A recent study found the greater disruptions at nearby facilities grave enough to consider hospital ransomware attacks a "regional disaster," and the number of attacks are on track to increase in 2023, NPR reported June 25.
UC San Diego Health researchers analyzed an academic emergency room at a Scripps Health facility that fell victim to a month-long ransomware event in May 2021, as well as one located close by at a UC San Diego hospital, comparing the four-week time periods before, during and after the attack. Both ERs are in San Diego County.
They discovered that the UC San Diego ER had significant increases during the cyberattack in daily census, emergency medical services arrivals, patients leaving without being seen or against medical advice, median wait times, ER lengths of stay, stroke code activations, and confirmed strokes. The study was published May 8 in JAMA Network Open.
In the weeks following the breach, the number of patients waiting in the UC San Diego ER increased by 600, and the number of patients leaving without being seen increased by more than twice the normal amount, NPR reported. Additionally, there were more than twice as many confirmed strokes and almost twice as many emergency stroke code activations, according to the team of researchers at UCSD.
The number of hospital attacks had decreased in 2022 but are now on track to increase in 2023, in part due to an increased online availability of hacking tools to smaller groups, Allan Liska, a ransomware expert at the cybersecurity firm Recorded Future, told NPR.
Jeff Tully, MD, a co-author of the study and assistant clinical professor at UC San Diego, said there needs to be more data made available, so health systems within a region can begin conversations surrounding coordinated emergency response protocols to hospital cyberattacks, in the same way they exist for natural disasters or other major emergencies. MITRE, a nonprofit that conducts various research for the U.S. government, told NPR they are engaged in research to understand the interconnectedness of infrastructure systems to avoid another regional disaster like in San Diego.
Patient advocacy groups are also making sure that patients are part of the cybersecurity conversation, NPR reported. Andrea Downing, who runs a patient information security advocacy group, said physicians should be informing patients of cybersecurity risks before treatment, not after a security incident.