity Targeting the Healthcare and Public Health Sector,” states, “CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.” It includes technical details about the threat—which uses a type of ransomware known as Ryuk—and suggests best practices for preventing and handling attacks.
In his KrebsOnSecurity blog post, titled, “FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals,” former Washington Post reporter, Brian Krebs, wrote, “On Monday, Oct. 26, KrebsOnSecurity began following up on a tip from a reliable source that an aggressive Russian cybercriminal gang known for deploying ransomware was preparing to disrupt information technology systems at hundreds of hospitals, clinics, and medical care facilities across the United States. Today, officials from the FBI and the US Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an ‘imminent cybercrime threat to US hospitals and healthcare providers.’”
Krebs went on to reported that the threat is linked to a notorious cybercriminal gang known as UNC1878, which planned to launch the attacks against 400 healthcare facilities.
Clinical Labs, Pathology Groups at Risk Because of the Patient Data They Keep
Hackers initially gain access to organizations’ computer systems through phishing campaigns, in which users receive emails “that contain either links to malicious websites that host the malware or attachments with the malware,” the advisory states. Krebs noted that the attacks are “often unique to each victim, including everything from the Microsoft Windows executable files that get dropped on the infected hosts to the so-called ‘command and control’ servers used to transmit data between and among compromised systems.”
Charles Carmakal, SVP and Chief Technology Officer of cybersecurity firm Mandiant told Reuters, “UNC1878 is one of the most brazen, heartless, and disruptive threat actors I’ve observed over my career,” adding, “Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline.”
Multiple Healthcare Provider Networks Under Attack
Hospitals in Oregon, California, and New York have already been hit by the attacks, Reuters reported. “We can still watch vitals and getting imaging done, but all results are being communicated via paper only,” a doctor at one facility told Reuters, which reported that “staff could see historic records but not update those files.”
Some of the hospitals that have reportedly experienced cyberattacks include:
In October, the Associated Press (AP) reported that a recent cyberattack disrupted computer systems at six hospitals in the University of Vermont (UVM) Health Network. The FBI would not comment on whether that attack involved ransomware, however, it forced the UVM Medical Center to shut down its computer system and reschedule elective procedures.
Threat intelligence analyst Allan Liska of US cybersecurity firm Recorded Future told Reuters, “This appears to have been a coordinated attack designed to disrupt hospitals specifically all around the country.”
He added, “While multiple ransomware attacks against healthcare providers each week have been commonplace, this is the first time we have seen six hospitals targeted in the same day by the same ransomware actor.”
An earlier ransomware attack in September targeted 250 healthcare facilities operated by Universal Health Services Inc. (UHS). A clinician at one facility reported “a high-anxiety scramble” where “medical staff could not easily see clinical laboratory results, imaging scans, medication lists, and other critical pieces of information doctors rely on to make decisions,” AP reported.
Outside of the US, a similar ransomware attack in October at a hospital in Düsseldorf, Germany, prompted a homicide investigation by German authorities after the death of a patient being transferred to another facility was linked to the attack, the BBC reported.
CISA, FBI, HHS, Advise Against Paying Ransoms
To deal with the ransomware attacks, CISA, FBI, and HHS advise against paying ransoms. “Payment does not guarantee files will be recovered,” the advisory states. “It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.” The federal agencies advise organizations to take preventive measures and adopt plans for coping with attacks.
The advisory suggests:
Training programs for employees, including raising awareness about ransomware and phishing scams. Organizations should “ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.”
Regular backups of data and software. These should be “maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups.” Personnel should also test the backups.
Continuity plans in case information systems are not accessible. For example, organizations should maintain “hard copies of digital information that would be required for critical patient healthcare.”
“Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations,” the advisory states. “Evaluating continuity and capability will help identify continuity gaps. Through identifying and addressing these gaps, organizations can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies.”
Dark Daily Publisher and Editor-in-Chief, Robert Michel, suggests that clinical laboratories and anatomic pathology groups should have their cyberdefenses assessed by security experts. “This is particularly true because the technologies and methods used by hackers change rapidly,” he said, “and if their laboratory information systems have not been assessed in the past year, then this proactive assessment could be the best insurance against an expensive ransomware attack a lab can purchase.”
