Clinical laboratories and pathology groups should be on the alert to this new digital threat; telehealth sessions and video conferencing calls particularly vulnerable to acoustic AI attacks
Banks may be the first to get hit by a new form of hacking because of all the money they hold in deposit accounts, but experts say healthcare providers—including medical laboratories—are comparably lucrative targets because of the value of patient data. The point of this hacking spear is artificial intelligence (AI) with increased capabilities to penetrate digital defenses.
AI is developing rapidly. Are healthcare organizations keeping up? The hackers sure are. An article from GoBankingRates titled, “How Hackers Are Using AI to Steal Your Bank Account Password,” reveals startling new AI capabilities that could enable bad actors to compromise information technology (IT) security and steal from customers’ accounts.
Though the article covers how the AI could conduct cyberattacks on bank information, similar techniques can be employed to gain access to patients’ protected health information (PHI) and clinical laboratory databases as well, putting all healthcare consumers at risk.
The new AI cyberattack employs an acoustic Side Channel Attack (SCA). An SCA is an attack enabled by leakage of information from a physical computer system. The “acoustic” SCA listens to keystrokes through a computer’s microphone to guess a password with 95% accuracy.
“With recent developments in deep learning, the ubiquity of microphones and the rise in online services via personal devices, acoustic side channel attacks present a greater threat to keyboards than ever,” wrote UK study authors Joshua Harrison, MEng, Durham University; Ehsan Toreini, University of Surrey; and Maryam Mehrnezhad, PhD, University of London.
Hackers could be recording keystrokes during video conferencing calls as well, where an accuracy of 93% is achievable, the authors added.
This nefarious technological advance could spell trouble for healthcare security. Busy healthcare facilities, clinical laboratories, and telehealth appointments could all potentially be compromised by acoustic SCA attacks.
“The ubiquity of keyboard acoustic emanations makes them not only a readily available attack vector, but also prompts victims to underestimate (and therefore not try to hide) their output,” wrote Joshua Harrison, MEng (above), and his team in their IEEE Xplore paper. “For example, when typing a password, people will regularly hide their screen but will do little to obfuscate their keyboard’s sound.” Since computer keyboards and microphones in healthcare settings like hospitals and clinical laboratories are completely ubiquitous, the risk that this AI technology will be used to invade and steal patients’ protected health information is high. (Photo copyright: CNBC.)
Why Do Hackers Target Healthcare?
Ransomware attacks in healthcare are costly and dangerous. According to InstaMed, a healthcare payments and billing company owned by J.P. Morgan, healthcare data breaches increased to 29.5% in 2021 costing over $9 million. And beyond the financial implications, these attacks put sensitive patient data at risk.
Healthcare can be seen as one of the most desirable markets for hackers seeking sensitive information. As InstaMed points out, credit card hacks are usually quickly figured out and stopped. However, “medical records can contain multiple pieces of personally identifiable information. Additionally, breaches that expose this type of data typically take longer to uncover and are harder for an organization to determine in magnitude.”
With AI advancing at such a high rate, healthcare organizations may be unable to adapt older network systems quickly—leaving them vulnerable.
“Legacy devices have been an issue for a while now,” Alexandra Murdoch, medical data analyst at GlobalData PLC, told Medical Device Network, “Usually big medical devices, such as imaging equipment or MRI machines are really expensive and so hospitals do not replace them often. So as a result, we have in the network these old devices that can’t really be updated, and because they can’t be updated, they can’t be protected.”
But telehealth, according to the UK researchers, may also be one way hackers get past safeguards and into critical hospital systems.
“When trained on keystrokes recorded using the video-conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium. Our results prove the practicality of these side channel attacks via off-the-shelf equipment and algorithms,” the UK researchers wrote in IEEE Xplore.
“[AI] has worrying implications for the medical industry, as more and more appointments go virtual, the implications of deepfakes is a bit concerning if you only interact with a doctor over a Teams or a Zoom call,” David Higgins, Senior Director at information security company CyberArk, told Medical Device Network.
