Study found highest incidences of occupational carcinogenesis among clinical laboratory and histology technicians, followed by pathologists
It has been known for years that formalin (a form of formaldehyde used as a disinfectant and preservative in the handling of tissue samples in anatomy, pathology, and microbiology labs), as well as xylene and toluene, are dangerous to clinical laboratory workers. Nations around the world have taken steps to minimize exposure to these dangerous chemicals. However, a recent study in Iran found that those measures may not have gone far enough to protect histology and clinical laboratory technicians, pathologists, and medical laboratory scientists.
The study, conducted by researchers in the Department of Occupational Health Engineering, School of Public Health, at Tehran University of Medical Sciences, showed that levels of exposure to these chemicals are still significantly higher than recommended, resulting in a higher risk for cancer among lab workers in Iran’s hospitals.
“Employing risk assessment techniques as a complementary tool in monitoring programs for respiratory exposure in the different work setting should be considered to protect the staffs against both non-cancerous and cancer-related hazards,” the study authors wrote.
Lessons learned from the Iranian hospital lab study could benefit clinical laboratory workers in US hospitals and help those who work with formaldehyde, toluene, and xylene worldwide to reduce their chances of developing a vascular condition known as Raynaud’s phenomenon (shown above) which can lead to necrosis and gangrene, as well as other dangerous health conditions affecting the lungs, brain, and other systems and organs in the body. (Photo copyright: Wikipedia.)
Study Details
The Iranian study considered the carcinogenic and non-carcinogenic impact of occupational exposure to formaldehyde in the pathology laboratories of four Tehran hospitals. The researchers “used a quantitative risk assessment method proposed by the United States Environmental Protection Agency (EPA), along with its provided database known as the Integrated Risk Information System (IRIS). Respiratory symptoms were assessed using the American Thoracic Society (ATS) questionnaire,” the study authors wrote in Nature Scientific Reports.
The scientists found that “91.23% of exposure levels in occupational groups exceed the NIOSH [National Institute for Occupational Safety and Health] standard of 0.016 ppm.” They determined that “41.03% of all the studied subjects were in the definite carcinogenic risk range (LCR > 10⁻⁴), 23.08% were in the possible carcinogenic risk range (10⁻⁵ < LCR < 10⁻⁴), and 35.90% were in the negligible risk range (LCR < 10⁻⁶),” they wrote.
“The highest index of occupational carcinogenesis was observed in the group of lab technicians with a risk number of 3.7 × 10⁻⁴, followed by pathologists with a risk number of 1.7 × 10⁻⁴,” the scientists wrote. “Furthermore, 23.08% of the studied subjects were within the permitted health risk range (HQ < 1.0), while 76.92% were within the unhealthy risk range (HQ > 1.0),” they added.
“Formaldehyde exhibits high solubility in water and is rapidly absorbed by the nasal cavity, sinuses, throat, and mucous membrane of the upper respiratory tract upon exposure,” the study authors wrote. “Consequently, due to the elevated potential for both carcinogenic and non-carcinogenic formaldehyde exposure among pathology staff—particularly laboratory technicians—the implementation of management measures … becomes imperative to lower the exposure levels of all employees below permissible limits.”
Those management measures include:
“Strict guideline adherence and safe work protocols,
“Increasing staff numbers to decrease exposure duration,
“Adoption of engineering solutions such as localized ventilation systems, and
“Use of respiratory protective equipment during sample handling and tissue processing.”
Previous Reports on Exposure Risk to Clinical Lab Workers
The knowledge of the danger behind these chemicals isn’t new.
In 2017, a pathology lab in Auckland, New Zealand, lost its accreditation because formaldehyde levels were so high the lab had to be evacuated nearly every day, The New Zealand Herald reported.
“In epidemiological studies on industrial workers, pathologists and anatomists, the relationship between exposure to formaldehyde and an increased risk of various types of cancer including nasal cavity, nasopharynx, lung, brain, pancreas, prostate, colon and atopic lymphoma system has been determined,” the Iranian scientists wrote in Nature Scientific Reports.