Clinical laboratory leaders interested in positioning their labs to be paid for added-value services will get knowledge, insights, and more at upcoming third annual Clinical Lab 2.0 Workshop in November
It’s a critical time for medical laboratories. Healthcare is transitioning from a fee-for-service payment system to new value-based payment models, creating disruption and instability in the clinical lab test market. In addition, payers are cutting reimbursement for many lab tests.
These are among the market factors leading some pathologists
and clinical lab leaders to seek new or alternative sources of revenue to keep
the lights on and the machines running in their laboratories. Some might say,
it’s a dark time for the lab industry.
“This is not the time to be shy or timid,” he declared. “The
quantitative value of medical laboratory domain is significant and will be lost
if not exploited or leveraged.”
Shotorbani has reason to be positive. In recent years the Project Santa Fe Foundation (PSFF) has emerged to advocate for, and teach, the Clinical Lab 2.0 model. Clinical Lab 2.0 is an approach which focuses on longitudinal clinical laboratory data to augment population health in new payment arrangements.
Earlier this year, PSFF filed for 501(c) status, according to a news release. It is now positioned as a nonprofit organization, guided by a board of directors whose mission is “to create a disruptive value paradigm and alternative payment model that defines placement of diagnostic services in healthcare.”
Progressing Toward Clinical Lab 2.0
At the 24th Annual Executive War College on Lab and Pathology Management held in New Orleans last May, the nation’s first ever Clinical Lab 2.0 “Shark Tank” competition was won by Aspenti Health, a full-service diagnostic laboratory specializing in toxicology screening.
“This project, as well as all of the other cases that were presented, were quite strong and all were aligned with the mission of the Clinical Lab 2.0 movement,” said Shotorbani, in a news release. “This movement transforms the analytic results from a laboratory into actionable intelligence at the patient visit in partnership with front-liners and clinicians—allowing for identification of patient risks—and arming providers with insights to guide therapeutic interventions.
“Further, it reduces the administrative burden on providers by collecting SDH [social determinants of health] predictors in advance and tying them to outcomes of interest,” he continued. “By bringing SDH predictors to the office visit, it enables providers to engage in SDH without relying on their own data collection—a current care gap in many practices. The lab becomes a catalyst helping to manage the population we serve.”
Aspenti Health’s Shark Tank entry, “Integration of the Clinical Laboratory and Social Determinants of Health in the Management of Substance Use,” focused on the social factors tied to the co-use of opioids and benzodiazepines, a combination that puts patients at higher risk of drug-related overdose or death.
The project revealed that the top-two predictors of co-use
were the prescribing provider practice and the patient’s age.
“They did an interesting thing—what clinical laboratories
alone cannot do—the predictive value of lab test data mapped by zip code for
patients admitted in partnership with social determinants of health. This helps
to create delivery models to potentially help prevent opioid overdose,” said
Shotorbani, who sees economic implications for chronic conditions.
“If clinical laboratories have that ability to do that in
acute conditions such as opioid overdose, what is our opportunity to use lab test
data in chronic conditions, such as diabetes? The cost of healthcare is in
chronic conditions, and that is where clinical lab data has an essential role—to
support early detection and early prevention,” he added.
Clinical Laboratory Data is Health Business Data
One clinical laboratory working toward that opportunity is TriCore Reference Laboratories in Albuquerque, N.M. It recently launched Diagnostic Optimization with the goal of improving the health of their communities.
“TriCore turned to this business model,” Shotorbani
explained. “It is actively pursuing the strategy of intervention, prevention,
and cost avoidance. TriCore is in conversation with health plans on how its lab
test data and other data sets can be combined and analyzed to risk-stratify a
population and to identify care gaps and assist in closing gaps.
“Further, TriCore is identifying high-risk patients early
before they are admitted to hospitals and ERs—the whole notion of facilitating
intervention between the healthcare provider and the potential person who may
get sick,” he added. “These are no longer theoretical goals. They are
realizations. Now the challenge is for Project Santa Fe to help other lab
organizations develop similar value-added collaborations in their communities.”
