
Data ties healthcare cyberattacks to greater disruptions at nearby hospitals


Ransomware and other cyberattacks against hospitals “should be treated as disasters,” given the increased patient-care disruptions faced by nearby healthcare providers in the aftermath of an attack, according to a new study published in JAMA Network Open.

The findings suggest a need to improve coordinated planning and response efforts between regional care providers.

“Hospitals adjacent to healthcare delivery organizations affected by ransomware attacks may see increases in patient census and may experience resource constraints affecting time-sensitive care for conditions such as acute stroke,” the research showed. The attacks and associated disruptions "should be considered a regional disaster."

The study was led by healthcare subject matter experts from the University of California San Diego Health: Drs. Jeff Tully, Theodore Chan and Christian Dameff. Dameff and Tully are well known for leading the charge on medical device security, while Dameff has testified to Congress about patient-safety risks posed by hospital cyberattacks on adjacent providers.

UCSD is local to Scripps Health, and when a cyberattack on Scripps brought the health system down for a month in May 2021, area hospitals were left overcrowded and unable to keep pace with the influx of patients diverted from Scripps, Dameff told the House Energy & Commerce Committee in July 2021.

“Our ability to diagnose a patient is tied to the technology that we use every day as clinicians: we are so dependent,” said Dameff at the time. “You can imagine during a large ransomware attack, wherein these technical systems are no longer available, that we can’t do our jobs as clinicians.”

The new JAMA study examines the fallout from a hospital cyberattack and outages using data gleaned over the course of the month from the nearby hospitals unaffected by the cyberattack, but overwhelmed with the surge in patient care visits.

Scripps is not specifically mentioned in the study’s findings, but is referenced in the citations. The dates of the study also align with the Scripps cyberattack.

The researchers compared the four-week period prior to the attack to the four-week period of downtime at two academic urban emergency departments located near the impacted health system and evaluated 19,857 emergency department visits at the unaffected hospital.

Of those visits, 6,114 were before the attack, 7,039 were seen during the attack and recovery phase, and 6,704 occurred in the post-attack phase.

During the examined time period, San Diego County EMS reported ambulance diversion traffic at a median of 27 cumulative hours per day in the 4 weeks prior to the attack compared with 47 cumulative hours per day during the attack, and 31 cumulative hours per day after the attack.

The data showed “significant increases in patient census, ambulance arrivals, waiting room times, patients left without being seen, total patient length of stay, county-wide emergency medical services diversion, and acute stroke care metrics were seen in the unaffected emergency department… during the attack and postattack phases.”

In comparison with the pre-attack phase, there were “significant increases” in overall patient admissions to the emergency departments and individuals who left without being seen during the attack phase. They also found similar increases in median waiting room times during the attack phase compared with before the attack.

The wait time before the attack was 21 minutes compared with 31 minutes during the attack phase. There was also a rise in length of stay for admitted patients: 614 minutes compared with 822 minutes during the attack. No significant increases were found between the attack and post-attack phases.

Researchers confirm patient-morbidity risks posed by cyberattacks

The study showed a “significant increase in stroke code activations during the attack phase compared with the pre-attack phase, as well as confirmed strokes.”

In the four weeks before the attack, there were 59 ED stroke code activations. During the attack phase, that number nearly doubled to 103 activations. After the attack, the number again dropped to 65. There was also a significant rise in the number of confirmed stroke diagnoses: 22 before the attack phase and 47 during the attack. After the incident, ED stroke diagnoses returned to 28.

“We saw increases in stroke code alerts, stroke diagnoses, and acute treatments with tPA [tissue plasminogen activator] and endovascular treatments during the cyberattack and recovery,” researchers wrote. “The increased stroke alerts were not correlated with longer times to stroke imaging (CT scan), tPA administration, or time to groin puncture for endovascular treatment.”

The findings provide much-needed data on patient safety and care morbidity impacts brought on by cyberattacks. Multiple studies have suggested similar impacts, while surveys and providers themselves have made the suggestion. But data remains limited on the specific care disruptions brought on by cyberattacks deployed against connected providers. 

Dr. Saif Abed, director of cybersecurity advisory services for AbedGraham Group, has routinely spoken to SC Media about the misplaced focus on patient mortality risks after ransomware or cyberattacks. The real issue after an incident is the impact to morbidity, or “suboptimal clinical outcomes.”

The JAMA report confirms those morbidity risks with the heightened impact on acute stroke patients at hospitals adjacent to a health system disrupted by a cyberattack.

“Indirect impediments to care have been associated with patient outcomes in the setting of other time-sensitive conditions, including acute myocardial infarction or cardiac arrest,” researchers wrote. “It may be reasonable to consider the impact of cybersecurity disruption within such an outcomes-oriented context.”

The hope is that this data will prompt change. Hospitals should work to develop emergency operations plans specific to cyberattacks to minimize recovery times. Those plans should include engaging with “regional partners to proactively plan for and drill for cyberattacks,” they wrote. This should reduce regional impacts in the event of a ransomware attack.

Hospitals should also consider the use of real-time information sharing on cyber threat actors and current tactics, which should also reduce the risk posed by connected partners. These plans should include possible risks to patient populations, particularly high-risk patients.

Providers must prioritize “measures to rapidly facilitate transfers among hospitals. Prolonged regional effects may necessitate consideration of reducing elective surgical cases and other extraordinary measures,” researchers concluded. “Increasing cyberattack prevention efforts and operational resiliency across all health care systems should be a high national priority.”

Since ransomware attacks began pummeling the sector in 2016, healthcare leaders have stressed that providers are only as strong as the weakest link. As such, securing the health sector will require improved threat sharing and coordination between regional partners.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