Call for Stronger Regulations
“The Food and Drug Administration (FDA), the Consumer Product Safety Commission (CPSC), and the Environmental Protection Agency have expressed serious concern about the carcinogenicity of formaldehyde,” the Iranian scientists noted, adding that “the potential carcinogenic risk to humans has been studied in a number of cohort and case-control studies.”
There is room for more studies looking at the health effects of exposure to these chemicals among lab workers, as well as continued evaluation of the risks and preventative measures that could be taken. Perhaps tightened regulations will make their way to US labs, echoing the more stringent ones of the European Union.
“It is imperative to implement control measures across various hospital departments to mitigate occupational formaldehyde exposure levels proactively. These findings can be valuable for policymakers in the health sector, aiding in the elimination or reduction of airborne formaldehyde exposure in work environments,” the Iranian scientists wrote.
Managers of histology and clinical laboratories may find useful advice in hospital laboratory studies like that coming out of Iran. Protecting the health of lab workers worldwide starts with reducing their exposure to deadly chemicals.
Settlement is a reminder to all clinical laboratories that state and federal DOJs and AGs are willing to file actions against genetic testing companies that intentionally mislead the public
California’s Attorney General, in cooperation with the Federal Trade Commission (FTC), announced a recent settlement with CRI Genetics regarding deceptive trade practices. The at-home genetics testing company will have to pay $700,000 in civil penalties and, according to the Santa Monica Daily Press, “will be barred from a wide range of deceptive practices to settle charges from the Federal Trade Commission and the California Attorney General that the company deceived users about the accuracy of its DNA reports.”
Santa Monica, Calif.-based CRI Genetics (CRI), which also does business as OmniPGx, offers DNA saliva-swab test kits that are analyzed by a third-party laboratory to return customers ancestry data, health information, optimal nutritional guidelines, and potential allergies. The company’s website states a guaranteed 8-week turnaround for the kits.
The original complaint against CRI alleged the company used misleading marketing practices by claiming its DNA tests are more accurate and detailed than their competitors, such as Ancestry DNA and 23andMe. CRI also claimed their ancestry data was more than 90% accurate and could determine ancestry dating back 50 generations.
In addition, the company stated its algorithm for matching DNA was patented, which it was not, according to the complaint.
The complaint also alleged the CRI website contained deceitful information and was formatted to appear independent but included inflated reviews and false testimonials.
“CRI Genetics could have found legitimate ways to market its services. Unfortunately, in its pursuit of growth and profits, the company repeatedly misled consumers. The FTC and my office took notice, we investigated, and we are delivering results today,” said California Attorney General Rob Bonta (above) in a press release. (Photo copyright: State of California Department of Justice.)
Alleged Deceptive Business Practices
According to court documents, CRI manipulated customers into purchasing add-on services and forced consumers to click through a myriad of pop-up pages to lure them into purchasing more products. Customers were informed they would have a chance to review their orders before being charged but were immediately billed. Consumers then had to go through a lengthy and often confusing process to obtain refunds for returned items.
“Based on the facts and violations of law alleged in this Complaint, the FTC has reason to believe that Defendant has violated or is about to violate laws enforced by the Commission because, among other things, Defendant engaged in the unlawful conduct over a period of four years, willfully and knowingly, despite having knowledge of hundreds of consumer complaints and refund requests, as well as inquiries by the Better Business Bureau regarding their deceptive practices and only ceased its unlawful activities after the FTC notified Defendant of its pending investigation,” the court filings state.
“Our settlement not only holds CRI Genetics accountable for its past misconduct, it also aims to ensure that CRI Genetics doesn’t engage in similar misconduct going forward,” said California Attorney General Rob Bonta in the press release. “I want to thank our federal counterparts at the FTC for their continued partnership and commitment to ensuring that all businesses play by the same rules.”
In addition to the $700,000 fine, CRI is obligated to change its practices by:
Ceasing to make misrepresentations about its testing and analysis services.
Not using deceptive tactics to sell its products, represent endorsements, or in billing practices.
Accurately disclosing its website billing practices.
Disclosing any sharing or usage of genetic data for purposes besides the services the consumer purchases.
Refraining from offering the sale of any DNA information testing product or service.
