Regional chaos caused by ransomware attacks on hospitals: Study calls for coordinated response

By Pooja Toshniwal PahariaMay 9 2023Reviewed by Benedette Cuffari, M.Sc.

In a recent study published in JAMA Network Open, researchers study an institution's emergency department (ED) patient count and stroke treatment parameters during a month-long attack by ransomware on a geographically adjacent but separate healthcare delivery organization (HDO).

Study: Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US. Image Credit: Thapana_Studio / Shutterstock.com

Background

For organizational workflows and patient care, HDOs increasingly rely on web-based computer systems and medical equipment. Protected health-related and financial data make HDOs appealing targets for cybersecurity breaches. In fact, cyberattacks against HDOs are becoming more sophisticated and frequent, despite the increase in awareness and focused organizational cybersecurity efforts.

Ransomware, a subset of harmful software known as malware, is being used in an increasing number of cyberattacks on HDOs. Ransomware programs aim to infect a network to encrypt data and functionality unless a financial fee is paid.

Although ransomware intrusions have been connected to severe operational interruptions, evidence of regional associations between cyberattacks and surrounding hospitals is scarce.

About the study

In the present retrospective cohort study, during the period of a ransomware infection at four acute care HDOs, researchers investigate the accompanying regional healthcare interruptions impacting operational and patient volume data at an adjacent and uninfected HDO. The attack infected over 1,300 acute inpatient beds and 19 outpatient care facilities, compromising 150,000 patient records.

The study compared pediatric and adult patient volume, regional emergency medical services (EMS) diversion data, and ED stroke-related healthcare metrics for two United States urban academia-type EDs in the 28 days before the ransomware cyberattack on  1st May 2021, during the cyberattack period and recovery stage between 1st May 2021, and 28th May 2021, and 28 days following the cyberattack and system recovery between 29th May 2021, and 25th June 2021. Combined, the two EDs had a mean yearly census of over 70,000 healthcare visits and represented 11% of acute inpatient care discharges in San Diego.

The HDO infected with the ransomware constituted 25% of inpatient care discharges in the region. The team evaluated the association between the disruptions incurred by the infected HDOs and operational disruptions at other hospitals in the same regional healthcare system. The study's exposure was a one-month-long ransomware infection at four adjacent hospitals.

The primary study outcomes were ED encounters, regional EMS diversion, stroke care metrics, and temporal throughput. Data on demographic variables, including race, ethnicity, sex, and age, as well as recurrence, census, stroke, and throughput data, were obtained from the electronic medical records, whereas diversion data were provided by San Diego County EMS.

The team excluded individuals who left before triage or were immediately referred to another health department for burns, labor, and delivery, or trauma prior to emergency physician assessments. In addition, patients placed in ED observation were excluded unless they subsequently received hospital care services.

Results

A total of 19,857 ED encounters were evaluated in the study. In the uninfected ED, there were 6,114 patients with a mean age of 50 years. About 48% of these patients were female, 27% Hispanic, 11% non-Hispanic Blacks, and 44% non-Hispanic Whites during the pre-attack period.

During the attack and recovery periods, there were 7,039 patients with a mean age of 50 years. About 48% of these patients were female, 26% Hispanic, 11% non-Hispanic Black, and 45% non-Hispanic White. In the post-attack period, there were 6,704 patients with a mean age of 49 years. About 50% of these patients were female, 26% Hispanic, 11% non-Hispanic Black, and 45% non-Hispanic White.

In comparison to the pre-attack period, during the cyberattack period, significant elevations in the mean values for regular ED encounter volumes (218 versus 251), EMS arrivals (1,741 versus 2,354), admissions (1,614 versus 1,722), individuals who left without being examined (158 versus 360), and those who left with healthcare advice (107 versus 161) were observed.

In addition, there were significantly related elevations during the cyberattack period as compared to the pre-attack period. These increases were identified in the median values for time spent in waiting rooms (21 minutes versus 31 minutes) and the total length of stay (LOS) in EDs for admitted individuals (614 minutes versus 822 minutes).

Additionally, there was a statistically significant rise in stroke code activations during the attack period compared to the pre-attack period at 59 and 102, respectively, and 22 and 47 confirmed strokes, respectively.

In the post-attack period, only EMS arrivals, individuals leaving against medical advice, ED stroke code activations, and confirmed strokes returned to pre-attack rates. In the greater San Diego County area, a 74% increase in median total daily ED diversion time was noted as compared to the pre-attack and attack periods of 27 and 47 hours, respectively.

Conclusions

Ransomware-infected hospitals located near HDOs may experience a rise in patient ED encounter volumes and resource limitations, which can compromise time-sensitive care for illnesses such as acute stroke. Thus, coordinated regional cybersecurity planning, similar to what has been done for natural disasters, that involves a multidisciplinary team of clinicians and technologists.

As compared to the pre-attack period, during the cyberattack, there were 15%, 35%, 6.7%, 128%, and 50% increases in mean daily ED volumes, ambulance arrivals, admissions, ED visits where patients leaving without examination, and ED visits where patients left against medical advice, respectively.

Likewise, there were 48%, 34%, and 6% increases in the median values for time spent in waiting rooms, total LOS for admitted patients, and total LOS for discharged patients, respectively, at two normally functioning healthcare facilities adjacent to four hospitals under a ransomware attack during the attack period as compared to the pre-attack period.