Renee Ennis, TriCore’s Chief Financial Officer, told American Healthcare Leader, “Women go in (to an ER) for some condition, and the lab finds out they are pregnant before anyone else,” she said, adding that TriCore reaches out to insurers who can offer care coordinators for prenatal services.
“There is definitely a movement within the industry in this
direction [of Clinical Lab 2.0],” she added. “But others might not be moving as
quickly as we are. As a leader in this transition, I think a lot of eyes are on
what we are doing and how we are doing it.”
Why Don’t More Lab Leaders Move Their Labs to Clinical
Lab 2.0?
So, what holds labs back from pursing Clinical Lab 2.0?
Shotorbani pointed to a couple of possibilities:
A lab’s traditional focus on volume while not
developing partnerships (such as with pharmacy colleagues) inside the
organization; and
Limited longitudinal data due to a provider’s
sale of lab outreach services or outsourcing the lab.
“The whole notion of Clinical Lab 2.0 is basically connecting the longitudinal data—the Holy Grail of lab medicine. That is the business model. Without the longitudinal view, the ability to become a Clinical Lab 2.0 is extremely limited,” added Shotorbani.
New Clinical Lab 2.0 Workshop Focuses on Critical ‘Pillars’
Project Santa Fe Foundation will host the Third Annual Clinical Lab. 2.0 Workshop in Chicago on November 3-5. New this year are sessions aligned with Clinical Lab 2.0 “pillars” of leadership, standards, and evidence. The conference will feature panels addressing:
C-suite Drivers: moderated by Mark Dixon, President of The Mark Dixon Group;
Vermont-based clinical laboratory company integrates social determinants of health (SDH) with lab data to help doctors at University of Vermont Health Network better manage their opioid patients
“We are thrilled to be recognized for our work serving the unique
needs of substance use healthcare. And, most importantly, across our
organization for our unyielding commitment to employing innovations to solve
this [opioid] crisis,” Aspenti Health CEO
Chris Powell stated in the news release.
The projects were judged on Clinical Lab 2.0 attributes,
such as:
Risk stratification by population;
Closure of care gaps;
Lab results as early detection; and
Lab intervention for improved clinical outcomes.
“This project, as well as all of the other cases that were
presented, were quite strong and all were aligned with the mission of the
Clinical Lab 2.0 Movement,” said Khosrow
R. Shotorbani, President, Executive Director, Project Santa Fe Foundation,
in a news
release. “This movement transforms the analytic results from a laboratory
into actionable intelligence at the patient visit in partnership with
front-liners and clinicians—allowing for identification of patient risks—and
arming providers with insights to guide therapeutic interventions.
“Further, it reduces the administrative burden on providers
by collecting SDH [social determinants
of health] predictors in advance and tying them to outcomes of interest,”
continued Shotorbani. “By bringing SDH predictors to the office visit, it
enables providers to engage in SDH without relying on their own data collection—a
current care gap in many practices. The lab becomes a catalyst helping to
manage the population we serve.”
Co-Use of Opioids Tied to Social Factors
Aspenti Health’s “Shark Tank” entry—“Integration of the
Clinical Laboratory and Social Determinants of Health in the Management of
Substance Use”—focused on the social factors tied to the co-use of opioids and benzodiazepines, a
combination that puts patients at higher risk of drug-related overdose or death.
The project revealed the top two predictors of co-use were the:
Prescribing provider practice, and the
Patient’s age.
Myra L.
Wilkerson, MD, who served on a three-judge panel tasked with selecting the
winning project, said the Vermont toxicology laboratory’s entry stood out in
two key areas.
“We felt their project had an application to a broader
population, but also moved beyond traditional [laboratory] functions or even
medicine,” explains Wilkerson, who is Chair of the Diagnostic
Medicine Institute for the Geisinger
Health System. “Patient advocacy groups, payers, and providers all have
come to realize you can identify a disease, you can provide a treatment, but so
many other things impact it, especially in this community. When it is an
addiction, there are so many other factors that play into whether or not they
are going to be successful in their treatment plan. And a lot of them are
social things.”