“Today’s action continues the FTC’s crackdown on deceptive reviews, dark patterns, and baseless claims around algorithmic solutions,” said Samuel Levine, Director, Bureau of Consumer Protection at the FTC, in the press release. “We are proud to partner with California on this important matter and will continue to carefully scrutinize claims around biometric information technologies.”
This settlement serves as a reminder to all genetic testing firms and clinical laboratories that state and federal Departments of Justice and state Attorneys General are willing to file actions against genetic testing organizations that intentionally mislead the public. It is also useful for lab managers to stay aware of the lengths to which some genetic testing companies will go to deceive consumers and that regulatory agencies are noticing egregious practices.
Only about a third of the hospitals surveyed are in full compliance with giving public access to prices, the watchdog group contends, but the AHA disputes its methodology
It’s been almost four years since the Centers for Medicare and Medicaid Services (CMS) enacted its Hospital Price Transparency rule which requires hospitals—including their medical laboratories—to make their prices available and easily accessible to the public. But according to a 2024 report from PatientRightsAdvocate.org (PRA), just 34.5% of reviewed hospitals are fully compliant with the transparency rule. That’s a slight decrease from the 36% compliance rate the PRA listed in its 2023 report, the watchdog group stated in a blog post.
Released on Feb. 29, this was the group’s sixth semi-annual hospital price transparency report since the CMS rule took effect in 2021.
The rule “requires hospitals to post all prices online, easily accessible and searchable, in the form of (i) a single machine-readable standard charges file for all items, services, and drugs by all payers and all plans, the de-identified minimum and maximum negotiated rates, and all discounted cash prices, as well as (ii) prices for the 300 most common shoppable services either as a consumer-friendly standard charges display listing actual prices or, alternatively, as a price estimator tool,” the report states.
The required viewable prices are to be for, among others, medical imaging, clinical laboratory testing, and outpatient procedures such as colonoscopies.
“With full transparency, consumers can benefit from competition to make informed decisions, protect from overcharges, billing errors, and fraud, and lower their costs,” the report states. “Employer and union plans can use pricing and claims data to improve their plan designs and direct members to lower cost, high-quality facilities. However, continued noncompliance impedes this ability.”
At any time, the US Department of Justice (DOJ) could decide to file charges against a hospital or a clinical laboratory for not posting their prices on their websites in compliance with the federal rule. Such an action by DOJ officials would be to specifically put the entire industry on notice that there will be consequences for non-compliance.
The PRA’s report provides hospitals and clinical laboratories with a reminder that consumer watchdogs are also monitoring compliance.
“Our comprehensive study of 2,000 hospitals indicates nearly two-thirds (65.5%) of hospitals reviewed continue failing to fully comply with the rule, yet the Centers for Medicare and Medicaid Services (CMS) has only fined fourteen hospitals for noncompliance out of the thousands found to not be meeting all of the rule’s requirements. When hospitals don’t post their prices, they can charge whatever they want,” wrote PRA Founder and Chairman Cynthia Fisher (above) in a letter to President Biden. Hospital medical laboratories are also required to post their prices for tests. (Photo copyright: PatientRightsAdvocate.org.)
To compile their report, PRA analysts examined the websites of 2,000 US hospitals between September 3, 2023, and January 13, 2023, and found that 1,311, or 65.5%, were not in full compliance, mostly due to “missing or significantly incomplete pricing data,” the report states.
More than 6,000 licensed hospitals operate in the US, the report notes. The group said it focused on hospitals owned by the largest US health systems.
Among the notable findings:
The 2023 report found that 98% of Kaiser Permanente’s 42 hospitals were in full compliance with the rule, but in the 2024 study, none were compliant because the hospitals began posting multiple files instead of a single file.
In total, 103 hospitals rated as noncompliant in the previous report were found to be compliant in the new analysis. Conversely, 135 hospitals previously rated as compliant were listed as noncompliant in the 2024 report.
The report lauded three hospitals for posting “exemplary files” that were “easily accessible, downloadable, machine-readable, and including all negotiated rates by payer and plan.” Those were Cape Cod Hospital in Hyannis, Mass.; Christus Santa Rosa Medical Center in San Antonio; and UW Health University Hospital in Madison, Wis.
