October 2024—Instrument assessments for cyber safety are in need of a fast track—or another solution to the delays they’re creating, say some Compass Group laboratory leaders. They met online on Sept. 3 with CAP TODAY publisher Bob McGonnagle, with whom they also talked about mergers and acquisitions and Epic Beaker transitions.
The Compass Group is an organization of not-for-profit IDN system laboratory leaders who collaborate to identify and share best practices and strategies.
We’re seeing a lot of cyberattacks in health care. Frank Beylo, how are things at Inova and with cybersecurity?
Frank Beylo, BS, MT(ASCP), director, operations and technology, Inova Health Systems, Falls Church, Va.: Our cybersecurity process is extensive. We’re continuing to run into challenges, especially with vendors needing remote support. Inova is requiring standardizing with regard to how our vendors access our network, which is through the application BeyondTrust. The days of having direct VPN connections to servers have been gone for a while. That’s causing challenges with vendors, current and future, that cannot or choose not to use BeyondTrust. That then creates a risk that has to be understood and mitigated in some way, and then a decision has to be made on whether or not to proceed. Our cybersecurity team does their best to assess the risk, but they do not approve or disapprove the choice. That is up to the business unit. They will provide a recommendation, and then our executive leadership, along with department leadership, will sign off on that risk.
Our biggest challenge now is to try to stay clinically true to what’s best for patient care while at the same time meeting Inova’s cybersecurity requirements and mitigating the risk as much as possible.
It sounds like there’s a bit of arm wrestling going on.
Frank Beylo (Inova): Over the years Inova has developed a robust IT governance committee to oversee the implementation of our technology initiatives. The committee meets regularly and we go through these projects and vote to move forward or request additional information that may be needed to understand the project. We have representatives from many areas who can lend their voice and experience to these decisions.
We try to start the approval process as early as possible because the tug-of-war, if you will, is, do I get approval for capital first or for cybersecurity first? We don’t want to feel as if we’re wasting resources approving one or the other first only for the project to be unapproved to move forward, so we do the best we can to minimize that, given both processes are vital to onboarding the technology.
What health system executive puts their neck on the line, risking local headlines on the evening news for having crashed the Inova health care system?
Frank Beylo (Inova): It is true that most system executives may not be willing to do that or have the full understanding of the risk and/or impact if not approved; however, we have a good collaborative approach so that the decision is not made simply by one person and the business leadership are all in agreement. Although the risk assessment may be signed by a designated executive leader, we are all in the decision together.
For the first time in my 28 years at Inova, I feel our IT leadership has a better understanding of how important it is to onboard the best in technology for patient care and that is the focus versus recommending we don’t move forward with a technology that is risky. To me that’s very important. Now there’s a little more wiggle room when it comes to moving forward. We need to ensure we understand the risks and the mitigation of those risks.
It must invariably lead to a consolidation among vendors.
Frank Beylo (Inova): Yes. We are fortunate because over the years we have standardized most of our platforms in the laboratory. There are a few one-offs; however, now that we are fully converted to Epic Beaker, we can look at those as we are looking to move our technology to cloud based.
Currently I’m seeing challenges not necessarily with equipment platforms but with middleware changes and upgrades by vendors. One example is that our hematology vendor, Sysmex, is sunsetting its WAM middleware at the end of 2025, so we are currently addressing the impact of that transition and the challenges it may pose. The other challenge that came with our transition to Epic Beaker is we introduced another level of middleware. Prior to Epic Beaker, we had a direct connect from Data Innovations Instrument Manager middleware to our LIS. Now that we have converted, we still have that connection from our equipment to DI middleware, but now that connects to our enterprise instance of DI middleware. So we are struggling not only to determine where the issue may lie, but which team will be involved in the resolution. I’m hoping to smooth this out in the near future to having one process. The last thing I want to create is an “It’s not my issue; it’s the vendor or the other middleware” situation, which will only lead to a prolonged resolution. With all that said, the transition to Beaker has been a positive experience and will only get better as our team members use the application more and realize what it can do.
Ericka Olgaard, tell us about cybersecurity at the University of Florida.
Ericka Olgaard, DO, MBA, clinical associate professor and vice chair for system integration, Department of Pathology, Immunology and Laboratory Medicine, University of Florida College of Medicine: We also have Epic and our university wants to take a unified approach to all the clinics and hospitals in our system, so the lab isn’t doing anything different than what the university is for all its health care.
As you look at certain vendors, do you have some of the same issues? Is the vendor on point for what it is that cybersecurity at University of Florida wants to see?
Dr. Olgaard (University of Florida): Yes. Everyone has different ideals about what that should look like. We in laboratory try hard to show them the areas we need. If we need a vendor for a specific test, we need to make sure we have all those layers on top of that with our middleware—we also have Data Innovations and Epic Beaker—to be able to test for our patients and have firewalls built in to keep patient information safe.
Chris Scanlan, what are your thoughts on cybersecurity? Do the communications between your lab and reference labs need a thorough checking for cybersecurity issues as well?
