Clinical laboratories and anatomic pathology groups should consider these cyberattacks on major healthcare entities as reminders that they should tighten their cybersecurity protections
Hackers continue to gain access to public health records—including clinical laboratory testing data—putting thousands of patients’ protected health information (PHI) at risk of being exposed. The latest important healthcare entity to become the victim of a ransomware attack is American Associated Pharmacies (AAP). According to The Register, AAP announced a ransomware operation called Embargo had stolen over 1.4 terabytes (TB) of data, encrypted those files, and demanded $1.3 million to decrypt the data.
Embargo claims that Scottsboro, Ala.-based AAP paid $1.3 million to have its systems restored. They are now demanding an additional $1.3 million to keep the stolen data private, the HIPAA Journal reported, adding, “The attack follows ransomware attacks on Memorial Hospital and Manor, an 80-bed community hospital and 107 long-term care facility in Georgia, and Weiser Memorial Hospital, a critical access hospital in Idaho.”
AAP has not publicly confirmed the ransomware attack, nor has it made an official statement regarding the breach. But it did post an “Important Notice” on its website reporting, “limited ordering capabilities for API Warehouse have been restored at APIRx.com.”
API Warehouse is a subsidiary of AAP that helps subscribers save on brand name and generic prescriptions via wholesale purchasing plans. It oversees more than 2,000 independent pharmacies across the US and has over 2,500 stock keeping units (SKUs) in its inventory.
The message further states “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites. Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”
“Embargo seems to have international and multi-sector victims and is not focusing on a specific victim profile. They seem opportunistic,” Mike Hamilton (above), founder and chief information security officer (CISO) of cybersecurity firm Critical Insight, told HealthcareInfoSecurity. “However, as they do have multiple victims in healthcare, and their tooling to disable detection is sophisticated, they should not be discounted. If indeed they operate through affiliates, we can expect others to use their infrastructure and tools, and Embargo may emerge as a top threat to healthcare.” Since 80% of all medical records are made up of clinical laboratory testing data, laboratory patients are particularly vulnerable. (Photo copyright: Critical Insight.)
Embargo on the Hunt for PHI
Due to the large amount of data Embargo stole from the AAP servers, it’s likely the hackers were able to procure medical records and account details from all customers of the pharmacies involved in the attack.
Researchers at ESET, an internet security company, first noticed the ransomware organization known as Embargo in June of this year. In a news release, ESET stated that Embargo used an endpoint detection and response (EDR) killer toolkit to steal AAP’s data.
“Based on its modus operandi, Embargo seems to be a well-resourced group. It sets up its own infrastructure to communicate with victims. Moreover, the group pressures victims into paying by using double extortion: the operators exfiltrate victims’ sensitive data and threaten to publish it on a leak site, in addition to encrypting it,” ESET wrote in a news release.
Embargo recently attacked other organizations within the healthcare industry as well. In November, it claimed responsibility for breaching the security of Memorial Hospital and Manor in Bainbridge, Ga. The cyberattack affected Memorial’s email and electronic medical record (EHR) systems, which caused the facility to pivot to a paper-based system, The Cyber Express reported.
Embargo’s attack on Weiser Memorial Hospital in Weiser, Idaho, involved the theft of approximately 200 gigabytes (GB) of sensitive data and caused a four-week-long outage of its computer systems.
Other Cyberattacks on Healthcare Organizations
Dark Daily has covered many cyberattacks on hospital health systems in multiple ebriefs over the past few years.
Safeguarding patient data is critical, and more healthcare organizations are discovering the hard way that they are vulnerable to hackers. This situation serves as another reminder to clinical laboratory and pathology group managers that they need to be proactive and serious about protecting their information systems, and in upgrading their digital security at regular intervals.
Hackers are working hard to obtain access to protected health information, which puts patients at continuous risk of having their private records stolen.