In its discussion of the findings, PRA called on CMS to step up enforcement of the pricing transparency rule. The group also wants the government to close what it describes as the “estimator tool loophole,” which allows hospitals to list non-binding price estimates and price ranges instead of concrete prices.
“Price estimator tools do not achieve the goals of price transparency policy and fundamentally undermine the intent of the regulations,” the PRA’s report contends.
In response to the 2023 PRA report, AHA Group Vice President for Public Policy Molly Smith issued the following statement, “Once again, Patient Rights Advocate has put out a report that blatantly misconstrues, ignores, and mischaracterizes hospitals’ compliance with federal price transparency regulations. The AHA has repeatedly debunked point-by-point Patient Rights Advocate’s intentionally misleading ‘reports’ on price transparency.”
Citing CMS data, Smith said that as of 2022, 70% of US hospitals had complied with two key federal rules:
One requiring hospitals to post machine-readable files with pricing information.
The other mandating a list of prices for at least 300 “shoppable” services.
More than 80% of hospitals had complied with at least one of the rules, she contended in an AHA press release.
Speaking to the New Orleans Times-Picayune, PRA Founder and Chairman Cynthia Fisher said her group performs a more in-depth study of pricing data compared with CMS.
“They did not do a comprehensive review,” she told the publication. “We do a deep dive for full compliance.”
The PRA study came on the heels of a January report from Turquoise Health that offered a rosier assessment of hospital compliance, albeit with different criteria. According to the Turquoise report, as of Dec. 15, 2023:
90.7% of 6,357 US hospitals had posted machine-readable files,
83.1% posted information about negotiated rates, and
77.3% posted cash rates.
The Turquoise Health end-to-end price transparency platform uses a 5-point system to rate the quality of hospitals’ machine-readable files and said that more than 50% scored five stars. Clinical laboratory managers and pathologists may find it timely to review their lab organization’s compliance with this federal price transparency rule.
This comes on top of months of strikes by NZ medical laboratory workers seeking fair pay and safe working conditions
Te Whatu Ora (aka, Health New Zealand, the country’s publicly funded healthcare system) recently ordered health and safety checks at multiple clinical laboratories in 18 districts across the country. This action is the result of safety issues detected after procedural discrepancies were discovered in separate labs.
According to Radio New Zealand (RNZ), Health New Zealand found “significant risks” at some medical laboratories and that “staff at one in Auckland were exposed to toxic fumes, at others two [people] caught typhoid, and delays jeopardized patients’ care.”
“Two lab workers were hospitalized this year after having caught typhoid from samples, one at a private lab in Auckland, and a second at Canterbury Health Laboratories, CHL,” RNZ reported.
A Health New Zealand internal document states there will need to be a “comprehensive” fix to deal with risks present in the island nation’s medical laboratory industry. The assessment states that the organization needs “a more detailed picture of the occupational health and health and safety risks present in our laboratories,” RNZ reported.
“The overall state of the laboratories and the practices they have in place pose an inherited risk from the former DHBs [district health boards] and will likely need a comprehensive approach to addressing significant and/or ongoing risks,” Health New Zealand said in the internal document. “There is growing demand on our laboratories in terms of the volume of the work, which can put pressure on processes, and work is often undertaken in facilities that, over time, may have become not fit for purpose.”
This story is an example of how clinical laboratory staff can be exposed to disease and toxic chemicals when procedures are not diligently followed. It is a reminder to all lab managers that diligence in following protective protocols is imperative.
“Te Whatu Ora is committed to identifying, tracking and mitigating all potential risks and issues within our service until they are fully resolved and no longer identifiable as an issue/risk,” Rachel Haggerty (above), Director, Strategy, Planning and Purchasing, Hospital and Specialist Services, for Health New Zealand told NZ Doctor. Clinical laboratory workers in New Zealand have been striking for fair pay and safe working environments for months. Now, they risk becoming infected by deadly pathogens and chemicals as well. (Photo copyright: NZ Doctor.)
