Ransomware attacks have spillover effect

Healthcare organization ransomware attacks can have a significant negative impact on neighboring healthcare organizations, according to a study from JAMA Network. 

Researchers investigated the impact on patient care in adjacent healthcare facilities before and after the Scripps Health ransomware attack in 2021.  

During the attack and post-attack phases, significant increases were seen in patient census, ambulance arrivals, waiting room times, patients left without being seen, total patient length of stay, county-wide emergency medical services diversion, and acute stroke care metrics in the unaffected emergency department. 

“Cyberattacks on health care organizations are growing in frequency and sophistication, which can have real patient care impacts that extend far beyond a single affected hospital,” said Christian Dameff, MD, emergency physician and first author of the study, in a UC San Diego press release. 

On May 1, 2021, Scripps Health was attacked by ransomware that forced five of its acute care hospitals to shut down its electronic health record (EHR) systems, imaging, and telemedicine systems and cost them $122 million in lost revenue and recovery.  

Researchers examined the effect of a hospital’s month-long ransomware attack on two neighboring emergency departments’ patient volume and stroke care metrics. 

The study evaluated 19,857 emergency department visits at the unaffected emergency departments: 6,114 in the pre-attack phase, 7,039 in the attack and recovery phase, and 6,704 in the post-attack phase.  

The study found a 15% increase in mean emergency department volume and a 35.2% increase in mean admissions. Patients who left without being seen increased by 127.8%, and waiting room times increased by 47.6%. For patients who were admitted, their median length of stay increased by 33.9%.   

The study also showed that in the post–attack phase, these care metrics didn’t easily return to normal. Only the rates of Emergency Medical Services (EMS) arrivals, patients who decided to leave against medical advice, emergency department stroke code activations, and confirmed strokes returned to pre-attack rates.  

“Acute stroke care is an example of a time-sensitive, resource-intensive, technologically dependent and potentially lifesaving set of complex actions and decisions requiring a readily available multidisciplinary team working in close coordination,” the study authors said. 

 “There was no significant difference in door-to-CT scan or acute stroke treatment times. Indirect impediments to care have been associated with patient outcomes in the setting of other time-sensitive conditions, including acute myocardial infarction or cardiac arrest. It may be reasonable to consider the impact of cybersecurity disruption within such an outcomes-oriented context.” 

Researchers suggest that hospital ransomware and cyberattacks be treated like natural disasters. A coordinated recovery effort among regional healthcare facilities is the best possible approach to cyberattacks.  

“Recognizing that cybersecurity attacks can impact adjacent hospitals is a step towards realizing the need for regional cooperation just like a natural disaster or other major emergency,” said Christopher Longhurst, MD, chief digital officer at UC San Diego Health and senior author of the study.