Inability to access clinical laboratory test results forced hospitals to suspend critical procedures and surgeries causing major disruptions to healthcare
Cyberattacks continue to shut down the ability of hospitals to process orders for clinical laboratory tests, medical imaging, and prescriptions. One such cyberattack recently took place against Ascension, the largest nonprofit Catholic health system in the United States. It took more than a month for the health network’s electronic health record (EHR) system to be fully restored, according to a cybersecurity event press release.
Immediately following the event, Ascension announced it had hired a third party company to resolve the fallout from the cyberattack.
“On Wednesday, May 8, we detected unusual activity on select technology network systems, which we now believe is due to a cybersecurity event. … Access to some systems have been interrupted … We have engaged Mandiant, a third party expert, to assist in the investigation and remediation process, and we have notified the appropriate authorities,” a press release states.
Based in Reston, Va., Mandiant is an American cybersecurity firm and a subsidiary of Google.
Cyberattacks are happening more frequently and medical professionals need to be aware that patient care can be severely disrupted by such attacks. The Ascension attack locked its employees out of the healthcare provider’s computer databases, rendering medical personnel unable to track and coordinate patient care. The health network’s EHR, phones, and databases used to order certain clinical laboratory tests, imaging services, procedures, and medications were all affected.
Hospital employees, including two doctors and a registered nurse, spoke anonymously to the Detroit Free Press regarding the issues at their facilities resulting from the cyberattack.
“It’s so, so dangerous,” said the nurse, describing the immediate aftermath of the cyberattack. “We are waiting four hours for head CT [computed tomography scan] results on somebody having a stroke or a brain bleed. We are just waiting. I don’t know why they haven’t at least paused the ambulances and accepting transfers because we physically … don’t have the capacity to care for them right now.”
“In some cases, what are supposed to be unique medical record numbers assigned to patients when they register in the emergency department at Ascension St. John [Detroit, Mich.] have been given to more than one patient at a time,” Detroit Free Press reported. “Because of that, the nurse told the Free Press she couldn’t be confident that a patient’s blood test results actually were his own.”
“We’ve started to think about these as public health issues and disasters on the scale of earthquakes or hurricanes,” Jeff Tully, MD (above), Associate Clinical Professor, Anesthesiology, and co-director of the Center for Healthcare Cybersecurity at the University of California-San Diego, told NPR. “These types of cybersecurity incidents should be thought of as a matter of when and not if,” he added. Inability to verify clinical laboratory test results or access patients’ electronic medical records endangers patients and undermines the confidence of critical healthcare workers. (Photo copyright: UC San Diego.)
Losing Track of Patients and Their Records
According to the HIPAA Journal’sH1, 2024 Healthcare Data Breach Report, “In H1 [first half of the fiscal year], 2024, 387 data breaches of 500 or more [healthcare] records were reported to OCR, which represents an 8.4% increase from H1, 2023, and a 9.3% increase from H1, 2022.”
After the Ascension cyberattack, the healthcare organization’s computer systems were inoperable, and its pharmacy services were temporarily closed. Medical orders for clinical laboratory testing, imaging tests, and prescriptions had to be handwritten on paper and faxed to appropriate departments, which led to long wait times for patients.
There were cases where singular medical record numbers were assigned to multiple patients. Staff resorted to Google documents, paper charting, and text messaging to communicate with one another. But they still lost track of some patients.
“For a lot of our nurses, they’ve never paper charted at all,” said Connie Smith, a charge capture coordinator and head of the Wisconsin Federation of Nurses and Health Professionals, in a ThinkStack blog post. “We were using forms that we pulled out of drawers that hadn’t seen the light of day in a long, long time.”
“They are texting me to find out where the patient went,” a St. John Hospital Emergency Room physician anonymously told the Free Press immediately following the Ascension cyberattack. “They don’t even know where the patient is going or if they’ve been admitted. People are getting lost.