Lab Worker Strikes and Staff Shortages
Community Anatomic Pathology Services in Auckland lost its histology accreditation last year because it was discovered that lab workers were exposed to toxic chemical levels at the facility. In addition, patients were forced to wait weeks for test results from that lab.
The laboratory was also penalized back in 2017 for how substances were handled when formaldehyde levels in excess of the recommended limits were detected.
Bryan Raill, a medical scientist at the Counties Manukau District Health Board, said the laboratory workers union in New Zealand believes staff shortages and lab conditions are contributing to the lab woes. Raill is also president of the medical laboratory workers division of APEX, a specialist union representing more than 4,000 allied, scientific, and technical health professionals throughout New Zealand.
“It’s not only your physical environment, being safe there, but you have to be safe in terms of what you do,” Raill told RNZ.
Raill said the two typhoid infections were a red flag and that Te Whatu Ora needs to do more.
“They’re stepping out of the inertia they’ve been bound, so this is a good thing, but it needs to be a wider thing,” he said.
“They should look at the other health and safety aspect of the workload and the work environment that staff are working under,” Raill explained in an iHeart podcast. “The person who caught typhoid in Christchurch spent four days in ICU, and there had been a workplace exposure to another pathogen two years earlier and the recommendations that came out of that hadn’t been followed. For example, [the lab workers] were not vaccinated against typhoid.”
IT Implementation Delays also to Blame
Along with strikes and staff shortages, clinical laboratories in New Zealand are also dealing with information technology (IT) issues. Technical problems have delayed some needed lab upgrades by more than a year.
In addition, “The impacts of new test, surgeries, and medicines/treatments on pathology services have also historically not been understood well nor accounted for and we are considering a number of options, as outlined in the risk register, to manage this,” said Rachel Haggerty, Director, Strategy, Planning and Purchasing, Hospital and Specialist Services, for Te Whatu Ora.
Future efforts will deal with training of lab personnel and focus on ventilation and hazardous substance management.
Dark Daily has reported extensively on the ongoing problems within New Zealand’s clinical laboratory industry.
Clinical laboratory personnel can be exposed to dangerous diseases and toxic chemicals when procedures are not diligently followed. This latest situation in New Zealand serves as a reminder that following protective protocols is imperative in labs worldwide to protect workers and patients.
Some hospital organizations are pushing back, stating that the new regulations are ‘too rigid’ and interfere with doctors’ treatment of patients
In August, the Biden administration finalized provisions for hospitals to meet specific treatment metrics for all patients with suspected sepsis. Hospitals that fail to meet these requirements risk the potential loss of millions of dollars in Medicare reimbursements annually. This new federal rule did not go over well with some in the hospital industry.
Sepsis kills about 350,000 people every year. One in three people who contract the deadly blood infection in hospitals die, according to the Centers for Disease Control and Prevention (CDC). Thus, the federal government has once again implemented a final rule that requires hospitals, clinical laboratories, and medical providers to take immediate actions to diagnose and treat sepsis patients.
The effort has elicited pushback from several healthcare organizations that say the measure is “too rigid” and “does not allow clinicians flexibility to determine how recommendations should apply to their specific patients,” according to Becker’s Hospital Review.
Perform blood tests within a specific period of time to look for biomarkers in patients that may indicate sepsis, and to
Administer antibiotics within three hours after a possible case is identified.
It also mandates that certain other tests are performed, and intravenous fluids administered, to prevent blood pressure from dipping to dangerously low levels.
“These are core things that everyone should do every time they see a septic patient,” Steven Simpson, MD, Professor of Medicine at the University of Kansas, told Fierce Healthcare. Simpson is also the chairman of the Sepsis Alliance, an advocacy group that works to battle sepsis.
Simpson believes there is enough evidence to prove that the SEP-1 guidelines result in improved patient care and outcomes and should be enforced.
“It is quite clear that this works better than what was present before, which was nothing,” he said. “If the current sepsis mortality rate could be cut by even 5%, we could save a lot of lives. Before, even if you were reporting 0% compliance, you didn’t lose your money. Now you actually have to do it,” Simpson noted.