Educating Care Givers and Public on Dangers of Co-Use
Drug Addictions
Working in collaboration with Staple Health and the University of Vermont Health
Network, Aspenti selected “co-use” for this initial lab outcome study because
of the significant patient safety implications and relative simplicity of its
definition—the co-presence of positive laboratory results for both opioids and
benzodiazepines.
According to the National
Institute on Drug Abuse, more than 30% of overdoses involving opioids also
involve benzodiazepines. Aspenti’s “Shark Tank” presentation highlighted the
fact that co-use of the drugs accounts for nearly 2.5% of opioid-related
emergency department visits, costing the healthcare system an estimated $47.5
million per year.
Based on the study results, Aspenti Health plans to develop
educational programs that warn about the dangers of co-using opioids and
benzodiazepines.
“We identified geographically hotspots where co-use was more
prevalent, so we can target our educational initiatives centered on those
geographical locations—not just to providers, but also to families and patients—to
raise awareness about co-use so the risks are mitigated collectively,” Warrington
said.
Advancing the Value-based Healthcare Agenda
The Executive War College Clinical Lab 2.0 “Shark Tank”
advances a conversation about the lab industry’s future that began at the
inaugural 2016
Project Santa Fe meeting. Lab industry stakeholders brainstormed about the
transition from volume-based to value-based healthcare, and the role
laboratory-driven innovations could play in reducing total cost of care.
As healthcare shifts to a value-based reimbursement model,
Wilkerson believes laboratory leaders must re-engineer their role in the
continuum of care by creating meaningful clinical diagnostic insights for population health
initiatives.
“What’s your executive leadership concerned about? What are
your payers concerned about? What are your accrediting or regulatory bodies
concerned about? What are their top priorities and how can you do something
that improves patient care but helps them address their problems as well?” she asks.
“That’s where you create value.”
As the Clinical Lab 2.0 Innovation Award winner, Aspenti Health
will receive:
An invitation to speak at national lab
conferences this fall;
A consultation with a Project Santa Fe member lab
to discuss successful Clinical Lab 2.0 innovations and identify new ways to
deliver more value in patient care; and
Publication of a case study of their Clinical
Lab 2.0 project by Dark Daily or its sister publication The Dark
Report.
With labs in Vermont and Massachusetts, Aspenti continues to
identify opportunities for directly contributing to improvements in the care of
substance abuse and pain management patients. Warrington says that with its SDH
project, Aspenti plans to focus on other key laboratory outcome measures—such
as treatment adherence and relapse. Next steps include integrating this work
into the practices of partner doctors within the University of Vermont Health
Network.
Wilkerson’s advice to other clinical laboratories is to
follow Aspenti Health’s lead.
“When you look at the national trends, the percentage of
traditional fee-for-service or volume-based healthcare is going to go down to
25% of the total healthcare spend by 2021,” she points out. “The other 75% will
be based on value-added services around quality metrics, efficiency, cost
reduction, utilization, etc. Labs that aren’t starting to think this way now
are going to be behind and at risk in the future.”
If this medical imaging collaborative develops a way to use the unstructured data in radiology images and anatomic pathology reports, it could create a new revenue stream for pathologists
Unstructured data has been regularly recognized as one Achilles heel for the anatomic pathology profession. It means invaluable information about the cancers and other diseases diagnosed by surgical pathologists are “locked up,” making it difficult for this information to be accessed in efforts to advance population health management (PHM) or conduct clinical studies.
Similarly, medical imaging has an essential role in the diagnosis of cancer and other diseases. And, like most anatomic pathology reports, medical imaging also is considered to be “unstructured” by data experts because it is not easily accessible by computers, reported Fortune magazine.
Unstructured Data in Anatomic Pathology and Radiology
Now one of the world’s largest information technology companies wants to tackle the challenge of unstructured data in radiology images. IBM (NYSE: IBM) Watson Health launched a global initiative involving 16 health systems, radiology providers, and imaging technology companies.
The Watson Health medical imaging collaborative is working to apply cognitive computing of radiology images to clinical practice. IBM aims to transform how physicians use radiology images to diagnose and monitor patients. (more…)