Cyberattacks on hospitals 'should be considered a regional disaster,' researchers find
Date:2025-04-21 13:44:43
Editor's note: After repeated requests for comment, Scripps Hospital responded after the publication of the story. The story has been updated to include the hospital's comments.
It was early May in 2021 when patients flooded the emergency room at the University of California San Diego Health Center.
"We were bringing in backup staff, our wait times had gone haywire, the whole system was overloaded," said Dr. Christopher Longhurst, UC San Diego's chief medical officer and digital officer. "We felt it."
But the crunch wasn't the result of a massive accident or the latest wave of patients infected by a new coronavirus variant. The influx was the direct result of a ransomware attack, a costly and unfortunately now common form of cybercrime in which hackers lock down their victims' files and demand a ransom, often millions of dollars, to unlock them.
In reality, UC San Diego wasn't the target. Their systems were intact. Instead, hackers had breached the hospital down the street, Scripps Health. The culprits not only took over the hospital's digital records system and its entire computer network, but stole millions of patients' confidential data. Scripps struggled for weeks to get back online, and is still dealing with the aftermath, having paid $3.5 million in a legal settlement earlier this year with patients whose data was exposed. NPR repeatedly reached out to Scripps Hospital in the reporting of this piece. Subsequent to the publication of this story, Scripps contacted NPR, stating that the hospital purposefully took its network down after the breach to prevent further damage, bringing it back online in stages.
Previously, there's been very little concrete data or analysis breaking down the direct impacts of a cyberattack on a hospital, let alone an entire region of healthcare providers. Most evidence of harm, including deaths, remains anecdotal and has been the subject of lawsuits, including one case in Alabama in 2019 where a family sued the hospital when their baby died during a ransomware attack.
There are reasons for the dearth of data. There are liability concerns, privacy laws, fear of reputational damage and technical challenges. The Scripps attack was highly publicized, and the CEO Chris Van Gorder came forward to write an op-ed about lessons learned from the attack in the San Diego Tribune several months later. However, there are still limitations on how much Scripps can share. And victims of major ransomware attacks, hospitals and other entities alike, are still extremely hesitant to come forward.
That's where UC San Diego comes in.
In 2019, UC San Diego appointed the first medical director of cybersecurity, Dr. Christian Dameff. Dameff, who is also an emergency department doctor, joined a team of physicians and cybersecurity experts to study the impact of a ransomware attack on a neighboring hospital, using their experience in 2021. (The paper's authors don't identify Scripps Hospital as the victim of the nearby ransomware attack, in order to keep attention on their results, though contextual clues like the time period and location make it clear.) They published the results of their research in the peer-reviewed Journal of the American Medical Association in May.
The team of researchers at UC San Diego documented a massive influx of patients to the emergency room in the weeks following the breach. Compared to the weeks prior to the attack, there were over 600 additional patients waiting in the emergency room, while the number of patients leaving without being seen by a doctor more than doubled. There were more than double the number of confirmed strokes during the same time period, as well as nearly double the number of emergency stroke code activations, according to the paper.
The authors concluded that their findings proved that hospitals within close proximity to a victim of a ransomware attack experience serious resource constraints, "affecting time-sensitive care for conditions such as an acute stroke."
Cyberattacks on hospitals "should be considered a regional disaster," the authors wrote.
When asked whether the results were surprising, Longhurst, UC San Diego's chief medical officer and digital officer, said the data actually confirmed what his team experienced during that time period. "We lived through it," he said.
'Ripples in the pond after the stone falls'
It's not just about directly linking deaths with ransomware attacks. Those cases have been well-covered in the news, and there's power in painting a personal portrait of the individual consequences of these attacks, said Longhurst. But having additional metrics that illustrate the other kinds of negative outcomes associated with even a nearby cyberattack is valuable. The data points to where resources might get constrained and how patients might suffer in the short and long-term.
"In some ways what we're looking for are the ripples in the pond after the stone falls," said Dr. Jeff Tully, another co-author of the study.
Tully explained that part of the reason there isn't more granular data on individual patients who are impacted by a ransomware attack at a hospital is because the systems used to track patient care themselves can be damaged or disrupted by the attack.
"A lot of times we just have to focus on the best kind of surrogate or second-hand metrics that we have," he said. For example, there is well documented research demonstrating that stroke patients who don't receive immediate care are at higher risk for bad outcomes like loss of speech, Tully said. "We're trying to identify areas in which it looks like our normal patient care workflows don't process as efficiently as possible."
