Electronic Health Reporter

By Portia Cole, emergent threat researcher, Avertium.

Labeling ransomware attacks as a matter of life and death may seem exaggerated, but in the realm of healthcare, it has proven to be a harsh truth. In recent years, cases of patients whose death have been linked to ransomware attacks have started to emerge. With recent trends indicating a surge in attacks on the industry, it is possible the human toll could only grow.

That toll does not take a single shape. If past cyberattacks are any indication, ransomware attacks can lead to compromised care or no care at all, and studies have found even neighboring facilities can be negatively impacted. Here is an overview of what healthcare organizations and their patients have suffered thus far, and what your organization can do to protect itself.

Cyberattacks with huge costs

In what has been called the “first alleged ransomware death,” an Alabama woman arrived at Springhill Medical Center in July 2019 to give birth, unaware that the hospital had fallen victim to a ransomware attack the week prior. It had yet to be resolved, and as a result, the equipment that monitors vital signs wasn’t transmitting information to the nurses’ desks, leaving staff unaware that the baby was in distress.

The infant was born with the umbilical cord wrapped around her neck and suffered severe brain damage; she died nine months later. The delivering doctor expressed that had she been shown the monitor’s readings, she would have opted for a cesarean section; in a text to a nurse manager about the unfolding situation, she wrote, “This was preventable.” The mother filed a malpractice lawsuit.

A 2021 ransomware attack led to a different kind of death—the death of a hospital. St. Margaret’s Health in Spring Valley, Illinois, was the victim of a ransomware attack. After the attack, the hospital was unable to submit claims to Medicare/Medicaid or insurers for months, contributing to a financial crisis. The hospital announced it would close its doors in June 2023.

Disrupted care and the impact of neighboring emergency departments

Despite the absence of precise statistics linking fatalities to cyberattacks, it is evident that hospital breaches have reached alarming levels, significantly disrupting patient care. In 2022, an incident targeting CommonSpirit Health, the second-largest non-profit health system in the U.S., resulted in the compromise of sensitive information belonging to more than 600,000 patients. This included electronic medical records, allegedly leading to an incident in which a three-year-old was mistakenly administered a medication dosage five times higher than necessary.

The CyberPeace Institute sought to narrow the knowledge gap around healthcare and cybersecurity incidents with its Cyber Incident Tracer. It was able to put some numbers to the threat based on 231 incidents that were logged in 2021.

It found the healthcare organizations that were attacked experienced 23 days of operational impact on average (ranging from hours on the low end to a maximum 115 days). Systems went offline in about 55% of cases, and data was breached or exposed in 76% of the incidents.

The interruption in care was measurable: In 16% of incidents patients had to be redirected, and in 19% of cases, appointments ended up being canceled.

Redirection may have proved fatal in at least one case, in which an attack caused the IT systems of Düsseldorf University Clinic in Germany to fail. According to the hospital, investigators determined that the root cause of the issue was due to an attacker targeting a vulnerability in “widely used commercial add-on software,” which the hospital did not specify. Consequently, the hospital’s systems experienced a gradual crash, and emergency patients had to be redirected to other medical facilities. One of these patients was a woman in need of urgent medical attention; she had to be transferred to another city about 20 miles away for treatment but died before she was able to receive care.

A study published in May 2023 made the case that when one hospital suffers a cyberattack, a “regional disaster” may occur. Researchers looked at urban emergency departments located adjacent to a health care delivery organization that suffered a month-long ransomware attack. They evaluated 19,857 emergency department visits at the unaffected emergency departments: 6,114 in the four weeks before the attack, 7,039 during the attack and recovery phase, and 6,704 in the four weeks following the attack phase.

During the attack and postattack phases, “significant increases in patient census, ambulance arrivals, waiting room times, patients left without being seen, total patient length of stay, county-wide emergency medical services diversion, and acute stroke care metrics were seen in the unaffected facility,” the authors wrote.

Defense

Proactive measures, including regular system updates, network segmentation, employee training, and incident response planning are vital in preventing ransomware attacks that could have life-or-death consequences for patients. Prioritizing cybersecurity best practices is a fundamental step toward preserving patient well-being and maintaining the highest standards of care.

Following best practices helps safeguard sensitive patient information, maintain operational continuity, protect the organization’s reputation, and ultimately ensure the delivery of safe and high-quality healthcare services. To increase cyber resilience in ransomware response, consider the following:

• Evaluate the strategic ransomware preparedness of endpoints by identifying essential controls, such as anti-virus/anti-malware, endpoint protection, and endpoint detection and response solutions, as well as device management tools.
• Enable ransomware cyber hygiene measures across endpoints by implementing application resilience policies that ensure that critical security applications and device management tools are installed and functioning as intended.
• Evaluate the security posture of devices by continuously detecting and reporting on the status of anti-malware, detection, and response software installed on endpoint assets.
• Accelerate the recovery process by collecting accurate insights, executing customized workflows, and automating commands for device recovery. This can be achieved by leveraging a library of custom scripts to facilitate tasks such as identifying infected and encrypted machines, quarantining endpoints by disabling networking or unlocking specific device ports or supporting device re-imaging.
• Identify sensitive data by scanning devices for financial information, social security numbers, personally identifiable information (PII), protected health information (PHI), and intellectual property. This process enables organizations to locate at-risk devices and ensure that proper backup measures are in place using existing tools.
• Implement a data protection program that includes policies, classification, encryption/DLP, and proactive monitoring across all sensitive data.