Ransomware attacks on healthcare organizations have cost the U.S. economy nearly $80 billion in downtime. There's another expense that doesn't come with a price tag: The sense of stress and helplessness outages cause.
As more details emerge about the operational effects of dayslong downtime by Change Healthcare after a cyberattack in February, the psychological effects of this ransomware incident and others like it are intensifying and increasingly worth noting. As numerous parts of the healthcare ecosystem are affected, each one turns to another for answers, but with limited results.
Change, part of UnitedHealth Group, is both a revenue cycle management services provider that handles 15 billion transactions per year and the nation's largest commercial prescription processor. The company disconnected its systems Feb. 22 after detecting an outside threat, disrupting health systems, hospitals and pharmacies nationwide and all military pharmacies worldwide.
Change confirmed Feb. 29 that it was hacked by a ransomware gang after the group claimed to have stolen massive amounts of data. BlackCat, a specific ransomware-as-a-service group, has claimed responsibility for the attack.
"My boss seems to think I can call someone to fix this," a Reddit user wrote about the Change Healthcare cyberattack on Feb. 28, the one-week mark since the incident was reported.
"Sure, just hop on the phone with Blackcat and tell them they're very naughty and they need to stop now," another user responded to the initial post.
The exchange carries on, with healthcare professionals swapping notes about their shared human experience of not knowing who to call or which entity is responsible for what solutions when a ransomware attack disables entire systems at a time. Nearly every stakeholder of the healthcare ecosystem is represented in these forums, many admitting their lack of answers or direction.
At least one healthcare association was quick to step in and redirect blame that might be misdirected as patients and personnel experienced delays or outages in routine healthcare tasks, like prescription refills. By Feb. 23, the American Pharmacists Association made a point to request forbearance from the public toward pharmacists.
"What we ask of you is patience — pharmacists are working overtime to continue their work, to treat patients, and to do this in as timely a fashion as possible," the association said. "We know this is a frustrating time for patients. It's also a challenging and frustrating time for pharmacists, as well, because anything that compromises their ability to provide care will always prove frustrating."
Other workers in various parts of the healthcare ecosystem made similar requests to their peers, albeit in forums less formal than news releases.
"As an EMR software specialist, just be nice if you call us. We get it. We too are frustrated," a Reddit user wrote Feb. 28. "I can't tell you how many people have called me and demanded we fix this and I can't seem to explain hard enough that this one is actually out of our control."
Helplessness or loss of control, especially at a collective level, can be psychologically and emotionally taxing. Recognizing a threat but not knowing what to do about it can increase one's stress, anxiety and fear. The lack of a known end point of a cyberattack like Change is experiencing can intensify psychological distress. Some independent therapists, for instance, have noted they have halted their insurance billing for a week due to the downtime and expressed fear about going longer without income.
These mental effects, while lesser-discussed, are exactly what cyberthreats intend to bring on. Cyberterrorists want to create mental and physical harm, and research has found that the psychological effects of cyber threats can rival those of traditional terrorism.
A 2016 study in the Bulletin of the Atomic Scientists compared stress responses to forms of terrorism to find that cyberterrorism — even incidents not causing people to suffer physical harm — elicits similar levels of panic, stress and insecurity. "One need not suffer direct harm to be terrorized; it is enough that one fear direct harm to suffer the ravages of contemporary terrorism, whether cyber terrorism or conventional terrorism," the authors concluded.
Change said it is working with cybersecurity firms and law enforcement to address the cyberattack. The BlackCat hacker gang has focused on healthcare since December, after the FBI infiltrated its operations.