Christopher Scanlan, director of laboratory services, BayCare Health System, Clearwater, Fla.: Yes. For about five years we’ve had an information security agreement that all new contracts and vendors go through. Four or five years ago we were able to come to an agreement pretty easily. In the past two years there’s been more pushback from vendors for some of the liability we’re asking them to take on in the event they experience a cyberattack.
For reference labs, we run our interfaces through the Cerner Reference Lab Network. We were greatly affected by the OneBlood cyberattack. We’ve put our eyes back on operating our laboratories so we can produce results in the event of a cyberattack. That was a painful experience but it will help set us up for success in the future.
Johan Otter, talk to us about cybersecurity from your perspective at Scripps.
Johan Otter, DPT, assistant VP, Scripps Health, San Diego: We had a cyber event at Scripps about two years ago. We were completely disabled for a month. We were on Epic as well. That meant all orders had to be manual; all results had to be delivered manually or via fax or backup computers. That was an incredible learning curve. We learned that you need to be able to back up your data as much as possible. We now have computers set aside, disconnected from any other service, that we can plug in and use as a backup data center.
Before we went live again, lab went first, which was one of the smartest things we did. And we didn’t tell anyone. We were ready and had processed everything that was sitting in Epic, because it became a data dump. Otherwise we would have crashed our system again. We were able to process everything two days before everyone else went live. We started with a clean slate and then new orders could get in.
Once you’ve gone through an event like this, you become a target again. We got bizarre calls to our service center from people trying to get information and figure out who the people in charge are. So we’ve had to do a lot of education, what you can and can’t share, and it comes down to not a whole lot.
Pete Dysert, what’s on your mind—cybersecurity, laboratory-developed tests, mergers and acquisitions? Any good news?
Peter Dysert, MD, chief, Department of Pathology, Baylor Scott & White Health, Dallas: We’re staring down an Epic Beaker entire enterprise lab conversion this month. They’re doing all the outpatient clinics at the same time as the 50-plus hospitals in our system. So we’re all a little nervous.
As laboratorians, we’ve kind of set ourselves up for M&As. We’ve given the impression to our well-intended administrative colleagues that the professional aspects of running a clinical lab are no longer that relevant. The standardization and everything else has given them reason to view what we provide as simply a commodity and commercial vendors an entrée. The view is that the quality is good enough and, most important, the expertise of laboratory professionals isn’t relevant anymore. It doesn’t surprise me that M&As have traction within health care systems.
Frank Beylo, after having recently gone through an Epic Beaker upgrade, do you have advice on how to have or prepare for a successful Epic installation?
Frank Beylo (Inova): Training is huge and you can never do enough of it. The more you can do before go-live, the better. The Epic team training was not as focused as we would have liked as it pertained to our workflows, so the training team was limited in how they could address our needs. They provided very basic information on the system and how to get around; however, we needed more. We knew going into this it would be challenging, but we didn’t realize how confusing this became for our staff who knew the workflow but were hearing something else. We ended up doing dedicated, around-the-clock Microsoft Teams recorded sessions for every area we felt needed more focus. We also set up simulation rooms for pathology so they could follow the expected workflow from start to finish using the equipment and modules they needed. It would have been a much different outcome had we not done that with our teams.
Dr. Dysert (Baylor Scott & White): I agree. I served as a chief medical information officer for 10 years, and what we do as laboratorians is a manufacturing paradigm. The concept of software dependency and workflow is not the same in the EHR world from a clinical perspective as it is from a lab perspective. Epic’s training is largely geared to orient people to function as individual users, to navigate the menus, but their approach to implementation doesn’t emphasize enough the workflow simulations we depend on every day.
Wally Henricks, where can lab executives and pathologists go to have a more rounded program that addresses some of these things in a didactic sense? Is the Association for Pathology Informatics a good place? What do you recommend?
Walter Henricks, MD, vice chair, Department of Pathology and Laboratory Medicine, and laboratory director, Cleveland Clinic: I agree about the importance of Epic and Beaker training. Not just lab—it’s important for nurses who draw blood specimens because it gums up the whole workflow if specimens aren’t submitted correctly. These fundamentals hurt us until we got that on track, because if specimens are not submitted correctly, they can’t be processed. And it’s important to know where to go if you’re trying to look for a bottleneck in the process.
Laboratory leadership courses on how to be a lab director are positive because that’s what matters in terms of what you have to pay attention to and what’s most important about informatics and information management for laboratories. And you have to know what people are doing to stay compliant or stay best practices. The CAP’s Laboratory Medical Direction program is good. Otherwise, networking is a great way, and that’s where API meetings come in.
There is also a course called PIER, Pathology Informatics Essentials for Residents, created by the CAP, Association of Pathology Chairs, and Association for Pathology Informatics. The curriculum and resources are valuable.
Has anyone here been to an Epic user group meeting in Verona, Wisconsin?
Dr. Olgaard (University of Florida): I have not but I’ve sent people. I’ve heard it’s a wonderful time and there’s a ton of information.
