Efficiency Without Excess: Smart Spending in Rehab Therapy (Part 2)

By John Wallace, PT, MS, FAPTA, chief compliance officer, WebPT.

Being efficient doesn’t mean cutting every cost. In rehab therapy, it means knowing where lean systems are enough and where targeted investments pay off. Many practice owners take pride in their resourcefulness, but avoiding necessary spend can be just as damaging as overspending. True efficiency requires discernment, not deprivation.

Invest in Prevention, Not Just Cleanup 

Many compliance challenges are preventable and often come down to education. Annual CPT coding refreshers, documentation training, and payer-specific updates help teams avoid the most common reasons for denials. Fortunately, these resources are widely available and affordable.

Associations like APTA, AOTA, and ASHA offer low- or no-cost defensible documentation checklists. Some EMRs also include built-in CPT code training modules that therapists can complete on demand. Even one annual training session can prevent dozens of costly mistakes and appeals.

A practice that spends wisely on education avoids far more costly cleanups later.

Know the Limits of Internal Fixes

Internal reviews, peer audits, and checklists can resolve most routine issues. But when audit denial rates spike, especially over the 50% mark, it’s time to rethink the DIY approach.

If you’ve already submitted records and received a wave of denials, don’t rush into appeals without backup. Bring in someone who can review your submissions, flag weak points, and ensure the full documentation story is being told. Even one overlooked missing element can tank an otherwise appropriate episode of care.

Waiting too long to get help can turn a manageable problem into a financial crisis.

Reevaluate Your Payer Strategy

Some of the most expensive mistakes rehab practices make don’t come from what’s in the documentation but from who they sign contracts with. It’s common for new owners to accept every payer agreement offered, thinking more plans means more patients. But each payer adds administrative overhead. If the reimbursement doesn’t offset the documentation burden, denials, and audit risks, that contract might be a liability, not an asset.

There are large commercial payers known for aggressive takeback audits. Talk to peers, evaluate patterns, and think critically about which payers are worth the work.

Out-of-network models, while not for everyone, offer more control and less regulatory friction. They require more patient communication and claim support but can protect clinical autonomy and reimbursement consistency in the long term.

When You Do Need Help, Get the Right Kind

Not every challenge requires outside support, but some absolutely do. If a payer is demanding a multi-year takeback or you’re staring down potential legal action, you need a healthcare attorney, not the business lawyer who helped set up your LLC. These legal experts specialize in payer appeals and regulatory defense, often working alongside compliance consultants to prepare defensible documentation reviews.

Start your search through professional associations, peer groups, or online rehab therapy communities. Platforms like Facebook and LinkedIn host active forums where practice owners regularly recommend experienced consultants and attorneys.

It’s not about bringing in an expensive expert for every small hiccup. It’s about knowing who to call when the stakes get high and acting early enough to protect your practice.

Efficiency with Intention

Running a low-cost practice doesn’t mean cutting corners or taking on every responsibility yourself. The most resilient clinics are the strategic ones, whose leaders are intentional with their budgets, prioritize staff training, protect themselves from risk, and avoid contracts that aren’t in their best interests.

Lean doesn’t mean minimal. It means strategic. Knowing when to pull in help or walk away from risk is one of the smartest moves a practice owner can make.

M&A and Patient Data Integrity: An interview with Rachel Podczervinski and Julie Pursley of Harris Data Integrity Solutions

Merger and acquisition (M&A) activity continues at a rapid pace, posing a risk to data integrity. As impacted hospitals and health systems seek to consolidate their operations and technologies, duplicate and crossover records surge.  While these errors present immediate challenges, the longer-term concern lies in maintaining the accuracy and integrity of patient data across newly merged systems.

We sat down with Harris Data Integrity Solutions’ executive vice president, Rachel Podczervinski, MS, RHIA, and director of industry relations, Julie A. Pursley, MSHI, RHIA, CHDA, FAHIMA, for an in-depth exploration of the obstacles confronting those tasked with maintaining the accuracy of patient data in a rapidly consolidating healthcare environment.

Electronic Health Reporter (EHR): What are the key components of and best practices for data conversion planning during M&A processes, particularly concerning the Master Patient/Person Index?

A critical component is the meticulous analysis and documentation of an MPI’s “current state” and the envisioned “future state.” This involves a thorough review of database structures for both existing and forthcoming systems, as well as the assessment of current and future medical record numbers (MRNs).

Additionally, engaging key stakeholders is vital for developing a comprehensive strategy that addresses the diverse needs of the organization. Selecting the right tools for duplicate and crossover remediation helps ensure accuracy and integrity throughout the MPI management process. Clear MPI data extract specifications are essential for capturing all available identifiers for each patient from the system. Finally, conducting a frequency analysis on key demographic data fields can uncover patterns and outliers, reveal the structure of MRNs across facilities, and highlight any structural adjustments needed for the new system.

For testing and validation, verify the accuracy of the extract by cross-referencing patient information and conducting targeted spot checks. Ensure that accounts marked for retirement are excluded from the extract to prevent duplicates from being created during subsequent analysis. This reduces the workload for health information teams and maintains data integrity throughout the extraction process.

Develop strategies to manage duplicate records, safeguarding data accuracy and integrity.  Establish clear protocols and guidelines for resolving duplicates and reconciling crossovers. Finally, define a threshold for acceptable error rates and allow sufficient time to rectify errors before that threshold is reached.

Several best practices can be used to ensure seamless integration:

M&A activity inherently increases the risk of disrupting the integrity of patient data as organizations merge disparate systems. Strategic planning and best practices that focus on aligning people, processes, and technology can mitigate these risks and help navigate the intricacies of pre- and post-merger MPI management with confidence and effectiveness.

EHR: Why are the Caring Algorithm and the Humans-in-the-Loop model essential aspects of a patient data integrity strategy, particularly during M&A activity?

Caring Algorithms adhere to an AI governance framework that prioritizes safeguards and promotes ethical usage while accurately identifying individuals and supporting fair and unbiased identity decisions across diverse patient populations. Importantly, Caring Algorithms incorporate a human-in-the-loop review mechanism for those matches where the algorithm is not 100% certain. Doing so acknowledges both the limitations of automated algorithms and the potential for automation to impact safety and care coordination by introducing gaps in patient identification.

Ideally, the human-in-the-loop review leverages a variety of tools beyond the matching algorithm to validate discrepancies. These include rules targeting specific matching elements, data standardization tools, and third-party resources that supply historical demographics such as names, addresses, and phone numbers from credit institutions and public utilities.

Harris Data Integrity Solutions (HDI) recently analyzed 137,080 pairs (two patient records) of potential duplicates. What we found highlights how initial decisions made by third-party data can change when a human-in-the-loop review is incorporated into the workflow.

These findings clearly indicate that the presence of both Caring Algorithms and a human-in-the-loop oversight mechanism is vital to restoring and retaining data integrity before, during, and after a merger.

EHR: What role do information technology professionals play in properly leveraging AI to resolve duplicate records during M&A activities and mitigate its impact on data integrity?

Automation can reduce the need for human intervention, but it cannot completely replace it.  Without clear boundaries, governance, and safeguards, AI’s limitations can create gaps that require human review and intervention.  While humans are responsible for many—but not all—patient identification errors, they are essential to identifying, verifying, and correcting them.

AI-enabled technologies such as EMPIs with advanced algorithms, biometrics, MLMs, and predictive analytics with augmented data are powerful but imperfect. They may overlook inconsistencies and cannot make contextual judgments and decisions based on nuanced considerations. These require judgment and decision-making, creativity, innovation, and agility, as well as emotional intelligence and empathy—decidedly human qualities that are critical to handling the complexity of patient data.

EHR: How do health information professionals contribute to navigating complexities such as person matching, error management, and collaboration with registration partners during M&A?

A critical role of health information professionals is managing the accuracy and accessibility of patient data across multiple systems, making them vital to successfully navigating the complexities of maintaining data integrity during M&A. Accurate patient identification ensures that health data seamlessly follows the patient across the continuum of care post-merger. Health information professionals are responsible for establishing standardized data capture practices and training staff to ensure that these standards are consistently maintained.

They also safeguard the ongoing integrity of the EMPI, enabling seamless information sharing across systems, a capability that is especially critical for large, multi-facility health systems. As consolidation accelerates across the healthcare industry, health information professionals will continue playing a central role in maintaining data integrity and ensuring that accurate patient information is available whenever and wherever it’s needed across the continuum of care.

EHR: Where is the industry with patient matching IDs? Any movement? Any hope?

While there is no federal movement toward implementing a unique patient identifier (UPI) in the U.S., Congress has introduced bipartisan legislation with the Patient Matching and Transparency in Certified Health IT (MATCH IT) Act of 2025. This bill aims to improve patient safety and privacy by decreasing patient misidentification while promoting interoperability.

AHIMA updated and launched the Naming Policy Framework 2023: Enhancing Person Matching With Essential Demographic Data Elements to help capture standardized data and assist in identifying patients in health IT systems. A national workgroup reconvened this year to update the resource, providing a one-of-a-kind standard in the industry due to the lack of a national patient identification and matching strategy.

Other initiatives are also advancing patient identification. Patient ID Now released a framework for a national strategy for effective patient identification and matching and continues working to remove legislative barriers that hinder the exploration of a unique patient identifier. Additionally, Project US@ published a technical specification for collecting patient addresses, supported by a companion guide from AHIMA that provides operational guidance and best practices.

EHR: What are some of the things that inspire you most about where the industry is going long term, based on what you’re seeing through your work?

We are inspired every day by the opportunity to work alongside exceptional health information professionals, including those on the HDI team and within client organizations and professional associations. Their dedication to safeguarding data integrity directly influences the quality of care delivered to our patients, our loved ones, and ourselves.

Clinical Communication Maturity: The Missing Foundation of Digital Health ROI in Asia Pacific and the Middle East

By Ashish Singh, Regional Sales Leader, Healthcare Technology, Asia Pacific and Middle East, Rauland.

Across Asia Pacific and the Middle East, hospital digital strategy has been dominated by EHR upgrades, infrastructure refresh cycles, and pilot projects in AI and analytics. Investment capital is chasing complexity.

Yet the fastest, cheapest, and most direct ROI opportunity is hiding in plain sight—and systematically ignored. Clinical communication maturity.

This is not just another technology category. It is the operational substrate on which every other digital investment depends. Without it, EMR data remains retrospective rather than proactive. Without it, AI becomes a dashboard rather than an intervention. Without it, every dollar spent on digital transformation burns at the bedside.

The Hardware Procurement Trap

Most hospitals in ASEAN and GCC countries still evaluate nurse call systems as a hardware procurement decision—not a clinical workflow investment. The system is assessed the same way as a telephone or intercom: Will it ring? Will it light up? Can we hear it? This mindset is a major reason why ROI on digital transformation in our region remains inconsistent. 

The data is unambiguous. Research shows that up to 45% of nursing time can be consumed by non-value-added coordination tasks—tasks that could be automated or streamlined if clinical communication platforms were structured as workflow engines instead of hardware endpoints. In one acute care study (Galinato et al., 2015), delays in acknowledgement varied more than three minutes between severity categories, and these delays were linked directly to the communication method used and whether the signal triggered a standardized workflow.

Yet in ASEAN and Middle East hospitals today, we have a strange paradox: modern nurse call equipment is being installed, but workflow outcomes are rarely measured. There is detailed peer-reviewed work globally on response time patterns, escalation trigger behavior, alert fatigue, and the relationship between signal design and time to action. In our region, we rarely collect or report these metrics. Hardware arrives. Workflows remain unchanged.

The Real Problem Is Not Technology—It’s Maturity

The performance gap is not a technology gap. It is a maturity gap. If we adopt a maturity framework, the issue becomes immediately visible—and actionable.

Level 1: Alarm Systems. Hospitals treat nurse call as an alarm—a ring, a light, a sound. The goal is simply to hear and respond. Almost all ASEAN district hospitals and many private hospitals operate here.

Level 2: Structured Request Systems. Communication becomes coded and contextual: pain assistance, toileting needs, medication requests. This begins to change behavior because the signal carries actionable information.

Level 3: Workflow Engines. The signal triggers routing, escalation, and analytics. Response times improve, nurse time is released, and the business case for digital transformation becomes financially visible. This is where measurable ROI happens.

Here is the uncomfortable truth: Most hospitals in our region believe they are at Level 2 or 3 because the equipment they purchased has modern capabilities. But capability is not maturity. Deployment and measurement is maturity. We are not measuring the outcomes that matter.

The Fastest ROI Route Runs Through Communication

Clinical communication sits at the exact point where nurse time waste is created or eliminated. Every nurse leader knows this. Yet hospital boards continue to funnel digital budgets into the biggest, most complicated projects on the roadmap while overlooking the intervention that could return measurable capacity in a single quarter.

Consider the comparison. EHR upgrades take 12 to 36 months and require clinical adoption campaigns, integration cycles, and vendor dependency. AI pilots take months to years, require data pipelines, regulatory alignment, and uncertain scaling. Clinical communication maturity can return measurable impact in one quarter because it attacks the single most universal bottleneck: delay.

In most hospitals across Asia and the Middle East today, nurses are waiting for acknowledgement, waiting for routing, waiting for escalation. The hospital does not need machine learning to solve this problem. It needs structured signal-to-structured-action architecture and KPI discipline.

The irony is profound. The Asia Pacific nurse call system market is projected to exceed $900 million by 2032. Procurement is happening at scale. Devices are entering wards. If just 10% of that capital deployed into hardware were matched with structured clinical workflow redesign, the impact on response time and escalation accuracy would significantly exceed most AI pilots currently underway in the region.

Three Metrics That Reveal Everything

There is a simple starting point that requires no new technology purchase. Measure three basic communication outcomes:

  1. Time to Acknowledge – How long until a signal is seen?
  2. Time to Respond – How long until a team member reaches the bedside?
  3. Time to Resolve – How long until the request is completed?

These three numbers will immediately reveal whether your nurse call system is a hardware endpoint or a workflow platform. They will also reveal where bottlenecks exist without requiring a full-scale technology overhaul. In fact, most hospitals can begin this measurement within 30 days using existing infrastructure.

The measurement itself becomes the catalyst for workflow redesign. Once hospital leadership sees that average time-to-respond exceeds seven minutes for non-urgent requests, or that critical alerts take more than three minutes to acknowledge, behavior changes. Budget committees start asking different questions. Procurement shifts from price-per-device to workflow outcomes per dollar invested.

Why This Matters Now for ASEAN and GCC Health Systems

Our region stands to gain the most from this shift. ASEAN and Middle East health systems are under intense pressure to scale care capacity without proportional increases in staffing. Clinical communication maturity is one of the few digital strategies that delivers measurable benefit without long-cycle transformation projects.

We also have a strategic advantage: we are not burdened by decades of legacy thinking. Mature Western health systems often struggle to change established workflows precisely because they have been doing them the same way for 20 years. In ASEAN and GCC countries, digital infrastructure is being built now. We can embed workflow maturity from the beginning rather than retrofitting it later.

Yet currently, almost no country in ASEAN or the GCC publishes routine nurse call workflow performance indicators. No system in our region publishes quarterly response time targets. Very few private hospital groups publicly report time-to-escalation metrics for critical alerts. This measurement gap is why digital health ROI remains theoretical rather than operational.

The Path Forward: From Concept to Operating Reality

Investments in EMR, analytics, and AI are necessary—but they are not sufficient. Clinical communication is the operational substrate that makes every other investment usable at the bedside. When that substrate is weak, every dollar of digital spend above it generates friction. When it is strong, even legacy EMR workflows become more productive.

The next generation of digital hospital leaders will not be measured by the size of their data lakes or the sophistication of their AI models. They will be measured by how much bedside time they release back into the clinical day. The highest-performing health systems in the next decade will be defined not by how much automation they deploy, but by how much time they protect.

Until we lift clinical communication from hardware procurement into workflow strategy, we will continue to burn capital on technology that never translates to bedside impact. The maturity model is not academic—it is the difference between digital transformation as a concept and digital transformation as an operating reality.

Clinical communication maturity is the next frontier. The data is clear. The gap is clear. The opportunity is real. Our region can move faster than others precisely because we are building infrastructure now, not replacing it. The question is whether we will seize this advantage or repeat the mistakes of more mature markets by chasing complexity while ignoring the fundamentals.

What Hospital Leaders Can Do Starting Tomorrow

For Chief Nursing Officers: Begin tracking time-to-acknowledge, time-to-respond, and time-to-resolve for one nursing unit this month. Use existing infrastructure—most modern nurse call systems can export this data. Report findings to executive leadership with projected time savings.

For Chief Information Officers: Audit your current nurse call system’s workflow capabilities versus how it is actually deployed. Identify the gap between capability and utilization. Propose a 90-day pilot to instrument workflow metrics in collaboration with nursing leadership.

For Procurement Teams: Shift RFP evaluation criteria from hardware specifications to workflow outcomes. Require vendors to demonstrate not just device capabilities, but measurable improvements in response times and workflow efficiency with reference sites providing data.

For Hospital Boards and CEOs: Request quarterly reporting on clinical communication performance alongside traditional quality and safety metrics. Make workflow maturity a standing agenda item in digital transformation steering committees. Allocate budget for workflow redesign equal to 10% of hardware procurement spend.

Augmenting the Nursing Workforce with AI Across Generational Lines

By Dr. Susan Grant, DNP, RN, NEA-BC, FAAN, Chief Clinical Officer, symplr.

As artificial intelligence (AI) becomes more prevalent across the healthcare ecosystem, safety must remain at the center of everything we do. Nurses are not only at the heart of patient care but are also vital influencers for the successful and safe adoption of AI. When thoughtfully developed, AI can simplify workflows, give clinicians more time to connect with patients, and ultimately improve well-being and patient outcomes. However, if safety is not prioritized and if AI is layered on top of broken workflows, its full potential will never be realized.

Bridging the Generational AI Trust Gap

Generational differences are creating an “AI trust gap” within health systems. Digital-native nurses, who have always known a world rich in technology, are more likely to trust AI. In fact, 41% of Gen Zers say they trust AI more than humans at work. In contrast, more experienced nurses, many of whom have weathered the rocky rollouts of earlier technologies like electronic health records (EHRs), may be wary, especially if past implementations disregarded established workflows or disrupted care delivery.

Nurses are experts in their workflows. Their involvement is essential to ensure that AI solutions are designed to support, not complicate, core responsibilities like scheduling, timecard validation, and clinical documentation. AI can only reduce the administrative burden on nurses—and deliver true safety—if it is built with their expertise in mind. Attempting to graft AI onto inefficient or broken workflows will not succeed; real advancement happens only when nurses are at the table shaping how these technologies fit into practice.

Clinician shortages persist, and technology can help bridge this gap—if and only if solutions enhance workflows and center safety. Otherwise, poorly executed technology implementations, including standalone or disconnected solutions, will reinforce distrust among those who have experienced the downsides before. Sustained change fatigue is real: nurses routinely face new processes, and without clear benefit and alignment with safe, effective care, they may resist further adjustments. Success depends on treating nurses as critical, knowledgeable stakeholders—never as bystanders.

Empowering Nurses to Lead with AI and Workflow Design

Effective AI adoption starts with engaging the entire team—clinicians, IT, and executive leadership—anchored by a relentless commitment to safety. Critically, nurses must be actively involved from the outset, both as co-designers of AI integrations and as decision-makers in shaping how these technologies impact and improve existing workflows. Their lived experience ensures that AI isn’t built atop broken systems, but instead, is integrated into processes that truly work.

Negative experiences with technology often stem from failing to address the practical realities of nursing workflows. When nurses are sidelined during design and implementation, technology rarely adds value or enhances safety. Encouraging open dialogue, inviting feedback, and making nurses foundational to the process turns technology into a powerful ally.

Fostering nurses’ knowledge and confidence by involving them in workflow and technology development not only makes AI more accessible, but it also empowers nurses to advocate for innovations that ease the frontline burden. When nurses help shape AI, they avoid feeling as though change is “done to them” and instead become champions of change that protects well-being and enables them to do what they do best—care for patients.

A Vision for Safe, AI-Supported Clinical Care

Throughout all AI initiatives, safety remains the central theme. When thoughtfully implemented with nurse input and aligned with sound workflows, AI can prevent burnout, create safer environments, and improve nurse well-being. This vision requires involvement from all levels of hospital staff, a continual focus on effective, safe workflows, and an ongoing willingness to listen and adapt.

By addressing generational trust dynamics and ensuring nurse agency in both workflow and AI development, health systems can build more connected teams and drive better results—for clinicians and, most importantly, for patients.

Parkview Health Named to Most Wired List for 12th Consecutive Year

Parkview Health has been recognized for the 12th consecutive year on the Digital Health Most Wired Survey by the College of Healthcare Information Management Executives (CHIME), achieving the highest rating, Level 10, for both acute and ambulatory care categories. Parkview was the only health system in Indiana to reach Level 10 this year.

Parkview improved to Level 10 this year after receiving Level 9 ratings in 2023 and 2024. The health system previously received Level 10 ratings in 2019, 2021 and 2022.

“Technology is interwoven into every part of the healthcare experience,” said Jeff Coulter, chief information officer, Parkview Health. “Whether it’s our patient portals allowing individuals to schedule appointments or check their information, robust security and privacy tools, or the many resources available to physicians, nurses and caregivers to treat patients efficiently and effectively, Parkview is staying on the forefront of technology in healthcare. We’re proud to once again receive CHIME’s highest rating in this year’s Most Wired survey.”

The Digital Health Most Wired survey serves as a comprehensive evaluation and digital maturity report card for healthcare organizations across the globe. As success in digital transformation increasingly influences the quality and accessibility of care, this recognition program reflects the progress of leading healthcare providers as they reshape the future of healthcare. This achievement extends beyond information technology to every area of the enterprise, symbolizing a collective commitment to advancing health and care through strategic digital initiatives.

Among the more than 50,000 facilities represented, Parkview distinguished itself by ranking above peers in key focus areas including clinical quality and safety, analytics and data management, cybersecurity, population health, infrastructure, patient engagement and innovation. The survey evaluates the adoption maturity, outcomes and value of technology integration across healthcare organizations at all stages of digital maturity – from early-phase digitization to advanced transformation.

As healthcare organizations continue to face complex challenges in rising cybersecurity threats, evolving care models, workforce shortages, and budget constraints, the need to accelerate digital transformation has never been more urgent, according to CHIME. Over the next several decades, emerging technologies will revolutionize care delivery in fundamental ways.

Innovations powered by interoperable data, artificial intelligence and secure digital infrastructure are poised to redefine the digital health landscape. Navigating this evolution will require sustained commitment and a clear, strategic roadmap.

“Working one-on-one with patients will always be the foundation of great care, but technology arms our caregivers with the tools to make safe, effective and efficient decisions,” said Dr. Mark Mabus, senior vice president for electronic health records and chief medical informatics officer, Parkview Health. “We are always aiming to make it easier and smoother both for patients to access their healthcare and for our care teams to deliver it. As technology continues to advance and evolve the healthcare industry, Parkview is equipped to evaluate and implement the products that bring real value to our patients and providers.”

Cybercriminals Deploy Creative, Laser-Focused Tactics to Bypass Traditional Email Defenses, VIPRE’s Q3 2025 Email Threat Report Reveals

VIPRE Security Group, a global leader and award-winning cybersecurity, privacy, and data protection company, has released its Q3 Email Threat Landscape Report.

Based on the processing and analysis of 1.8 million emails, the report highlights the most critical email security threat trends identified in Q3 2025, to help organizations strengthen their email defense strategies against the creative, sophisticated, and highly targeted tactics that threat actors use to circumvent traditional cybersecurity measures.

Commercial clutter, the perfect cover for cyberthreats

Legitimate but “spammy” commercial messages dominated this quarter at 60%, up 34% year-on-year. Phishing messages rose to 23% from 20%, while scams dropped to 10% from 34%. This flood of routine commercial clutter is designed to desensitize even the most security-conscious users, making malicious emails blend seamlessly into the noise. When inboxes overflow with legitimate-looking messages, users become less vigilant about what they click on.

Overall, more than a third of all spam emails are maliciously designed to cause harm, encompassing phishing attempts, scams, and malware.

Cold outreach marketing and shotgun list bombing dominate commercial spam  

Within the 60% commercial spam category, cold outreach marketing emails dominated with 72% of the cases. List bombing claimed another 16%, a tactic where attackers maliciously subscribe victims to hundreds or thousands of mailing lists, newsletters, or promotional sign-ups simultaneously, flooding their inboxes with unwanted content. This overwhelming deluge frustrates users but serves as the perfect smokescreen for concealing genuine threats among the chaos.

Newly registered domains on the rise for phishing, but open redirects preferred

Threat actors increasingly registered large numbers of domains to launch temporary phishing sites, quickly deactivating them upon discovery to evade detection and blacklisting. This trend underscores that traditional blacklisting of email domains and signature-based detection measures alone are inadequate.

However, despite the success of newly registered domains, compromised URLs or open redirects remain attackers’ preferred phishing vector, employed in 80% of campaigns. Newly registered domains account for only the remaining 20%, but they are a trend to watch.
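Because an open redirect hides the real destination behind a reputable host, a domain blocklist sees only the trusted name. The following Python is an added example, not code from VIPRE's report: it scans an email body for links whose query parameters carry a URL on a different host. The function names, the sample message, and the `.example` hosts are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
TARGET_RE = re.compile(r"^(?:https?:)?//[^/\s]+", re.IGNORECASE)

# Constructed sample body; every host is a made-up .example name.
SAMPLE_BODY = """\
Your mailbox is almost full. Review storage:
https://news.trusted-shop.example/click?id=77&url=https%3A%2F%2Flogin-check.example%2Fowa
Unsubscribe: https://news.trusted-shop.example/unsub?u=123
Invoice: https://cdn.partner.example/out?next=https%253A%252F%252Fpay-portal.example%252Fauth
Help: https://corp.example/go?to=https://docs.corp.example/help
"""

def _host(url):
    """Lower-cased hostname of url, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def embedded_targets(url, max_decode=3):
    """Absolute URLs carried in the query or fragment parameters of url."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return []
    targets = []
    for source in (parts.query, parts.fragment):
        for _name, value in parse_qsl(source, keep_blank_values=True):
            # parse_qsl decodes once; keep decoding to catch double encoding.
            for _ in range(max_decode):
                decoded = unquote(value)
                if TARGET_RE.match(value) or decoded == value:
                    break
                value = decoded
            if TARGET_RE.match(value):
                targets.append(value)
    return targets

def find_redirect_links(body):
    """Flag links whose embedded destination is on a different host."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")
        outer = _host(url)
        for target in embedded_targets(url):
            inner = _host(target)
            # Simplification: same host or a subdomain of it counts as benign.
            if inner and inner != outer and not inner.endswith("." + outer):
                findings.append(
                    {"link": url, "visible_host": outer, "lands_on": inner})
    return findings

if __name__ == "__main__":
    for finding in find_redirect_links(SAMPLE_BODY):
        print(finding["visible_host"], "->", finding["lands_on"])
```

A finding is a triage signal rather than a verdict, since legitimate click-tracking links have the same shape; scoring `lands_on` instead of `visible_host` is what closes the gap the blocklist leaves.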

Outlook and Google mailboxes top targets for credential harvesting  

Attackers are concentrating their efforts on the world’s two largest business and personal email platforms, Outlook and Google, which today account for 90% of observed phishing attacks. This strategic focus enables threat actors to maximize efficiency by reducing the research and customization required for individual campaigns.

Fetch API emerges as preferred data exfiltration method

One-third of phishing attacks leveraged Fetch API, a sophisticated JavaScript interface for network requests, to exfiltrate stolen credentials. By comparison, fewer than 10% of attacks used POST requests – the traditional HTTP method for transmitting data to servers. This trend suggests attackers are adopting more advanced techniques that may evade conventional security detection mechanisms designed to monitor standard POST-based data transfers.

Apple TestFlight exploits to distribute malicious iOS apps 

Sophisticated threat actors abused Apple’s TestFlight platform to deliver malware-laden iOS applications to targeted victims. Exploiting TestFlight’s legitimate beta testing framework allowed attackers to distribute pre-release test software via invite or public links, bypassing Apple’s standard App Store review processes and security controls, to deliver malicious payloads directly to users’ devices.

Geographic distribution is helping malware evade blocklists

Over 60% of spam emails originated from the United States; 9% from Hong Kong, showing a 5% growth in Q1 2025 and 8% in Q2 2025; 6% from Great Britain; and 25% collectively from other developed countries. This geographic dispersion across spam-sending markets makes IP-based geographic blocking impractical and inadvisable – a vulnerability that attackers deliberately exploit.

Spam sender sources highlight attackers’ creative detection-evasion techniques 

Attackers used a variety of creative techniques to evade detection and maximize spam delivery.

Most notably, compromised accounts (33%) demonstrate that attackers exploited trusted domains to bypass reputation checks and filters despite email authentication (SPF/DKIM) anomalies. 32% of campaigns exploited free popular services, such as Gmail, Yahoo, and Outlook, alongside lesser-known free relays including GMX, ProtonMail, Zoho, and Yandex.

Misusing the strong IP reputations of bulk mailing services like SendGrid, Mailgun, and Amazon SES, attackers weaponised them either through fake sign-ups or compromised customer accounts.

“Today’s cybersecurity threats are succeeding through creative, pinpointed, and strategic sophistication,” Usman Choudhary, General Manager, VIPRE Security Group, says. “They’re manipulating trusted platforms, layering evasion tactics into seamless attack chains, and using commercial spam as cover for their operations. To counter this, organizations need to deploy equally adaptive and layered defenses. The question isn’t whether defenses work today, but rather will they adapt fast enough for tomorrow?”

To read the full report, click here: Email Threat Trends Report: Q3 2025

VIPRE leverages its vast understanding of email security to equip businesses with the information they need to protect themselves. This report is based on proprietary intelligence gleaned from round-the-clock assessment of the cybersecurity landscape.

MDaudit Spotlights the Vital Role of Health Information Professionals in Today’s Evolving Healthcare Landscape

MDaudit joins the American Health Information Management Association (AHIMA) in a dynamic film series that shines a light on the vital work of health information (HI) professionals at the intersection of care, technology, and policy.

Health Information: Making Every Patient’s Story Matter showcases how HI professionals safeguard sensitive data, improve patient outcomes, and shape smarter and more connected healthcare systems through a series of short films, expert interviews, and real-world case studies.

Revenue Integrity and Care Quality

Produced in partnership with strategic content creator Content With Purpose (CWP) and available to stream online, the series features two films from MDaudit. The first is a short documentary that examines how healthcare professionals at Reno, Nev.-based Renown Health, Nevada’s largest not-for-profit integrated healthcare network, utilize MDaudit’s billing compliance and revenue integrity platform to prevent fraud, waste, and abuse, ensuring appropriate reimbursement and improving care quality.

The second is an interview with MDaudit CEO Ritesh Ramesh, who shares insights into why some hospitals and health networks with strong profit margins can reinvest capital back into new and existing facilities to expand access and offer exceptional patient care despite surging denial rates.

These provider organizations tend to invest in advanced revenue cycle management (RCM) technologies, including AI and automation, to accelerate and improve the processing of health information, achieve revenue integrity, and optimize clinical and administrative operations. This, in turn, provides the financial sustainability necessary to expand provider organizations’ services and service footprint, including into traditionally underserved areas.

“The ability to avoid denials and optimize operations and reimbursements by implementing a pre-emptive continuous risk monitoring strategy within RCM is a significant advantage for high-performing healthcare organizations,” says Ramesh. “MDaudit plays an essential role in achieving proactive revenue integrity by helping healthcare organizations balance accurate revenue capture with risk mitigation, enabling confident reinvestment in the future of patient care.”

Revolutionizing Health Data

Filmed across North America, Health Information: Making Every Patient’s Story Matter highlights the innovation, expertise, and collaboration that drive excellence in the profession. It explores themes such as:

Together, these stories bring the HI profession to center stage, demonstrating how health information is revolutionizing the way data is created, exchanged, and utilized across healthcare. Explore the series here.

Q&A with EHR Association AI Task Force Leadership

Artificial intelligence (AI) is evolving rapidly, reshaping the health IT landscape while state and federal governments race to put regulations in place to ensure it is safe, effective, and accessible. For these reasons, AI has emerged as a priority for the EHR Association. We sat down with EHR Association AI Task Force Chair Tina Joros, JD (Veradigm), and Vice Chair Stephen Speicher, MD (Flatiron Health), to discuss the direction of AI regulations, the anticipated impact on adoption and use, and what the EHR Association sees as its priorities moving forward.

EHR: What are the EHR Association’s priorities in the next 12-18 months, and is/how is AI changing them?

Regulatory requirements from both D.C. and state governments are a significant driver for the decisions made by the provider organizations that use our collective products, so a lot of the work the EHR Association does relates to public policy. We’re currently spending a fair amount of our time working on AI-related conversations, as they’re a high-priority topic, as well as tracking and responding to deregulatory adjustments being made by the Trump administration. Other key areas of focus are anticipated changes to the ASTP/ONC certification program, rules that increase the burdens on providers and vendors, and working to address areas of industry frustration, such as the prior authorization process.

EHR: How has the Association adapted since its establishment, and what areas of the health IT industry require immediate attention, if any?

The EHR Association is structured to adapt quickly to industry trends. Our Workgroups and Task Forces, all of which are led by volunteers, are evaluated periodically throughout the year to ensure we’re giving our members a chance to meet and discuss the most pressing topics on their minds. Most recently, that has meant the addition of new efforts specific to both consent management and AI, given the prevalence of those topics within the general health IT policy conversation taking place at both the federal and state levels.

EHR: If you were to welcome young healthcare entrepreneurs to take on the sector’s most pressing challenges, what guidance would you offer them?

Health IT is a great sector for entrepreneurs to focus on. The work is always interesting because it evolves so quickly, both from a technological perspective and the fact that public policy impacting health IT is getting a lot of attention at the federal and state levels. There are a lot of paths to work in the industry, so it’s always helpful for both entrepreneurs and potential health IT company team members to have a clear understanding of the complexities of our nation’s healthcare system and how the business of healthcare works. Plus, they need a good grasp of the increasingly critical role of data in clinical and administrative processes in hospitals, physician practices, and other care settings.

EHR: What principles are critical to the safe and responsible development of AI in healthcare? How do they reflect the Association’s priorities and position on current AI governance issues?

One of the first things the AI Task Force did when it was formed was to identify certain principles that we believe are essential for ensuring the safe and high-quality development of AI-driven software tools in healthcare. These guiding principles should also be part of the conversation when developing state and federal policies and regulations regarding the use of AI in health IT.

  1. Focus on high-risk AI applications by prioritizing governance of tools that impact critical clinical decisions or add significant privacy or security risk. Fewer restrictions on other use cases, such as administrative workflows, will help ensure rapid innovation and adoption. This risk-based approach should guide oversight and reference frameworks like the FDA risk analysis.
  2. Align liability with the appropriate actor. Clinicians, not AI vendors, maintain direct responsibility for AI when it is used for patient care, when the latter provides clear documentation and training.
  3. Require ongoing AI monitoring and regular updates to prevent outdated or biased inputs, as well as transparency in model updates and performance tracking.
  4. Support AI utilization by all healthcare organizations, regardless of size, by considering the varying technical capabilities of large hospitals vs. small clinics. This will make AI adoption feasible for all healthcare providers, ensuring equitable access to AI tools and avoiding the exacerbation of the already oversized digital divide in US healthcare.

Our goal with these principles is to strike a balance between innovation and patient safety, thereby ensuring that AI enhances healthcare without unnecessary regulatory burdens.

EHR: In its January 2025 letter to the US Senate HELP Committee, the EHR Association cited its preference for consolidating regulatory action at the federal level. Since then, a flurry of state-level activity has introduced new AI regulations, while federal regulatory agencies work on finding their footing under the Trump Administration. Has the EHR Association’s position on regulation changed as a result?

Our preference continues to be a federal approach to AI regulation, which would eliminate the growing complexity we face in complying with multiple and often conflicting state laws. Consolidating regulations at the Federal level would also ensure consistency across the healthcare ecosystem, which would reduce confusion for software developers and providers with locations in multiple states.

However, while our position hasn’t changed, the regulatory landscape has. In the months since submitting our letter to the HELP Committee, California, Colorado, Texas, and several other states have enacted laws regulating AI that take effect in 2026. Even if the appetite for legislative action was there, it’s unlikely the federal government could act quickly enough to put in place a regulatory framework that would preempt those state laws. Faced with that reality, we’re working on a dual track of supporting our member companies’ compliance efforts at the state level while continuing to push for a federal regulatory framework.

EHR: What benefits will be realized by focusing regulations on AI use cases with direct implications for high-risk clinical workflows?

Centering AI regulations on high-risk clinical workflows makes sense because they represent a higher possibility of patient harm, and that focus would simultaneously ensure room for innovation on lower-risk use cases. Our collective clients have many ideas as to how AI could help them address areas of frustration, and that’s where our member companies therefore want room to move from development to adoption more expediently, unencumbered by regulation—for example, administrative AI use cases like patient communication support, claims remittance and streamlining benefits verification, all of which our internal polling shows are in high demand by physicians and provider organizations.

A smart, efficient risk-based regulatory framework would be grounded in the understanding that not all AI use cases have a direct or consequential impact on patient care and safety. That differentiation, however, is not happening in many states that have passed or are contemplating AI regulations. They tend to categorize everything as high-risk, even when the AI tools have no direct impact on the delivery of care or the risk to patients is minimal.

The unintended consequence of this one-size-fits-all approach is that it stifles AI innovation and adoption. It’s why we believe the better approach is granular, differentiating between high- and low-risk workflows, and leveraging existing frameworks that stratify risk based on the probability of occurrence, severity, and positive impact or benefit. This also helps ease the reporting burden on all technologies incorporated into an EHR that may be used at the point of care.

EHR: Where should the ultimate liability for outcomes involving AI tools lie–with developers or end users–and why?

This is an interesting aspect of AI regulation that remains largely undefined. Until recently, there hasn’t been any discussion about liability in state rulemaking. For example, New York became one of the first states to address liability when a bill was introduced that holds everyone involved in creating an AI tool responsible, although it’s not specific to healthcare. California recently enacted legislation stating that a defendant—including developers, deployers, and users—cannot avoid liability by blaming AI for misinformation.

Given the criticality of “human-in-the-loop” approaches to technology use—the concept that providers are ultimately accountable for reviewing the recommendations of AI tools and making final decisions about patient care—our stance is that liability for patient care ultimately lies with clinicians, including when AI is used as a tool. Existing liability frameworks should be followed for instances of medical malpractice that may involve AI technologies.

EHR: Why must human-in-the-loop or human override safeguards be incorporated into AI use cases? What are the top considerations for ensuring those safeguards add value and mitigate risk?

The Association strongly advocates for technologies that incorporate or public policy that requires human-in-the-loop or human override capabilities, ensuring that an appropriately trained and knowledgeable person remains central to decisions involving patient care. This approach also ensures that clinicians use AI recommendations, insights, or other information only to inform their decisions, not to make them.

For truly high-risk use cases, we also support the configuration of human-in-the-loop or human override safeguards, along with other reasonable transparency requirements, when implementing and using AI tools. Finally, end users should be required to implement workflows that prioritize human-in-the-loop principles for using AI tools in patient care.

Interestingly, we are seeing some states address the idea of human oversight in proposed legislation. Texas recently passed a law that exempts healthcare practitioners from liability when using AI tools to assist with medical decision-making, provided the practitioner reviews all AI-generated records in accordance with standards set by the Texas Medical Board. It doesn’t offer blanket immunity, but it does emphasize accountability through oversight. California, Colorado, and Utah also have elements of human oversight built into some of their AI regulations.