“We are encouraged by the increased attention to sepsis and support CMS’ creation of a sepsis mortality measure that will encourage hospitals to pay more attention to the full breadth of sepsis care,” Chanu Rhee, MD (above), Infectious Disease/Critical Care Physician and Associate Hospital Epidemiologist at Brigham and Women’s Hospital told Healthcare Finance. The new rule, however, requires doctors and medical laboratories to conduct tests and administer antibiotic treatment sooner than many healthcare providers deem wise. (Photo copyright: Brigham and Women’s Hospital.)
Healthcare Organizations Push Back against Final Rule
“By encouraging the use of broad spectrum antibiotics when more targeted ones will suffice, this measure promotes the overuse of the antibiotics that are our last line of defense against drug-resistant bacteria,” the AHA’s letter states.
In its recent coverage of the healthcare organizations’ pushback to CMS’ final rule, Healthcare Finance News explained, “The SEP-1 measure requires clinicians to provide a bundle of care to all patients with possible sepsis within three hours of recognition. … But the SEP-1 measure doesn’t take into account that many serious conditions present in a similar fashion to sepsis … Pushing clinicians to treat all these patients as if they have sepsis … leads to overuse of broad-spectrum antibiotics, which can be harmful to patients who are not infected, those who are infected with viruses rather than bacteria, and those who could safely be treated with narrower-spectrum antibiotics.”
CMS’ latest rule follows the same evolutionary path as previous federal guidelines. In August 2007, CMS announced that Medicare would no longer pay for additional costs associated with preventable errors, including situations known as Never Events. These are “adverse events that are serious, largely preventable, and of concern to both the public and healthcare providers for the purpose of public accountability,” according to the Leapfrog Group.
In 2014, the CDC suggested that all US hospitals have an antibiotic stewardship program (ASP) to measure and improve how antibiotics are prescribed by clinicians and utilized by patients.
Research Does Not Show Federal Sepsis Programs Work
He points to analysis which showed that though use of broad-spectrum antibiotics increased after the original 2015 SEP-1 regulations were introduced, there has been little change to patient outcomes.
“Unfortunately, we do not have good evidence that implementation of the sepsis policy has led to an improvement in sepsis mortality rates,” Rhee told Fierce Healthcare.
Rhee believes that the latest regulations are a step in the right direction, but that more needs to be done for sepsis care. “Retiring past measures and refining future ones will help stimulate new innovations in diagnosis and treatment and ultimately improve outcomes for the many patients affected by sepsis,” he told Healthcare Finance.
Sepsis is very difficult to diagnose quickly and accurately. Delaying treatment could result in serious consequences. But clinical laboratory blood tests for blood infections can take up to three days to produce a result. During that time, a patient could be receiving the wrong antibiotic for the infection, which could lead to worse problems.
The new federal regulation is designed to ensure that patients receive the best care possible when dealing with sepsis and to lower mortality rates in those patients. It remains to be seen if it will have the desired effect.
Clinical laboratories and pathology groups should be on the alert to this new digital threat; telehealth sessions and video conferencing calls are particularly vulnerable to acoustic AI attacks
Banks may be the first to get hit by a new form of hacking because of all the money they hold in deposit accounts, but experts say healthcare providers—including medical laboratories—are comparably lucrative targets because of the value of patient data. The point of this hacking spear is artificial intelligence (AI) with increased capabilities to penetrate digital defenses.
AI is developing rapidly. Are healthcare organizations keeping up? The hackers sure are. An article from GoBankingRates titled, “How Hackers Are Using AI to Steal Your Bank Account Password,” reveals startling new AI capabilities that could enable bad actors to compromise information technology (IT) security and steal from customers’ accounts.
Though the article covers how the AI could conduct cyberattacks on bank information, similar techniques can be employed to gain access to patients’ protected health information (PHI) and clinical laboratory databases as well, putting all healthcare consumers at risk.
The new AI cyberattack employs an acoustic side-channel attack (SCA). An SCA is an attack that exploits information leaking from the physical operation of a computer system. The “acoustic” SCA listens to keystrokes through a computer’s microphone to guess a password with 95% accuracy.
