How the Scripps Health cyberattack affected other hospitals

Scripps Health suffered a costly ransomware attack in 2021, but the impact went well beyond the health system in San Diego.

Christian Dameff, medical director of cybersecurity at the University of California San Diego, is the lead author of the study. (Photo: UC-San Diego)

The attack on Scripps disrupted operations at nearby hospitals in San Diego, according to a study published this week by Jama Network Open. The authors note that to their knowledge, no previous studies have documented the impact of cyberattacks on adjacent hospitals that weren’t affected by malware.

Researchers from the University of California San Diego found that the adjacent hospitals saw higher traffic in their emergency departments, an uptick in stroke patients that had to be transferred from hospitals hit with ransomware, and a sharp increase in the number of patients who left the emergency department without being seen.

“This study found that hospitals adjacent to health care delivery organizations affected by ransomware attacks may see increases in patient census and may experience resource constraints affecting time-sensitive care for conditions such as acute stroke,” the authors wrote.

• Read more: Cybersecurity in health systems hampered by lack of talent

The Scripps Health ransomware attack affected operations for four weeks, including the loss of electronic health records, imaging systems and telehealth services. In the study, researchers examined traffic at adjacent hospitals before, during and after the attack.

Compared to the period before the attack, adjacent hospitals witnessed a 15% increase in emergency department volume on a daily basis, and a 35% rise in ambulance arrivals each day. Waiting room times rose 47% (from 21 to 31 minutes) and the number of patients who left without being seen rose 128% (from 158 to 360).

Since some of the hospitals affected by the ransomware attack serve as stroke centers, patients who suffered strokes or had similar symptoms had to be transported to other facilities.

One adjacent health system with two hospitals saw a substantial increase in the number of patients who suffered strokes. The system saw a 113.6% increase in strokes (from 22 to 47) and a 74.6% rise in stroke code activations (from 59 to 103), compared to the time before the ransomware attack. The researchers did not find a significant difference in acute stroke treatment times.

Still, the authors noted that stroke care requires “a readily available multidisciplinary team working in close coordination.”

Hospitals should develop emergency operations plans to deal with cyberattacks, including engaging with other health systems in the region, the authors wrote. Those plans should include risks to patients with stroke or heart attack and the ability to quickly transfer patients to other facilities. In the event of attacks resulting in lengthy disruptions, health systems would need to consider reducing or postponing elective surgeries, the authors suggest.

The researchers also point to the need to boost cybersecurity defenses in healthcare.

“Increasing cyberattack prevention efforts and operational resiliency across all health care systems should be a high national priority,” the authors wrote.

• Read more: Cybersecurity in healthcare: Even with progress, many vulnerabilities remain

Many hospitals and health systems have been hit by ransomware attacks in recent years. Earlier this year, the Ponemon Institute surveyed healthcare IT professionals and found that more than half (53%) said a ransomware attack disrupted patient care.

Christian Dameff, the lead author of the study and the medical director of cybersecurity at the University of California San Diego, has warned about the dangers of cyberattacks to hospitals, including the health risks to patients.

“I am rather convinced there are more patient safety issues,” Dameff told Chief Healthcare Executive® in an April 2022 interview. “They’re not coming to light.” He also discussed the growing threat of cybersecurity to patient safety in a discussion at the 2022 HIMSS Conference.

Scripps Health said in financial statements that the ransomware attack cost the system nearly $113 million, The San Diego Tribune-Union reported. Scripps Health agreed late last year to pay $3.5 million to victims of the ransomware attack, CBS 8 San Diego reported.

Healthcare cybersecurity analysts say they have seen a drop in ransomware attacks at hospitals in recent months. Hospitals have improved their cybersecurity efforts, but experts caution that ransomware groups could be developing different ways to attack. And analysts have said many hospitals need to improve their cybersecurity defenses.

Experts warn ransomware groups will likely develop AI-powered cyberattacks in the near future, but they note that AI tools offer some protection for health systems.

The authors of the new study call for additional research on the effects of cyberattacks on patient safety and the quality of care.

“These findings support the need for coordinated regional cyber disaster planning, further study on the potential patient care effects of cyberattacks, and continued work to build technical health care systems resilient to cyberattacks such as ransomware,” the authors wrote.

When interviewed by Chief Healthcare Executive last spring, Dameff acknowledged the difficulty in promoting more dialogue about cyberattacks and patient care, including legal liabilities. Still, he said such discussions are necessary to learn from previous attacks and apply those lessons to protect patients.

“When a cyberattack happens, most hospitals don’t want to talk about it," Dameff said. "I’d love to change that dynamic."