This article is part of a partnership between First Opinion and Tradeoffs, a nonprofit news organization that investigates our confusing, expensive and often counterintuitive health care system. To learn more about how ransomware is harming hospitals and patients, listen to Tradeoffs' in-depth breakdown and subscribe to never miss an episode.
On a Thursday in early August, staff at Manchester Memorial Hospital in Connecticut realized they had been hit by a ransomware attack. What happened next is the stuff of nightmares. Manchester Memorial had to ask ambulances to take emergency patients elsewhere. They canceled elective surgeries and operated without access to basic imaging equipment such as X-rays and CT scans. Because their electronic health records were unavailable, clinical staff had to revert to pen and paper. It was almost six weeks before Manchester Memorial declared all services back online.
And they were not alone. The same ransomware attack disrupted operations at 16 hospitals and numerous other healthcare facilities within the Prospect Medical Holdings healthcare system. Rhysida, the ransomware actor who claimed responsibility, has listed 1.3 terabytes of stolen patient data for sale on the dark web, with an asking price of 50 bitcoins (roughly $1.3 million).
For many in healthcare, the transition from paper to electronic records is still fresh. How could cyber security be an area of weakness already?!? And yet, research shows healthcare professionals face a growing threat of cyberattacks like the one at Manchester Memorial Hospital.
Ransomware attacks, in which hackers disrupt business operations and/or encrypt sensitive data until the victim pays, are the most common cybersecurity threat facing healthcare professionals today. While this is inconvenient and damaging regardless of industry, in healthcare, cyber attacks disrupt the delivery of care and compromise patient safety. The question is: exactly how much damage can they do? That's what we were trying to find out.
Healthcare is a hacker’s playground for several reasons. First, it is a maze of electronic systems, many of which are necessary to provide care. This includes EHRs, imaging machines, scheduling and communication software, electronic monitoring equipment, telehealth platforms, and many others. Second, many users of these electronic systems are distracted, and therefore susceptible to hacker infiltration techniques. In other words, doctors, nurses and other clinicians are not focused on identifying phishing emails; they are trying to help sick patients! Third, health care can be a matter of life and death, especially in hospital settings. When a ransomware attack forces providers to choose between paying the ransom and providing inadequate care, the former may be a legitimate choice, even though it goes against every law enforcement recommendation.
Although ransomware attacks pose a real danger to patients, research has yet to quantify this threat. In our recently published working paper (summarized here), we provide some of the first evidence on this topic by documenting how devastating ransomware attacks are to hospital operations. We found that during the first week of a ransomware attack, patient numbers drop by approximately 20%. Income is reduced by that much or more, with a 40% drop in emergencies. Hospitals are forced to treat fewer patients during ransomware attacks and provide less care (especially imaging and testing services) for the patients they treat. We see this in several hospital settings: emergency, inpatient and outpatient.
It’s not hard to imagine how a ransomware attack turns into harm for patients. Without access to an EHR, the care team may not know what medications the patient is taking or what they are allergic to. Without imaging, clinicians are blind when making diagnoses. When lab results must be submitted manually (rather than uploaded to the patient chart), treatment is delayed. Without electronic monitoring equipment, medical staff may not be able to monitor patients without physically being in the room. If EMS diversion protocols must be activated, patients may spend valuable time traveling to an alternate facility before receiving care for time-sensitive conditions. This is of particular concern for emergencies such as heart attack and stroke, where time to treatment has well-documented implications for survival.
And yet, we are only just beginning to understand how ransomware attacks affect patient health outcomes. Our research shows that ransomware attacks increase hospital mortality for patients admitted to attacked hospitals. To many this will seem like a statement of the obvious, but as health economists we believe that data speaks louder than anecdote or belief. In normal times, approximately 3 out of 100 hospitalized Medicare patients will die in the hospital. During ransomware attacks, that number rises to 4 in 100. From 2016 to 2021, we estimate that ransomware attacks killed between 42 and 67 Medicare patients.
The true number of deaths caused by ransomware attacks is likely even higher when you include patients with other types of health insurance. The morbidity effects of ransomware attacks (i.e., how delays in care worsen existing conditions) are still unknown.
When we want to understand the impact of ransomware attacks, we need to think beyond each individual hospital to the healthcare system as a whole. Ransomware attacks don’t just affect the hospital being attacked; they also affect other hospitals and patients nearby. Imagine a hospital that was forced to divert emergency services during a ransomware attack. Patients who would go to the attacked hospital must go elsewhere, potentially overwhelming nearby hospitals. A case study of a large, urban ransomware attack showed that nearby hospitals that weren’t attacked saw increases in emergency room patients, ambulance arrivals and wait times. Similarly, averaged across the hundreds of hospitals in our database, we find no area-wide change in ED volume despite large reductions in ED volume at attacked hospitals, suggesting that other facilities must pick up the slack.
This should change the way hospitals and policy makers think about the scope of this issue. While it is true that less than 5% of US hospitals experienced a ransomware attack from 2016 to 2021, this underestimates the problem. A better way to capture the true impact is to say that roughly 25% of all hospital markets have experienced a ransomware attack and its potential spillover effects.
As we begin to quantify the incidence and patient implications of ransomware attacks, two priorities emerge from our research. First, let’s prevent cyber attacks (ransomware and others) from happening. This means investing time, money and personnel in cyber security. Historically, hospital investments in cybersecurity have been meager. Recent evidence suggests that this is changing, although there is still considerable room for improvement when it comes to compliance with widely recognized cybersecurity practices in the healthcare industry. Policymakers interested in encouraging the adoption of evidence-based cybersecurity recommendations should carefully consider the combination of sticks (e.g., requirements for minimum investments in cybersecurity, such as those recently proposed by regulators in New York) and carrots (e.g., subsidies for small, rural and safety net hospitals).
Policymakers should also consider long-term changes, such as investments in the workforce and insurance market reforms. Hospitals (especially those in rural areas) report challenges in recruiting and retaining qualified cybersecurity professionals. The cost of cybersecurity insurance has risen dramatically in recent years, causing some hospitals to drop their policies (which have also become less generous at the same time). These patterns point to an opportunity to regulate the cybersecurity insurance market to prevent a death spiral of adverse selection from eventually unraveling the entire market.
Second, because we will likely never bring the number of cyberattacks to zero, let’s design incident response protocols to ensure patient safety. The motivation for this priority comes directly from our research findings: more serious ransomware attacks (i.e., those that force EMS diversion and the cancellation of care) are more harmful to patients. If we can reduce the disruption caused by ransomware attacks, we can save lives. This requires careful planning, not only at the hospital level (as recently recommended by the Joint Commission), but also at the level of the local community and the overall health system. Incident command systems, commonly used during natural disasters and other emergencies, can provide a useful starting point for this type of coordination among actors.
Cyberattacks on hospitals and other healthcare providers seem unlikely to abate as long as they remain profitable for the hackers who carry them out. Identifying solutions is a challenge for healthcare administrators, regulators, and policy makers alike, but must be a top priority in light of the implications for patient safety. Our work is just the first step toward documenting the cost, in dollars and human lives, of inaction on this issue.
Hannah Neprash is an assistant professor of health policy and management at the University of Minnesota School of Public Health. Claire McGlave is a doctoral student in health services research, policy, and administration at the University of Minnesota School of Public Health. Sayeh Nikpay is an associate professor of health policy and management at the University of Minnesota School of Public Health.