Ransomware attacks on hospitals have direct consequences on hospital operations. Some facilities have been forced to divert ambulances, shut down computer systems and cut off access to EHRs.
Less direct are the effects of cyberattacks on patient outcomes and safety, and whether they increase mortality rates. As the harm of ransomware moves beyond reputational damage and encroaches on patient safety, Becker’s spoke with CIOs and patient safety groups to further examine the connection.
Direct connections between patient safety and ransomware attacks
A lawsuit alleges a July 2019 ransomware attack on Springhill Medical Center in Mobile, Ala., resulted in a baby’s death. Springhill had shut down its network for nearly eight days because of a ransomware attack.
In the lawsuit, the baby’s mother alleges her daughter was born at the hospital with her umbilical cord wrapped around her neck. The baby suffered severe brain damage because the umbilical cord became wrapped around her neck, and she died nine months later. The suit alleges the ransomware attack disrupted how the nurses could monitor the baby’s heart rate at the nurses’ station. The hospital has denied wrongdoing.
Reports from the Cybersecurity and Infrastructure Security Agency and Ponemon Institute have pointed to direct links between patient mortality and ransomware attacks. CISA looked at the excess death data in Vermont during an October 2020 ransomware attack on the UVM Health Network in Burlington. The team found that during the same period, hospitals affected by ransomware reached the inflection point, which resulted in excess deaths, between two and six weeks faster than nearby hospitals that were not experiencing a ransomware attack.
Kate Pierce, CIO and chief information security officer at North Country Hospital in Newport, Vt., said, “In our rural facility, it is not a far stretch to see the connection from cyberattacks to patient deaths, as the next acute care facility is over 40 miles away. The additional time it would take a patient to arrive at an alternate site could definitely be the difference between life and death.”
A report by the Ponemon Institute surveyed 597 IT and IT security professionals in healthcare delivery organizations to analyze how COVID-19 and ransomware attacks have affected healthcare delivery. Twenty-two percent of respondents from healthcare organizations reported increased mortality rates resulting from ransomware attacks.
Hospitals’ increased reliance on technology
Ralph Johnson, vice president of IT at Leapfrog, said hospitals rely on computer systems to administer medicine, test results and more.
“Nurses have also come to rely on electronic medication verification systems to double-check the ‘five rights’ when administering meds at the bedside,” Mr. Johnson said. “[It’s] a safety net that is not available during an outage.
“Medication reconciliation is always a challenge for providers, even with a fully functional EHR. When the medication list is offline and providers must rely only on the patient’s memory, there is the potential for harm. Providers have come to rely on computerized physician order entry systems to check for medication interactions that have the potential to cause harm. When that safety net of decision support is gone, there is a greater risk for medication errors, which are the most common form of error that happens in the hospital.”
Ms. Pierce said ransomware attacks being linked to patient deaths could become more common in hospitals because “healthcare’s dependence on electronic records has grown significantly in the past 10 years, and most hospitals find it difficult to function without this key component.”
Randy Davis, CIO and vice president of Sterling, Ill.-based CGH Medical Center, said instances of connections between cyberattacks and patient deaths will be rare.
“I personally still hold great faith in the nurses and physicians providing care,” Mr. Davis said. “To me, if our reliance on technology has grown to the point that it can overcome the expertise of nurses and physicians providing care without a functioning EHR, that’s not good. I believe more must have failed than an EHR for malware to cause a death,” he said, in reference to the lawsuit against Springhill Medical Center.
The National Quality Forum told Becker’s that advances in technology bring critical innovations as well as new risks.
“In addition to damaging the resiliency of healthcare infrastructure and operations, pernicious ransomware attacks are a devastating modern reality that also jeopardizes patient safety,” the organization said in an email statement. “We join the healthcare community in expressing our concern and the need to strengthen technology policy and practices that keep patients safe from all forms of harm.”
How hospitals and executives move forward
The detrimental effect that ransomware can have on patient outcomes is something that executives should keep an eye on, Ms. Pierce said.
“The correlation between cyberattacks and patient death rates should definitely be on executives’ radar,” Ms. Pierce said. “In healthcare, the quality of care that is provided to patients within organizations is the key component of their existence. These attacks are now reaching beyond financial and reputational harm, and affecting healthcare organizations’ ability to save lives, which is an entirely different level of impact.”
Although Mr. Davis said direct links between data breaches and patient outcomes are rare, he said that cyberattacks spotlight one area where hospitals may need improvement.
“What it shines a light on is the still too often examples of inadequate investment hospitals have made in cybersecurity,” he said.
Tejal Gandhi, MD, chief safety and transformation officer at Press Ganey, which develops patient satisfaction surveys, said there are several clinical and digital practices hospitals can implement to help minimize potential harm.
Dr. Gandhi said hospital leaders should “Set safety standards and lead by example. Provide resources with messaging that reinforces how cybersecurity is directly tied to patient safety.”
Hospital leaders should also “create red rules for safety absolutes to communicate procedures that require verbatim, exact compliance,” Dr. Gandhi said.