Understanding the ‘blast radius’ of cyberattacks of hospitals | HIMSS 2024

Even hospitals that aren’t the targets of a cyberattack can suffer the ramifications.

Christian Dameff, left, and Jeff Tully, co-directors of the Center for Healthcare Cybersecurity at University of California San Diego Health, speak at the HIMSS Global Health Conference & Exhibition.

Christian Dameff and Jeff Tully, co-directors of the Center for Healthcare Cybersecurity at University of California San Diego Health, offered a sobering look at the wide-ranging implications of a cyberattack during a discussion at the HIMSS Global Health Conference & Exhibition Monday.

They talked about the “blast radius” of an attack in San Diego County, which was published on Jama Network Open last spring.

Scripps Health suffered a ransomware attack in 2021 that garnered national attention. Dameff, Tully and other researchers took a closer look at the ripple effects of the Scripps’ cyberattack on other hospitals in San Diego County that weren’t breached.

Other nearby hospitals in San Diego ended up with packed emergency departments, said Dameff, an emergency physician.

“We saw far more patients than we normally do,” Dameff said. “We were flooded. We were inundated with patients.”

• Read more: Change Healthcare cyberattack: UnitedHealth offers timeline, providers say financial woes continue

The other hospitals in San Diego County weren’t victims of the cyberattack, but they ended up seeing more ambulance visits, and patients had longer wait times in the emergency department, Dameff said. And there was an increase in patients leaving without treatment.

“We had more patients left without being seen, never get seen by a doctor,” Dameff said. “That's dangerous, right? You thought there was an emergency, you come to our emergency department. And it was too long of a wait, so you left.”

• Read more: Change Healthcare cyberattack called ‘most significant’ in U.S. history

The other San Diego hospitals also treated more stroke patients during the ransomware attack, their study found. In the four weeks before the attack, they treated 60 stroke patients, but due to transfers during the ransomware attack, the other hospitals treated 103 stroke patients in four weeks.

“People don't stop having strokes just because of a ransomware attack,” Dameff said. “Those patients came to us because we were on diversion.”

Dameff said there was no compromise of care even with the influx of stroke patients, but he added, “I've never seen our stroke teams more thinly stretched.”

• Read more: More than 100 million Americans affected by healthcare cyberattacks in 2023

Dameff also highlighted the lengthy stretch when hospitals that were hit by the ransomware attack diverted ambulances to other facilities. At the peak day, San Diego tallied more than190 cumulative hours of diversion to other hospitals, the researchers found.

“To put that in context, that is the most amount of diversion that San Diego County has ever seen in its history,” Dameff said. “More than COVID, more than any other wildfire disaster, anything in the history of San Diego County. This ransomware attack put more hospitals on diversion longer than any other event in San Diego history.”

Even with those findings, Dameff and Tully note that there’s scant research on the impact of cyberattacks on hospitals and on patient care. Tully likened the current state of cybersecurity healthcare research to earlier days in medicine, when leeches and mercury were considered effective treatments.

“We're in the bloodletting days of healthcare cybersecurity,” Tully said.

They outlined some of the difficulties in studying cybersecurity. Other researchers are leery of openly sharing about events that are costly and the subject of litigation, as well as damaging to their reputation.

“The biggest thing we see is the fact that ransomware attacks on healthcare organizations are by their nature now very embarrassing,” Dameff said. “They carry with them a ton of legal liability for the hospitals.”

There’s also a practical problem to studying cyberattacks in healthcare. Patient records are typically stored in electronic medical records, which are compromised in cyberattacks.

“When you think about it like that, that's kind of a perfect storm for us not to have a lot of detail on this,” Dameff said.

Tully said the researchers hope to gather more insights from the examination of the “blast radius” of cyberattacks.

“There are signs out there if you know where to look for them, that a network outage is affecting a hospital,” Tully said. “And if we have access to those signs, and if we didn't rely on a hospital giving them to us and we’re able to sort of passively obtain them, we might be able to spot these types of incidents a little sooner.”

Plus, it could also help other hospitals respond to a cyberattack, he added.

“We need to be able to understand what's happening at one hospital in order to plan for the aftershock and the other institutions,” Tully said.

While Dameff noted the significant impact of a ransomware attack in San Diego County, he warned that such an attack on a rural hospital could be devastating, if that was the only acute care facility in a given region.

Dameff and Tully concluded by urging those in attendance to help add to the limited body of cybersecurity research in healthcare.

“It's really hard to study this stuff,” Dameff said. “We need your help. You want to contribute to this, help one another.”