As Chief Healthcare Executive continues our series on cybersecurity in healthcare, we look at the risk a breach poses to patients. Experts say hospitals must plan for providing care after an attack.
Cyberattacks pose a serious risk to patients, and hospitals need to develop plans to protect their patients when a breach occurs, experts say.
Christian Dameff, an emergency physician and assistant professor of emergency medicine at University of California San Diego, has studied cybersecurity extensively. He says health systems need to be talking more about the impacts of cyberattacks on patients and more research is needed.
“I am rather convinced there are more patient safety issues,” Dameff said. “They’re not coming to light.”
He’s not the only one that’s concerned.
Lee Kim, the director of privacy and security at the Health Information and Management Systems Society, said cyberattacks threaten patient safety.
“There are some worse patient outcomes as a result of breaches,” she said.
Limited studies reveal the strain on health systems. A 2017 cyberattack of England’s National Health Service prompted reduced admissions, scrapped surgeries and thousands of outpatient cancellations, according to a 2019 Nature study.
The U.S. Cybersecurity & Infrastructure Security Agency released a study in 2021 linking cyberattacks to increased hospital strain. While the CISA report said there are no deaths directly attributable to a cyberattack, a breach leads to reduced capacity, along with delayed treatments and procedures, all contributing to worsened outcomes.
John Riggi, the American Hospital Association’s national adviser for cybersecurity and risk and a former top FBI executive, said there’s too much focus on “where the body is” when it comes to patient safety and healthcare breaches.
“Any cyberattack which disrupts or delays patient care risks patient safety,” Riggi said.
Under criminal law, authorities don’t have to prove physical harm, but a credible threat to life.
If hospitals can’t access electronic records and are delaying operations or diverting ambulances, that’s a credible threat, Riggi said. “You increase the risk clearly of a negative medical outcome or death,” he said.
Srinivas Loke, senior director of product management at Ordr, a cybersecurity firm, bluntly summarized the risks of ransomware attacks to health systems at the HIMSS Global Health Conference last month.
“It’s going to cause deaths,” Loke said.
Roughly 1 in 5 healthcare IT professionals (21%) reported disruptions of service affecting clinical care in the past year, according to the 2021 HIMSS cybersecurity survey.
Attacks affect multiple hospitals
Dameff talked about the risks to patient safety at the HIMSS conference. He also spoke about the issue in a recent phone interview with Chief Healthcare Executive.
While he said he understands healthcare systems are reluctant to talk about cyberattacks for liability reasons, Dameff said he wished there was more discussion about the potential impacts to patients so hospitals can learn from each other.
“When a cyberattack happens, most hospitals don’t want to talk about it. I’d love to change that dynamic,” Dameff said.
“I would love for more open communication about this topic with leaders,” he said. “We can be learning from each other’s experiences, learning about what went wrong at other institutions.”
Cybersecurity attacks don’t just affect individual hospitals. With more consolidation in healthcare, an attack at one system can affect several hospitals. A ransomware attack at Scripps Health affected operations at five hospitals in the San Diego area for about a month.
“Ransomware attacks over the last several years are becoming more sophisticated,” Dameff said. “They’re impacting multiple hospitals at once.”
An attack at one hospital can affect other nearby healthcare providers, even if they aren’t part of the same network. If a hospital has a breach and has to divert ambulances or delay procedures, other hospitals in the area could see an influx of patients, stretching their capacity. “The effects could be seen in an entire region,” he said.
It’s critical for more research to be done on how hospitals can respond to cyberattacks, because ransomware attacks appear to be lasting longer, Dameff said. It’s also why hospitals need to have strong defenses and well-articulated response plans if they suffer a breach.
“Now we’re hearing about ransomware attacks lasting a month,” Dameff said. “Even a few days may be disruptive. What would a month do to a healthcare organization?”
Providing care after a breach
Hospitals have to think beyond potentially postponing surgeries or re-routing ambulances to other healthcare facilities.
The electronic health record is the backbone of healthcare. What happens if hospitals can’t access those health records for even a short amount of time?
Dameff pointed to patient populations that aren’t necessarily assumed to be affected by technology, such as those on dialysis. “What’s your plan for offering dialysis to hundreds of patients three days a week? That’s what we have to figure out ahead of time,” Dameff said. Cancer patients receiving chemotherapy would also be affected by a breach.
Hospitals also need to figure out how to reach out to thousands of patients in a cyberattack, especially if phone systems are affected.
“At the end of the day, it’s about building cyber resilience,” Dameff said. “What type of patient care can you go manual for a month and do it safely?”
Hospital systems, particularly smaller hospitals or systems, should encourage close cooperation between the emergency management teams and the information technology leadership. The leaders of those two teams “need to become good friends,” Dameff said.
They need to work on plans on how to limit downtime if there is a breach. He said much of the challenge isn’t on technology but rather good business continuity planning.
Hospitals also need to train staff repeatedly on being wary of email phishing and attachments, which are some of the common delivery mechanisms for ransomware. Dameff asked, “Are you doing training with the onboard of your clinical staff on how to avoid cyberattacks?”
At some point, the federal government is going to have to provide more funding to help hospitals improve their cybersecurity, particularly smaller systems or hospitals without the resources, experts say.
“We have cyber haves and have nots,” Dameff said.
As it stands, a hospital or health system in one community may possess very robust defenses, but another hospital across town may be vulnerable. If the vulnerable hospital is breached, it will have an impact on surrounding facilities. “What happens on your network can impact me,” Dameff said.
A national cyberharm registry would be of immense value to healthcare research. Cyberattacks affect people in ways that often aren’t immediately understood. When the Colonial Pipeline was hit by a ransomware attack in 2021, some people weren’t able to heat their homes, Dameff said.
The federal government is pushing for more interoperability in the healthcare industry. Federal officials want providers and insurers to exchange data more freely, so patients can access information more easily.
Dameff says he’s part of a generation of doctors that has never used paper records. Even as he pushes for greater investments in cybersecurity, he said, “I’m a big supporter of information sharing.”
If doctors and hospitals can access patient histories more easily, it’s going to lead to better healthcare, he said.
“I want vulnerabilities or risks to be identified so patients feel comfortable using the technologies,” Dameff said.
Coming tomorrow: A cybersecurity expert offers perspective for hospitals