Cyberattacks can extend length of stay, delay procedures, survey says

Ransomware attacks have the potential to increase patients' length of stay and delay care, according to a new poll of information technology and security professionals at healthcare organizations.

There hasn't been much research to date that's quantified the link between cyberattacks and patient safety, despite recognition that it's a problem. Beyond cutting off access to medical data, cyberattacks like ransomware can pose issues if hospitals are forced to delay or divert patient care—leading the American Hospital Association to call it a "threat-to-life crime."

Slightly more than half—56%—of IT and security professionals said cyberattacks have affected patient care at their organization, according to a survey Ponemon Institute published Wednesday.

Ponemon Institute, a research group that conducted the survey, polled nearly 600 IT and security professionals from integrated delivery networks, regional health systems and other healthcare organizations. The survey was commissioned by Censinet, a healthcare cybersecurity company focused on third-party risk management.

"The impact to patient care is grave, and it's getting worse," said Aaron Miri, senior vice president and chief digital and information officer at Jacksonville, Florida-based Baptist Health and a member of Censinet's advisory board.

Miri highlighted the potential for medical devices, which are increasingly connected to the internet or to internal hospital networks, to be hacked or get disrupted during the course of a ransomware attack, which could be dangerous for patients.

Seventy percent of survey respondents who said cyberattacks have affected patient care said such attacks resulted in longer lengths of stay.

Cyberattacks have resulted in delays in procedures and tests (69%), patients being diverted or transferred to other facilities (63%), an increase in complications from medical procedures (37%) and an increase in mortality rate (23%), according to the survey. Respondents were allowed to select more than one answer.

"Cybersecurity is, and should be, considered as a patient safety issue," said Juuso Leinonen, principal project engineer in ECRI's device evaluation group. ECRI named cybersecurity threats the top technology hazard for patient safety in 2018. "This is primarily through disruption to care delivery or delayed patient care."

A ransomware attack that brings down a hospital's network, for example, disrupts care by cutting off access to data from various information systems and forcing clinicians onto paper records.

Scripps Health in May experienced a massive ransomware attack that led the San Diego health system to take a portion of its network offline, disrupting access to the electronic health record system and other applications for roughly a month. It also caused confusion for some patients, who weren't sure whether scheduled procedures and visits would be postponed.

Ransomware—a type of malware that encrypts a victim's computer files and only releases them in exchange for payment—has become a growing area of concern across multiple industries, including healthcare.

In the wake of the attack at Scripps, the Federal Bureau of Investigation issued an alert warning that ransomware attacks against healthcare organizations "can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of protected health information."

It's particularly challenging for hospitals to continue treating patients if their EHR is taken down in a ransomware attack, as clinicians must move to downtime procedures and paper records. That not only can take longer and cut off access to medical histories and allergies, but also just require a change in process clinicians aren't used to.

"When the systems are down, we can still take care of patients," said John Delano, vice president of ministry and support services at Irving, Texas-based Christus Health and healthcare security strategist at cybersecurity consulting firm Critical Insight—but it brings challenges. Many EHRs also have features that flag things like drug interactions, which won't be available during system downtime.

That's why it's important to have an incident response plan that workers have prepared for and are familiar with, Delano said.

"Healthcare organizations have to remain vigilant," he said. "It's not going to slow down."

In November of last year, Vermont's National Guard was called in to help the University of Vermont Health Network respond to an attack that had disrupted services. And a year ago in September 2020, Universal Health Services disclosed what appeared to be one of the largest reported healthcare cyberattacks.

Forty-three percent of respondents in Ponemon Institute's survey said their organization had experienced at least one ransomware attack in the past two years. One-third of those respondents said their organization had experienced multiple ransomware attacks, according to the survey.

Hackers varied in how much they demanded for a ransom payment.

One-quarter of respondents said hackers demanded less than $10,000 to decrypt their files, followed by 21% who said they demanded between $10,000 and $25,000, according to the survey. At the most expensive end, 2% of respondents said hackers had demanded a ransom of between $5 million and $10 million.

The Biden administration and Congress have homed in on addressing an increased level ransomware attacks, as cybercriminals recently have targeted hospitals, government agencies and schools.

Some cybersecurity experts have called on the federal government to provide more coordinated support to healthcare organizations dealing with ransomware attacks, including support from the FBI, Homeland Security Department and Health and Human Services Department.

Miri recommended the Food and Drug Administration develop a cybersecurity framework that medical device manufacturers are held to. He also suggested the federal government provide safe harbors for healthcare organizations reporting cybersecurity problems with devices or vendors.

Healthcare organizations "need to know that (they) can talk about these things," Miri said. "That's the only way that we can get better."