“The pharmacy is getting requests for patient medications, and they have no idea where the patient is in the hospital,” the doctor continued. “Some of the attending physicians are putting in orders for medications, somewhat dangerous medications, and we have no idea if the medications are actually being administered. It’s a scary thing when your medical license is tied to this. If medication mistakes become lawsuits, they will follow us throughout our entire careers and that is not fair to us. It’s not fair to patients.”
According to online updates provided by Ascension, the cyberattack began when an employee downloaded a malicious file thinking it was a legitimate document. That allowed hackers to access seven of Ascension’s 25,000 servers. The resulting cyberattack stifled operations across the organization’s facilities and among its healthcare providers for weeks.
A June 12 update read, “we are pleased to announce that electronic health record (EHR) access has been restored across our ministries. This means that clinical workflow in our hospitals and clinics will function similarly to the way it did prior to the ransomware attack.” The updates did not mention how the attack was resolved or if a ransom was paid to restore the hospitals’ systems.
Preparing for System Disruptions
According to its website, St. Louis-based Ascension has 134,000 associates, 35,000 affiliated providers, and 140 hospitals serving communities in 18 states and the District of Columbia.
“Despite the challenges posed by the recent ransomware incident, patient safety continues to be our utmost priority. Our dedicated doctors, nurses, and care teams are demonstrating incredible thoughtfulness and resilience as we utilize manual and paper based systems during the ongoing disruption to normal systems,” Ascension noted in a Michigan Cybersecurity Event Update.
Clinical laboratory managers and anatomic pathology practice administrators may want to learn from Ascension’s experience and make advanced preparations that will secure patient information and enable their lab to continue functioning during a cyberattack. The Ascension cyberattack illustrates how easily computer systems containing critical information can be hacked and affect patient care.
Technology like Apple’s VR/AR headsets may prove useful to clinical laboratories in accessioning and in pathology labs during biopsy grossing
In what has been billed as a first, medical teams in the US and UK used Apple’s Extended Reality (XR) Vision Pro headset system to assist in surgical procedures. The surgeons themselves did not wear the $3,500 headset. Instead, surgical nurses used the device for touch-free access to a software application that assisted them in setting up, organizing, and performing the operations. For pathologists and clinical laboratories, in the histology laboratory, such an arrangement involving XR headsets could be used when a biopsy is at the grossing station as well.
The headset software the team used during surgery was developed by eXpanded eXistence, Inc. (eXeX), a Florida-based company whose primary product is an iOS (Apple mobile operating system) application that provides similar functions for mobile devices. eXeX adapted the iOS app to work on Apple’s Extended Reality headset.
Extended Reality is an umbrella term for augmented reality (AR) and virtual reality (VR). Apple refers to the technology as “spatial” computing.
Within the clinical laboratory, XR headsets could be used in the accessioning process as the accessioner works through the steps to confirm all required information accompanies the test requisition and that the patient’s specimen is processed/aliquoted appropriately.
“The eXeX platform, enhanced by artificial intelligence, is designed not as a medical device but as an organizational and logistics tool. It aims to streamline the management of tens of thousands of items, including equipment, tools, technologies, consumables, implants, and surgical products,” said neurosurgeon Robert Masson, MD, eXeX’s founder and CEO, in a February news release.
Masson first deployed the software in his own surgical practice. Then in March, eXeX announced that a surgical team at Cromwell Hospital in London used the system in two microsurgical spine procedures, according to a March new release.
That news garnered media coverage in the UK as well as in US-based publications that follow Apple.
“We are in a new era of surgery, and for the first time, our surgical teams have the brilliance of visual holographic guidance and maps, improving visuospatial and temporal orientation for each surgical team and for each surgery in all specialties,” said neurosurgeon Robert Masson, MD (above), eXeX’s founder and CEO, in a press release. Clinical laboratories may one day use XR headsets in the histology lab at the grossing station. (Photo copyright: Masson Spine Institute.)