Higgins elaborated on why healthcare is a highly targeted industry for hackers.
“For a credit card record, you are looking at a cost of one to two dollars, but for a medical record, you are talking much more information because the gain for the purposes of social engineering becomes very lucrative. It’s so much easier to launch a ransomware attack, you don’t even need to be a coder, you can just buy ransomware off of the dark web and use it.”
Steps Healthcare Organizations Should Take to Prevent Cyberattacks
Hackers will do whatever they can to get their hands on medical records because stealing them is so lucrative. And this may only be the beginning, Higgins noted.
“I don’t think we are going to see a slowdown in attacks. What we are starting to see is that techniques to make that initial intrusion are becoming more sophisticated and more targeted,” he told Medical Device Network. “Now with things like AI coming into the mix, it’s going to become much harder for the day-to-day individual to spot a malicious email. Generative AI is going to fuel more of that ransomware and sadly it’s going to make it easier for more people to get past that first intrusion stage.”
To combat these attacks, patient data needs to be encrypted, devices updated, and medical staff well-trained to spot cyberattacks before they get out of hand. These SCA attacks on bank accounts could be easily transferable to attacks on healthcare organizations’ patient records.
Clinical laboratories, anatomic pathology groups, and other healthcare facilities would be wise to invest in cybersecurity, training for workers, and updated technology. The hackers are going to stay on top of the technology; healthcare leaders need to be one step ahead of them.
According to Damo Consulting’s 2019 Healthcare IT Demand Survey, when it comes to spending money on information technology (IT), healthcare executives believe AI and digital healthcare technologies—though promising—need more development.
Damo’s report notes that 71% of healthcare providers surveyed expect their IT budgets to grow by 20% in 2019. However, much of that growth will be allocated to improving EHR functionality, Healthcare Purchasing News reported in its analysis of Damo survey data.
As healthcare executives plan upgrades to their EHRs, hospital-based medical laboratories will need to take steps to ensure interoperability, while avoiding disruption to lab workflow during transition.
The survey also noted that some providers that are considering investing in AI and digital health technology are struggling to understand the market, the news release states.
Providers More Positive Than Vendors on IT Spend
Damo Consulting is a Chicago-area based healthcare and digital advisory firm. In November 2018, Damo surveyed 64 healthcare executives (40 technology and service leaders, and 24 healthcare enterprise executives). Interestingly, healthcare providers were more positive than the technology developers on IT spending plans, reported HITInfrastructure.com, which detailed the following survey findings:
79% of healthcare executives anticipate high growth in IT spending in 2019, but only 60% of tech company representatives believe that is so.
75% of healthcare executives and 80% of vendor representatives say change in healthcare IT makes buying decisions harder.
71% of healthcare executives and 55% of vendors say federal government policies help IT spending.
50% of healthcare executives associate immaturity with digital solution offerings.
42% of healthcare providers say they lack resources to launch digital.
“While information technology vendors are aggressively marketing ‘digital’ and ‘AI,’ healthcare executives note that the currently available solutions in these areas are not very mature. These executives are confused by the buzz around ‘AI’ and ‘digital,’ the changing landscape of who is playing what role, and the blurred lines of capabilities and competition,” noted Padmanabhan in the survey report.
The survey also notes that “Health systems are firmly committed to their EHR vendors. Despite the many shortcomings, EHR systems appear to be the primary choice for digital initiatives among health systems at this stage.”
Some Healthcare Providers Starting to Use AI
Even as EHRs receive the lion’s share of healthcare IT spends, some providers are devoting significant resources to AI-related projects and processes.
For example, clinical pathologists may be intrigued by work being conducted at Cleveland Clinic’s Center for Clinical Artificial Intelligence (CCAI), launched in March. The CCAI is using AI and machine learning in pathology, genetics, and cancer research, with the ultimate goal of improving patient outcomes, reported Becker’s Hospital Review.
“We’re not in it because AI is cool, but because we believe it can advance medical research and collaboration between medicine and industry—with a focus on the patient,” Aziz Nazha, MD, Clinical Hematology and Oncology Specialist and Director of the CCAI, stated in an article posted by the American Medical Association (AMA).