“With recent developments in deep learning, the ubiquity of microphones and the rise in online services via personal devices, acoustic side channel attacks present a greater threat to keyboards than ever,” wrote UK study authors Joshua Harrison, MEng, Durham University; Ehsan Toreini, University of Surrey; and Maryam Mehrnezhad, PhD, University of London.
Hackers could be recording keystrokes during video conferencing calls as well, where an accuracy of 93% is achievable, the authors added.
This nefarious technological advance could spell trouble for healthcare security. Using acoustic SCA attacks, busy healthcare facilities, clinical laboratories, and telehealth appointments could all be potentially compromised.
“The ubiquity of keyboard acoustic emanations makes them not only a readily available attack vector, but also prompts victims to underestimate (and therefore not try to hide) their output,” wrote Joshua Harrison, MEng (above), and his team in their IEEE Xplore paper. “For example, when typing a password, people will regularly hide their screen but will do little to obfuscate their keyboard’s sound.” Since computer keyboards and microphones in healthcare settings like hospitals and clinical laboratories are completely ubiquitous, the risk that this AI technology will be used to invade and steal patients’ protected health information is high. (Photo copyright: CNBC.)
Why Do Hackers Target Healthcare?
Ransomware attacks in healthcare are costly and dangerous. According to InstaMed, a healthcare payments and billing company owned by J.P. Morgan, healthcare data breaches increased to 29.5% in 2021 costing over $9 million. And beyond the financial implications, these attacks put sensitive patient data at risk.
Healthcare can be seen as one of the most desirable markets for hackers seeking sensitive information. As InstaMed points out, credit card hacks are usually quickly figured out and stopped. However, “medical records can contain multiple pieces of personally identifiable information. Additionally, breaches that expose this type of data typically take longer to uncover and are harder for an organization to determine in magnitude.”
With AI advancing at such a high rate, healthcare organizations may be unable to adapt older network systems quickly—leaving them vulnerable.
“Legacy devices have been an issue for a while now,” Alexandra Murdoch, medical data analyst at GlobalData PLC, told Medical Device Network. “Usually big medical devices, such as imaging equipment or MRI machines are really expensive and so hospitals do not replace them often. So as a result, we have in the network these old devices that can’t really be updated, and because they can’t be updated, they can’t be protected.”
But telehealth, according to the UK researchers, may also be one way hackers get past safeguards and into critical hospital systems.
“When trained on keystrokes recorded using the video-conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium. Our results prove the practicality of these side channel attacks via off-the-shelf equipment and algorithms,” the UK researchers wrote in IEEE Xplore.
“[AI] has worrying implications for the medical industry, as more and more appointments go virtual, the implications of deepfakes is a bit concerning if you only interact with a doctor over a Teams or a Zoom call,” David Higgins, Senior Director at information security company CyberArk, told Medical Device Network.
Higgins elaborated on why healthcare is a highly targeted industry for hackers.
“For a credit card record, you are looking at a cost of one to two dollars, but for a medical record, you are talking much more information because the gain for the purposes of social engineering becomes very lucrative. It’s so much easier to launch a ransomware attack, you don’t even need to be a coder, you can just buy ransomware off of the dark web and use it.”
Steps Healthcare Organizations Should Take to Prevent Cyberattacks
Hackers will do whatever they can to get their hands on medical records because stealing them is so lucrative. And this may only be the beginning, Higgins noted.
“I don’t think we are going to see a slowdown in attacks. What we are starting to see is that techniques to make that initial intrusion are becoming more sophisticated and more targeted,” he told Medical Device Network. “Now with things like AI coming into the mix, it’s going to become much harder for the day-to-day individual to spot a malicious email. Generative AI is going to fuel more of that ransomware and sadly it’s going to make it easier for more people to get past that first intrusion stage.”
To combat these attacks, patient data needs to be encrypted, devices updated, and medical staff well-trained to spot cyberattacks before they get out of hand. These SCA attacks on bank accounts could be easily transferable to attacks on healthcare organizations’ patient records.
Clinical laboratories, anatomic pathology groups, and other healthcare facilities would be wise to invest in cybersecurity, training for workers, and updated technology. The hackers are going to stay on top of the technology; healthcare leaders need to be one step ahead of them.