Surgical Process Not Glamorous, But Important
Despite being on a cutting-edge XR platform, the eXeX software addresses “the least glamorous part” of the surgical process, Masson told Gizmodo.
“People assume that surgical healthcare has got to be sophisticated and modern,” he said. “The reality is the way we organize it is probably the most archaic of all the major industries on the planet. It’s all memorization and guesswork with scribbles on pieces of paper.”
The advantage of an XR headset is that it allows use of the eXeX software in a sterile environment, he added. “The ability to interact with digital screens and holograms and lists and maps and products unlocks all kinds of possibilities. Suddenly, you’ve got an interactive digital tool that you can use without violating the sanctity of sterility.”
Does he foresee a future when the surgeons themselves use XR headsets in the operating room? Not necessarily, Masson told Gizmodo.
“There’s always a tendency to say, ‘look at this amazing tech, let’s put a screw in with it,’” he said. “Well, we’re already putting screws in without the headset, so it doesn’t really solve a problem. People tend to think of floating spines, floating heights, you know, an overlay that tells you where to put a catheter in the liver. Honestly, it’s all unnecessary because we already do that pretty well. What we don’t do really well is stay organized.”
Other XR Apps for Healthcare
In a news release, Apple showcased other healthcare apps for its Vision Pro platform.
Epic Systems, an electronic health record (EHR) system developer, has an app called Epic Spatial Computing Concept that allows clinicians “to easily complete charting, review labs, communicate using secure chat, and complete in-basket workflows through intuitive gestures, like simply tapping their fingers to select, flicking their wrist to scroll, or using a virtual keyboard or dictation to type,” Apple stated in the news release.
Stryker, manufacturer of Mako surgical robotic arms for joint-replacement procedures, has an Apple iOS app called myMako that “allows surgeons to visualize and review patients’ Mako surgical plans at any time in a brilliant, immersive visual experience,” Apple said.
Cinematic Reality, from Siemens Healthineers, is an Apple iOS app that “allows surgeons, medical students, and patients to view immersive, interactive holograms of the human body captured through medical scans in their real-world environment,” Apple said.
New Era in Technology
For the past 20 years, manufacturing companies have installed systems at workstations with audio and video that show each step in a work process and with written checklists on the computer screen. This allows workers to check off each required step as proof that each required work element was performed.
This is similar to professional pilots who use checklists at every step in a flight process. One pilot will read the checklist items, the other will perform the step and confirm it was complete.
These procedures are generally completed on computer displays, but with the advent of XR headset technology, these types of procedures are evolving toward mobility.
To prepare for the emergence of XR-based healthcare apps, the US Food and Drug Administration (FDA) has organized a research team to devise best practices for testing these headset devices, CNBC reported.
It will be some time before XR headset technology finds its way into histology laboratories, clinical laboratories, and pathology practices, but since the rate of technology adoption accelerates exponentially, it might not take very long.
Infection control teams and clinical laboratory managers may want to look at this new product designed to improve the diagnosis and treatment of sepsis
Accurate and fast diagnosis of sepsis for patients arriving in emergency departments is the goal of a new product that was just cleared by the federal Food and Drug Administration (FDA). It is also the newest example of how artificial intelligence (AI) continues to find its way into pathology and clinical laboratory medicine.
Sepsis is one of the deadliest killers in US hospitals. That is why there is interest in the recent action by the FDA to grant marketing authorization for an AI-powered sepsis detection software through the agency’s De Novo Classification Request. The DNCR “provides a marketing pathway to classify novel medical devices for which general controls alone, or general and special controls, provide reasonable assurance of safety and effectiveness for the intended use, but for which there is no legally marketed predicate device,” the FDA’s website states.
Unlike a single analyte assay that is run in a clinical laboratory, Prenosis’ AI/ML software uses 22 diagnostic and predictive parameters, along with ML algorithms, to analyze data and produce a clinically actionable answer on sepsis.
