"Cybersecurity is, and should be, considered as a patient safety issue," said Juuso Leinonen, principal project engineer in ECRI's device evaluation group. ECRI named cybersecurity threats the top technology hazard for patient safety in 2018. "This is primarily through disruption to care delivery or delayed patient care."
A ransomware attack that brings down a hospital's network, for example, disrupts care by cutting off access to data from various information systems and forcing clinicians onto paper records.
Scripps Health in May experienced a massive ransomware attack that led the San Diego health system to take a portion of its network offline, disrupting access to the electronic health record system and other applications for roughly a month. It also caused confusion for some patients, who weren't sure whether scheduled procedures and visits would be postponed.
Ransomware—a type of malware that encrypts a victim's computer files and only releases them in exchange for payment—has become a growing area of concern across multiple industries, including healthcare.
In the wake of the attack at Scripps, the Federal Bureau of Investigation issued an alert warning that ransomware attacks against healthcare organizations "can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of protected health information."
It's particularly challenging for hospitals to continue treating patients if their EHR is taken down in a ransomware attack, as clinicians must move to downtime procedures and paper records. That can not only take longer and cut off access to medical histories and allergies, but also require a change in process that clinicians aren't used to.
"When the systems are down, we can still take care of patients," said John Delano, vice president of ministry and support services at Irving, Texas-based Christus Health and healthcare security strategist at cybersecurity consulting firm Critical Insight—but it brings challenges. Many EHRs also have features that flag things like drug interactions, which won't be available during system downtime.
That's why it's important to have an incident response plan that workers have prepared for and are familiar with, Delano said.
"Healthcare organizations have to remain vigilant," he said. "It's not going to slow down."
In November of last year, Vermont's National Guard was called in to help the University of Vermont Health Network respond to an attack that had disrupted services. And a year ago in September 2020, Universal Health Services disclosed what appeared to be one of the largest reported healthcare cyberattacks.
Forty-three percent of respondents in Ponemon Institute's survey said their organization had experienced at least one ransomware attack in the past two years. One-third of those respondents said their organization had experienced multiple ransomware attacks, according to the survey.
Hackers varied in how much they demanded for a ransom payment.
One-quarter of respondents said hackers demanded less than $10,000 to decrypt their files, followed by 21% who said they demanded between $10,000 and $25,000, according to the survey. At the most expensive end, 2% of respondents said hackers had demanded a ransom of between $5 million and $10 million.
The Biden administration and Congress have homed in on addressing an increased level of ransomware attacks, as cybercriminals recently have targeted hospitals, government agencies and schools.
Some cybersecurity experts have called on the federal government to provide more coordinated support to healthcare organizations dealing with ransomware attacks, including support from the FBI, Homeland Security Department and Health and Human Services Department.
Miri recommended the Food and Drug Administration develop a cybersecurity framework that medical device manufacturers are held to. He also suggested the federal government provide safe harbors for healthcare organizations reporting cybersecurity problems with devices or vendors.
Healthcare organizations "need to know that (they) can talk about these things," Miri said. "That's the only way that we can get better."