Dr. Henricks (Cleveland Clinic): There is a pathologist presence there. We send people too; they have had a good experience.
Jessica DesLauriers, what’s top of mind for you at Avera?
Jessica DesLauriers, assistant vice president of laboratory services, Avera McKennan Hospital and University Health Center, Sioux Falls, SD: Avera recently announced our health system will be transitioning to Epic over the next two years.
We have formed a committee around laboratory-developed tests to keep up to date on LDT news and to have a plan of action going forward.
Frank Beylo (Inova): Since you’re in the early throes of the transition to Epic, I would recommend you get some backfill to help you when your team members need to be off the bench, to help with validation and testing, both dry and wet. The Epic planning team came to us and said they would need 20,000 hours of our team members’ time with the build and validation of Epic, yet we were not in a position to bring on any temporary help to backfill, which would have helped. It was crippling at times. Taking the SMEs [subject matter experts] off the bench is needed so they can commit to the validation phases needed. Any help you can get to alleviate that would be beneficial.
Moira Larsen, have you had cyber event experience and where are you with laboratory-developed tests?
Moira Larsen, MD, MBA, physician executive director, MedStar Medical Group Pathology, MedStar Health, Columbia, Md.: We were victims of a cybersecurity event long ago. After it happened, we ran drills in which we took instruments down and made sure people knew how to take them offline and get results. I’ve been pushing to get back in the habit of doing that. It’s not good enough to have procedures. You must practice them. You must know how you’re going to interact with other departments.
We continue to prep for LDTs and are putting reporting procedures in place. It came to light that you have to report your complaints and events to the FDA through an electronic medical device report that requires an interface that will have to go through security. We’re starting to have it in place. It’s not the same reporting tool as for the blood bank and blood bank biologic reportables.
Rochelle Odenbrett at Sanford, do you have any up-to-date news about the LDT question?
Rochelle Odenbrett, MT(ASCP), MBA, vice president of laboratories, Sanford Health, Sioux Falls, SD: We’re preparing, understanding that the reporting for an LDT complaint will look a little different than an internal patient safety event. We have to have different reporting structures in place, and our quality management system needs to be beefed up. For the most part, though, we’re playing the waiting game until we get through the election. We’ll prep for what we can without a huge investment in time, resources, or money.
Tell us about cybersecurity within the Sanford system.
Rochelle Odenbrett (Sanford): I’ve had a lot of communications with our IT team to understand how we can speed up the process of security risk assessments for all our equipment. It takes months to get through any risk assessment for new equipment coming into our system. The policy is to renew risk assessments every two years. For example, if we have a chemistry analyzer in place, it’s good to go for two years. If we order a new one, the same model, we still have to go through a risk assessment again. We’re trying to have higher-level conversations about analyzing the risk level to see if that’s where we want to put our resources, or if we want to look at other areas of the organization where it might make more sense. It’s challenging; it holds up our business. It shouldn’t impact patient care, but we’re finding it does. The organization has to recognize we can’t take 12 to 14 months to assess the security of a piece of equipment we need in our lab to insource testing or get to the next level of care.
Frank Beylo (Inova): I sit on our IT governance committee, and we did have discussions surrounding creating a fast-track process because we were running into the same issue. I’ve tried to commit to them to stick with like instrumentation that you can demonstrate has not changed to a degree since last implementation where it would need a full revalidation. If you do have some sort of governance committee or cybersecurity review team, I suggest you look into this option so that you can fast track like technologies already in place versus having to do a full-blown validation. Also remember that not all those making the decisions on the IT side are as familiar with laboratory operations and needs, so it is our responsibility to educate them in a way to help them realize the impact of those decisions.
Moira Larsen, you have many clinicians who are aware of new technologies and who are probably pounding on your door, saying, “We need this in your labs. We have young pathologists eager to use them and help us with them.” Does this create a paradox in terms of getting them specified and approved through cybersecurity?
Dr. Larsen (MedStar): It does. If we put a ROTEM in one heart hospital and now the other hospital wants a ROTEM, they’re trying to treat it like they’ve never seen the cybersecurity application before for this instrument. Besides doing a fast track, we’re trying to set up a way of acknowledging that there can be a systemwide assessment, and if the exact same generation of the exact same instrument has been approved once, it should be approved again.
Stan Schofield, do you have any comments about what you’ve heard here today?
Stan Schofield, VP and managing principal of the Compass Group (formerly of NorDx/MaineHealth): Several years ago, my health system spent $25 million in upgrading cybersecurity, and many things got cut out of budgets because of it. Now that’s more than doubled.
As far as going live with Epic, you can never have enough consultants or people working on the project and you’d better have strong, dedicated project management. Epic has an accelerated timeline on what it says it can do and the resources it takes, and Epic greatly understates what it takes. No matter what you do or how you prepare for it, Epic does not play well with non-Epic physician services, orders, or outreach connectivity. Even though you spend two years planning for it, it still doesn’t work well with non-Epic accounts and facilities. It takes strong project management and big budget increases to get enough personnel to do it.