It is important for clinical laboratory managers and pathologists to recognize that this diagnostic approach to sepsis brings together a number of data points commonly found in a patient’s electronic health record (EHR), some of which the lab generated and others the lab did not generate.
“Sepsis is a serious and sometimes deadly complication. Technologies developed to help prevent this condition have the potential to provide a significant benefit to patients,” said Jeff Shuren, MD, JD, Director of the FDA’s Center for Devices and Radiological Health, in a statement. “The FDA’s authorization of the Prenosis Sepsis ImmunoScore software establishes specific premarket and post-market requirements for this device type.” Clinical laboratory EHRs contain some of the data points Prenosis’ diagnostic software uses. (Photo copyright: US Food and Drug Administration.)
How it Works
To assist doctors diagnose sepsis, the ImmunoScore software is first integrated into the patient’s hospital EHR. From there, it leverages 22 parameters including:
White blood cell count to produce a score that informs caregivers of the patient’s risk for sepsis within 24 hours, MedTech Dive reported.
Instead of requiring a doctor or nurse to look at each parameter separately, the SaMD tool uses AI “to evaluate all those markers at once”, CNBC noted. It then produces a risk score and four discrete risk stratification categories (low, medium, high, and very high) which correlate to “a patient’s risk of deterioration” represented by:
By sharing these details—a number from one to 100 for each of the 22 diagnostic and predictive parameters—Sepsis ImmunoScore helps doctors determine which will likely contribute most to the patient’s risk for developing sepsis, MedTech Dive reported.
“A lot of clinicians don’t trust AI products for multiple reasons. We are trying very hard to counter that skepticism by making a tool that was validated by the FDA first, and then the second piece is we’re not trying to replace the clinician,” Bobby Reddy Jr., PhD, Prenosis co-founder and CEO, told MedTech Dive.
Big Biobank and Blood Sample Data
Prenosis, which says its goal is the “enabling [of] precision medicine in acute care” developed Sepsis ImmunoScore using the company’s own biobank and a dataset of more than 100,000 blood samples from more than 25,000 patients.
AI algorithms drew on this biological/clinical dataset—the largest in the world for acute care patients suspected of having serious infections, according to Prenosis—to “elucidate patterns in rapid immune response.”
“It does not work without data, and the data started at Carle,” said critical care specialist Karen White, MD, PhD, Carle Foundation Hospital, St. Louis, MO, in the news release. “The project involved a large number of physicians, research staff, and internal medicine residents at Carle who helped recruit patients, collect data, and samples,” she said.
Opportunity for Clinical Laboratories
Sepsis is a life-threatening condition based on an “extreme response to an infection” that affects nearly 1.7 million adults in the US each year and is responsible for 350,000 deaths, according to US Centers for Disease Control and Prevention (CDC) data.
A non-invasive diagnostic tool like Sepsis ImmunoScore will be a boon to emergency physicians and the patients they treat. Now that the FDA has authorized the SaMD diagnostic tool to go to market, it may not be long before physicians can use the information it produces to save lives.
Clinical laboratory managers inspired by the development of Sepsis ImmunoScore may want to look for similar ways they can take certain lab test results and combine them with other data in an EHR to create intelligence that physicians can use to better treat their patients. The way forward in laboratory medicine will be combining lab test results with other relevant sets of data to create clinically actionable intelligence for physicians, patients, and payers.
One goal of these new functions is to streamline physician workflows. However, these new EHRs may interface differently with clinical laboratory information systems
Artificial intelligence (AI) developers are making great contributions in clinical laboratory, pathology, radiology, and other areas of healthcare. Now, Electronic Health Record (EHR) developers are looking into ways to incorporate a new type of AI—called “Generative AI”—into their EHR products to assist physicians with time-consuming and repetitive administrative tasks and help them focus on patient-centered care.