AI Predictions Lower Readmissions and Improve Outcomes
Cleveland Clinic’s CCAI reportedly has gathered data from 1.6 million patients, which it uses to predict length-of-stays and reduce inappropriate readmissions. “But a prediction itself is insufficient,” Nazha told the AMA. “If we can intervene, we can change the prognosis and make things better.”
The CCAI’s ultimate goal is to use predictive models to “develop a new generation of physician-data scientists and medical researchers.” Toward that end, Nazha notes how his team used AI to develop genomic biomarkers that identify whether a certain chemotherapy drug—azacitidine (aka, azacytidine and marketed as Vidaza)—will work for specific patients. This is a key goal of precision medicine.
CCAI also created an AI prediction model that outperforms existing prognosis scoring systems for patients with Myelodysplastic syndromes (MDS), a form of cancer in bone marrow.
Meanwhile, at Johns Hopkins Hospital, AI applications track availability of beds and more. The Judy Reitz Capacity Command Center, built in collaboration with GE Healthcare Partners, is a 5,200 square feet center outfitted with AI apps and staff to transfer patients and help smooth coordination of services, according to a news release.
Forbes described the Reitz command center as a “cognitive hospital” and reports that it has essentially enabled Johns Hopkins to expand its capacity by 16 beds without undergoing bricks-and-mortar-style construction.
In short, medical laboratory leaders may want to interact with IT colleagues to ensure uninterrupted workflows as EHR functionality evolves. Furthermore, AI developments suggest opportunities for clinical laboratories to leverage patient data and assist in improving the diagnostic accuracy of providers in ways that improve patient care.
New studies show number of Americans who are unwilling to reveal private health information is growing, hindering medical technology developers
Healthcare consumers appear to be raising their expectations not only of the quality of care they receive, but also of the privacy and security of their protected health information (PHI). This is an important development for clinical laboratories and pathology groups, since they hold large quantities of patient test data.
News reports indicate that, due to the increase in patient distrust about privacy and security, developers of health information technology (HIT) products that collect and transmit patient data are struggling to insert their products into the broader healthcare market.
However, there is a positive side to this trend for medical laboratory professionals. Patients’ interest in tighter security and privacy protections provides pathology groups and clinical laboratory leaders with an invaluable opportunity to inform patients on their lab’s use of cybersecurity measures and to reiterate their commitment to protecting their patients’ data.
Clinical Laboratories Can Ease Patient Fears
It’s not enough that medical laboratories promote their services and efficiencies. They also must tout the capability of their laboratory information management systems (LIMS) to protect a patient’s PHI. That’s critical because recent studies indicate high proportions of healthcare consumers are becoming increasingly wary of how their healthcare data are protected.
The graphic above taken from a 2017 Accenture survey may indicate why healthcare consumer trust in an organization’s ability to secure protected health data (PHI) has eroded so deeply. (Graphic copyright: Accenture.)
Numerous reports of data hacking and security breaches have eroded healthcare consumers’ trust. Patients are more skeptical than ever about the benefits of HIT, such as:
The poll aimed at exploring consumers’ adoption and acceptance of HIT. It found:
87% of consumers are unwilling to divulge all their medical information (up from 66% in 2013);
70% of Americans distrust health technology (a significant increase from 10% in 2014);
And 57% of people who underwent actual encounters with providers’ technology (including ancillary providers, such as clinical laboratories) remain skeptical of HIT.
Even with all the bells and whistles, HIT cannot penetrate the healthcare system if people don’t adopt it, a Black Book news release pointed out.
89% of Patients Withhold Information During Office Visits
Respondents to Black Book’s poll reported being especially alarmed by their data being shared (without their acknowledgement or consent) beyond their hospital and physician. This includes:
Pharmacy prescriptions (90%);
Mental health notes (99%); and
Chronic conditions (81%).
