French hospital CHSF has been struck by ransomware, leading to care diversion processes and raising concerns over patient safety and morbidity risks. (Photo credit: "French flags" by quinn.anya is licensed under CC BY-SA 2.0.

A cyberattack deployed on the French hospital Center Hospitalier Sud Francilien (CHSF) on Sunday, Aug. 21 has grabbed headlines, as the ransomware threat actors have issued a $10 million demand to unlock the impacted servers.

But what’s more concerning is that patients are being diverted to nearby care facilities as the hospital works to unlock its systems. As reports and previous SC Media coverage have long-noted, care diversion leads to serious impacts on patient care and leads to morbidity risks.

CHSF hospital officials say the cyberattack struck the network at 1 a.m., which triggered its “white plan,” as it rendered the network, business software, storage systems, medical imaging, and the information system for patient admissions “inaccessible for the time being.”

To guarantee care quality, any patient who requires “access to the technical platform” is “directed to the network of public hospitals in Ile-de-France in conjunction with the Regional Health Agency and with the assistance of SAMU-SMUR 91” or another establishment.

Patients who arrive at the emergency room “are assessed and then possibly referred to the CHSF Maison Médicale de Garde.” The hospital has deployed its crisis unit to ensure necessary measures for caring for individuals currently hospitalized at CHSF.

“While the ransom value is grabbing the headlines, it’s actually patient safety that’s been compromised at scale that should be the focal point,” Saif Abed, MD, director of cybersecurity for the AbedGraham Group told SC Media.

“Clinicians are severely hampered in their ability to assess patients and any patient, which is a significant number, that requires medical imaging must be transferred elsewhere. This is suboptimal and is delaying clinical management and decision making which could compromise outcomes,” he continued.

CHSF is indeed prioritizing the safety conditions of all outpatient care, through consultations and care provided at the day hospital. But its notice stressed that the “exceptional situation” may impact activity in its operating room due to the lack of access to its technical platform. 

As such, the hospital is working to address patient concerns individually and following up with plans to ensure the continuity of care “with the help of hospitals in the region.” 

Business continuity plans are key to maintaining patient care amid cyber-related and other outages. But when care is diverted, it becomes a critical patient safety risk due to the likelihood of morbidity impacts. Abed has previously described this term as “suboptimal outcomes.” While there has been one or two rumored incidents involving possible patient deaths, the real concern for hospitals should be “morbidity impact rather than mortality,” given the magnitude of these instances.

As for the ongoing CHSF attack, Abed concluded in a note to SC Media: “Once again we are reminded that investing in cybersecurity and especially clinical incident response planning/emergency preparedness will be essential for patient safety.”