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency in September 2021 published one of the only other papers partially focused on trying to quantify the impacts of a cyberattack in a healthcare setting. That study was aimed at documenting the challenges faced by the healthcare system during the coronavirus pandemic.
Two of the paper's authors were Josh Corman and Beau Woods, who have worked in healthcare cybersecurity for decades. Both were recruited to serve on a U.S. government COVID-19 vaccine cybersecurity task force.
"We watched the nation's ability to provide medical care suffer," explained Corman in an interview.
While they weren't able to directly correlate the cyberattack with an increase in deaths, the impact was clear, according to the paper.
Some of the metrics they studied included cancelled or delayed surgeries and cancer treatments, lack of COVID testing center availability, loss of communication between hospitals, and more.
"Beyond the obvious consequences of disruptions to diagnostic, testing and treatment equipment, even minor reductions in efficiency caused by cyber incidents compound to increase staff workload and degrade the system's ability to provide medical care," wrote the authors.
Tully of UC San Diego said the goal of the paper was to get more data out there, to inspire future similar research to corroborate results and to kickstart conversations within regions about how to develop emergency response protocols, treating cyberattacks like natural disasters.
Particularly in a scientific field, providing data to demonstrate the extent of a problem is an important way to convince higher-ups to put resources towards correcting the problem, experts said during interviews. That's also important in policy conversations. There are ongoing discussions in Washington, D.C., about the value of banning ransomware payments in an effort to discourage cybercriminals. But in an emergency at a hospital, losing access to patient data and medical technology even for a short period of time could be catastrophic.
There's also a hope that there's more openness going forward.
According to Tully, some organizations have already been very forthright about their experiences with similar attacks, including the University of Vermont Medical Center. But there are dozens of others that have completely locked down from public view.
Sharing information is especially important at a time when ransomware attacks against hospitals are on the rise again.
No more guardrails
According to Allan Liska, a ransomware expert at the cybersecurity firm Recorded Future, the number of attacks against hospitals dipped slightly in 2022, but is so far on track to increase in 2023. Part of the reason for that, Liska explained, is that the ransomware ecosystem is changing. For years, small-time cybercriminals were paying ransomware gangs to access their attack methods and malware. Ransomware gangs have professionalized over the years, and had some measure of control over their affiliates. But now, many of those groups' hacking tools have been stolen and are easily accessible online. "Those guardrails, such as they were, are no longer in place," said Liska.
Stakeholders in the field are already pointing to areas where the type of research UC San Diego conducted could be expanded.
"Looking at the way some other units are affected, like how radiology systems ... if people get delays in diagnosis because they're not able to get a CT scan ... is your chemotherapy or your radiation being delayed? So I think if you look at different departments across a hospital, there might be similar numbers," said Penny Chase, a cybersecurity expert at MITRE during an interview with NPR.
MITRE is a nonprofit that conducts a lot of research for the U.S. government. Within MITRE, there is a lot of research being done on how critical infrastructure systems are connected, to better understand if a single point of failure could lead to a crippling regional disaster like in San Diego.
That includes entirely different sectors, like the water sector, one of the most vulnerable, per Chase.
"The work in the lab and other kinds of exercises we've been involved in are really trying to look at these across critical infrastructure sectors and see what the interdependencies are and what the upstream and downstream impacts are," she continued.
Talking to patients about cyber risks
One important thing to remember, however, is keeping patients included in the discussion. Andrea Downing, a breast cancer advocate and technical expert, founded an organization called the Light Collective. After major leaks of private data including the 2019 Cambridge Analytica scandal, Downing felt compelled to found an organization that would specifically advocate for secure technology that meets patients' needs.
Downing has met with Woods, Corman and others at the annual CyberMed Summit, most recently held this spring in Washington, D.C. The summit is designed to get all relevant stakeholders in a room to discuss the most urgent needs in healthcare cybersecurity, from vulnerabilities in medical devices to privacy needs. One of the more memorable moments was a simulation in which Downing played the role of a patient who was getting a cardiac device implanted. She said it drove home the idea that physicians need to be talking to patients about informed consent and potential cyber risks immediately, rather than after disaster strikes.
Ransomware is a major fear within the patient advocacy groups Downing works with, she said. They're scared they won't have access to the care they need when they need it, but also that cyber criminals might steal and leak their private, sensitive medical data. Knowing there's a plan in place to respond when disaster inevitably strikes would be a step in the right direction.
"If we have an emergency or an acute event, we have to get into the ER. Time can really equal lives," said Downing.