These ransomware attacks are wreaking havoc on our healthcare system

Healthcare delivery organizations lean on health information technology to get things done. Hospitals and other institutions thereby open themselves up to cybersecurity risks, including ransomware attacks. 

In modern practice, every physician is prone to cybersecurity threats. Learn just how destructive ransomware attacks can be. 

What is a ransomware attack?

Ransomware is a form of malicious software that obstructs users' access to their electronic systems unless a ransom is paid. Once paid, access is restored. Although this is only one form of healthcare data breach, according to an article in JAMA Health Forum, ransomware attacks are on the rise.^[] The threats are mostly external—in the form of hacking—with internal negligence or malfeasance, such as a misplaced laptop or inappropriately accessed data, less to blame.

The point of a ransomware attack, specifically, is to disrupt business operations—not steal data, like other healthcare breaches. By disrupting business operations, attackers assume that the healthcare organization will be more motivated to pay the ransom.

Although the exact numbers may be hard to pin down, ransomware attacks seem to be common, according to the 2020 HIMSS Cybersecurity Survey, which included input from 168 healthcare cybersecurity professionals.^[]

Overall, 70% of respondents reported that their organizations experienced a major security breach in the past 12 months, with 20% experiencing ransomware or other malware attacks. 

“Significant security incidents continue to plague healthcare organizations of all types and sizes. Often, securing information and infrastructure is quite complex. Preserving the confidentiality, integrity, and availability of information are equally important. This is, however, a difficult balancing act,” wrote HIMSS.

As the JAMA Health Forum authors note, a rise in ransomware attacks coincided with the COVID-19 pandemic. There is, however, no systematic accounting for the extent and impact of such attacks.

In their JAMA Health Forum article, the researchers report on a cohort study they conducted of 374 ransomware attacks. They found that the annual number of ransomware attacks on healthcare delivery organizations more than doubled between 2016 and 2021. These data breaches exposed the personal health data of about 42 million patients. The hardest hit were large, multi-facility organizations, involving larger amounts of personal health information exposed.

Damages due to ransomware attacks 

Based on individual testimonials, obtained for the JAMA Health Forum study, ransomware attacks can wreak havoc on a healthcare system. Computers and electronic health records are disabled or encrypted, which can force doctors to record with pen and paper; surgeries are delayed or canceled; and emergency departments must reroute ambulances. Sometimes the damage is irreparable, and practices have decided to fold instead of restoring systems. 

Of highest concern, ransomware attacks may jeopardize patient safety and outcomes. The first case of such a tragedy occurred when a baby died with severe brain damage shortly after delivery.^[] The Alabama hospital where this occurred was subject to a ransomware attack at the time and provided diminished care without first informing the family of the attack, according to the lawsuit filed by the baby’s mother. 

The repercussions of a ransomware attack at one hospital can mean fallout for surrounding hospitals. UCSD researchers conducted a cohort study of 2 academic urban emergency departments located next to a health care delivery organization that was besieged by a ransomware attack for one month.^[] The researchers analyzed various types of disruptions, including patient volume, waiting room times, and stroke care. 

During the attack phase and the postattack phase (i.e., 4 weeks after the attack), there were increases in patient census, ambulance arrivals, patients leaving without receiving care, waiting room times, patient length of stay, and diversion of county-wide emergency medical services in the unaffected ED. In particular, acute stroke care metrics were increased. 

In commenting on their results, the authors wrote that “health care cyberattacks such as ransomware are associated with greater disruptions to regional hospitals and should be treated as disasters, necessitating coordinated planning and response efforts.”

Stroke care was an important outcome to study, the authors asserted, because acute stroke care involves a complex decision-making process that is time-sensitive, resource-intensive, technology driven, and potentially lifesaving. It depends on the availability of a multidisciplinary team working closely. In the study, several of the hospitals that were targeted by the ransomware attacks were stroke centers. Consequently, high-acuity patients needed to be transported to a diminished number of functioning stroke care centers in the region.

Ransomware attack prevention

The emerging threat of cybersecurity attacks has experts thinking about solutions, with prevention efforts targeted not only at the healthcare delivery organizations under attack, but also at surrounding ones as well.

The UCSD authors suggest the following actions to tackle the threat of ransomware:

• Making it a national priority to boost cyberattack prevention efforts and operational resiliency across all healthcare systems

• Collecting better data regarding the negative effects of cyberattacks on patient safety and the quality of healthcare

• Investing in cyberattack-specific emergency operation plans to minimize recovery times, as well as working with regional partners to proactively plan for cyberattacks

• Coordinating regional surge planning akin to that in place for natural disasters

• Forming interdisciplinary teams of technologists and clinicians to help predict where risk is greatest

The JAMA Health Forum authors add a recommendation for an increase in cybersecurity and vigilance regarding the threats of phishing, which cedes entry to cyberattacks.

Alternatively, the answer to the threat of cybersecurity may involve the ransoms themselves, according to the authors of the JAMA Health Forum cohort study.

“Additional legislative activity concerns the ransom itself, with proposals to mandate disclosure (of ransom demands, whether a payment was made, and for what amount) and potentially even banning the payment of ransoms,” the authors wrote.

In fact, they continued, “The FBI strongly recommends that businesses not acquiesce to ransom demands in the event of a ransomware [attack], since complying with ransom demands incentivizes ransomware actors to continue targeting health care organizations.” The authors cited one well-documented ransomware attack in which law enforcement deliberately withheld the decryption key for nearly 3 weeks while planning an operation to disrupt the ransomware actors involved.