Other key findings from the Black Book poll include the fact that:
89% of consumers withheld health information during their 2016 provider visits;
93% are concerned about security of their personal financial information;
69% say their primary care doctor does not have the technological expertise necessary for them to feel safe divulging extensive personal information.
Missing Data Compromises Care, Analytics
An article in Healthcare IT News reported that fear of breaches is translating to consumers’ reticence to share information. And, the Black Book survey states that data analytics and population health efforts by healthcare providers could be compromised due to consumer distrust, according to a FierceHealthcare article.
“Incomplete medical histories and undisclosed conditions, treatment, or medications raises obvious concerns on the reliability and usefulness of patient health data in application of risk-based analytics, care plans, modeling, payment reforms, and population health programming,” stated Doug Brown, President, Black Book, in the news release.
“This revelation should force cybersecurity solutions to the top of the technology priorities in 2017 to achieve tangible trust in big data dependability,” he concluded.
Patients/Doctors at Odds Over Use of Patient Data
According to the Black Book poll, 91% of people surveyed who use wearable medical tracking devices believe their physician’s EHR should be able to store any health-related data they wish. However, physicians responding to the provider section of the survey stated they have all the information they need. In fact, 94% of the doctors stated patient-generated data (generated by wearables) are “overwhelming, redundant, and unlikely to make a clinical difference.”
The disconnect has led to miscommunication and frustration in the doctor/patient relationship, noted a HealthITSecurity article.
People who struggle to find and understand medical information tend to also be wary of health technologies, such as wearables, patient portals, and mobile apps, noted a UT news release.
Conversely, Americans with a high degree of health literacy are more likely to use fitness trackers and online portals and view them as useful and trustworthy, UT researchers stated.
This study of nearly 5,000 Americans also explored patients’ perceptions of privacy and trust in institutions. Researchers found lower health literacy was associated with more distrust and less adoption of HIT tools.
“There is a pressing need to further the understanding of how health literacy is related to HIT app adoption and usage. This will ensure that all users receive the full health benefits from these technologies in a manner that protects health information privacy, and that users engage with organizations and providers they trust,” the researchers wrote.
Another Dark Daily e-briefing summarized accounts of ransomware and cyberattacks on hospitals and medical labs in 2016. Clinical laboratory leaders are reminded to work with provider teams and appropriate experts to determine the lab’s ability to prevent and withstand cyberattacks.
Labs may glean some ideas from these cybersecurity “2017 must-haves” shared (along with others) in a Healthcare IT News article:
Invest in a risk assessment that makes clear exactly what needs to be protected;
Recognize that beyond medical and billing information, high-tech equipment (such as lab analyzers) needs to be addressed in planning.
Medical laboratory leaders should not be shy about communicating their lab’s cybersecurity priority, investment, and actions taken to keep their patients’ PHI private and secure. That message could be just what skeptical consumers need to hear and could be well received by the lab’s patients.
Medical laboratories now taking the steps to deliver patient-centric lab testing services report solid successes in improving patient/physician satisfaction, increasing lab revenue, and gaining more network access
Evidence is accumulating that “patient-centric” medical laboratory testing services are poised to become one of the most important new paradigms to reshape the house of pathology and clinical laboratory medicine in decades. Better yet, patient-centric lab services will earn more revenue for those labs that move fastest to incorporate these capabilities into their service mix.
“The paradigm of patient-center lab testing services couldn’t come at a better time for the clinical laboratory industry. Most labs are reeling from what is now nearly a full decade of successive and painful reductions in lab test prices and lab budgets,” observed Robert Michel, Editor-in-Chief of The Dark Report, which is Dark Daily’s sister publication. “After years of aggressive cost-cutting, most labs are down to the bare essentials and staff is overworked. That is why there is an urgent need for an operational and clinical strategy that will earn more payment from payers.
IBM Health’s data combined with Truven’s patient records will create an enormous big-data collection representing 300 million patient lives
If any pathologist or clinical laboratory manager still doubts the importance of healthcare big data, the multi-billion-dollar acquisition of Truven Health Analytics by IBM should put those doubts to rest.