Generative AI uses complex algorithms and statistical models to learn patterns from collected data. It then generates new content, including text, images, and audio/video information.
According to the federal Government Accountability Office (GAO), generative AI “has potential applications across a wide range of fields, including education, government, medicine, and law” and that “a research hospital is piloting a generative AI program to create responses to patient questions and reduce the administrative workload of healthcare providers.”
Reducing the workload on doctors and other medical personnel is a key goal of the EHR developers.
Generative AI uses deep learning neural networks modeled after the human brain comprised of layers of connected nodes that process data. It employs two neural networks: a generator [generative network] which creates new content, and a discriminator [discriminative network] which evaluates the quality of that content.
The collected information is entered into the network where each individual node processes the data and passes it on to the next layer. The last layer in the process produces the final output.
Many EHR companies are working toward adding generative AI into their platforms, including:
As our sister publication The Dark Report points out in its December 26 “Top 10 Biggest Lab Stories for 2023,” almost every product or service presented to a clinical laboratory or pathology group will soon include an AI-powered solution.
“We believe that generative AI has the potential of being a personal assistant for every doctor, and that’s what we’re working on,” Girish Navani (above), co-founder and CEO of eClinicalWorks, told EHRIntelligence. “It could save hours. You capture the essence of the entire conversation without touching a keyboard. It is transformational in how it works and how well it presents the information back to the provider.” Clinical laboratory information systems may also benefit from connecting with generative AI-based EHRs. (Photo copyright: eClinicalWorks.)
Generative AI Can Help with Physician Burnout
One of the beneficial features of generative AI is that it has the ability to “listen” to a doctor’s conversation with a patient while recording it and then produce clinical notes. The physician can then review, edit, and approve those notes to enter into the patient’s EHR record, thus streamlining administrative workflows.
“The clinician or support team essentially has to take all of the data points that they’ve got in their head and turn that into a narrative human response,” Phil Lindemann, Vice President of Data and Analytics at Epic, told EHRIntelligence. “Generative AI can draft a response that the clinician can then review, make changes as necessary, and then send to the patient.”
By streamlining and reducing workloads, EHRs that incorporate generative AI may help reduce physician burnout, which has been increasing since the COVID-19 pandemic.
“Language models have a huge potential in impacting almost every workflow,” Girish Navani, co-founder and CEO of eClinicalWorks, told EHRIntelligence. “Whether it’s reading information and summarizing it or creating the right type of contextual response, language models can help reduce cognitive load.”
Generative AI can also translate information into many different languages.
“Health systems spend a lot of time trying to make patient education and different things available in certain languages, but they’ll never have every language possible,” Lindemann said. “This technology can take human language, translate it at any reading level in any language, and have it understandable.”
MEDITECH is working on a generative AI project to simplify clinical documentation with an emphasis on hospital discharge summaries that can be very laborious and time-consuming for clinicians.
“Providers are asked to go in and review previous notes and results and try to bring that all together,” Helen Waters, Executive Vice President and COO of MEDITECH, told EHRIntelligence. “Generative AI can help auto-populate the discharge note by bringing in the discrete information that would be most relevant to substantiate that narrative and enable time savings for those clinicians.”
Many Applications for Generative AI in Healthcare
According to technology consulting and solutions firm XenonStack, generative AI has many potential applications in healthcare including:
The technology is currently in its early stages and does present challenges, such as lack of interpretability, the need for large datasets and more transparency, and ethical concerns, all of which will need to be addressed.
“We see it as a translation tool,” Lindemann told EHRIntelligence. “It’s not a panacea, but there’s going to be really valuable use cases, and the sooner the community can agree on that, the more useful the technology’s going to be.”
Since generative AI can be used to automate manual work processes, clinical laboratories and anatomic pathology groups should be alert to opportunities to interface their LISs with referring physicians’ EHRs. Such interfaces may enable the use of the generative AI functions to automate manual processes in both the doctors’ offices and the labs.
