‘A regional disaster’: Cyberattacks on health care facilities have ripple effects, study says

by Ines Kagubare - 06/28/23 2:36 PM ET

In this photo provided by Duke Health, surgeons Dr. Jacob Schroder, left, and Dr. Zachary Fitch perform a heart transplant at Duke University Hospital in Durham, N.C., in October 2022. Most transplanted hearts are from donors who are brain dead, but research published by Duke Health on Wednesday, June 7, 2023, shows a different approach can be just as successful and boost the number of available organs. It's called donation after circulatory death, a method long used to recover kidneys and other organs but not more fragile hearts. (Shawn Rocco/Duke Health via AP) — In this photo provided by Duke Health, surgeons Dr. Jacob Schroder, left, and Dr. Zachary Fitch perform a heart transplant at Duke University Hospital in Durham, N.C., in October 2022. Most transplanted hearts are from donors who are brain dead, but research published by Duke Health on Wednesday, June 7, 2023, shows a different approach can be just as successful and boost the number of available organs. It’s called donation after circulatory death, a method long used to recover kidneys and other organs but not more fragile hearts. (Shawn Rocco/Duke Health via AP)

Cyberattacks that target one hospital could also have ripple effects and indirectly impact nearby health care facilities, according to a recent study published in the Journal of the American Medical Association.

The study found that hospitals near a health care facility that was impacted by a ransomware attack may experience an influx of patients and lack resources that could affect time-sensitive matters.

Other disruptions may include an increase in ambulance arrivals, waiting room times, patients left without being seen and patient length of stay.

The authors of the study concluded that the hospital disruptions tied to a cyberattack “should be considered a regional disaster.”

“This study suggests that health care cyberattacks such as ransomware are associated with greater disruptions to regional hospitals and should be treated as disasters, necessitating coordinated planning and response efforts,” the authors said.

Signs are posted on the Exterior of Auckland City Hospital, May 13, 2017. New Zealand, Thursday, June 22, 2023, has been debating a thorny healthcare issue — whether ethnicity should be considered in deciding when patients get surgery. (Doug Sherring/New Zealand Herald via AP) — Signs are posted on the Exterior of Auckland City Hospital in 2017 in New Zealand. (Doug Sherring/New Zealand Herald via AP)

The rise of health care cyberattacks

Ransomware attacks targeting the health care sector have increased in frequency and sophistication over the past decade, the study found, including during the COVID-19 pandemic when “serious ransomware infections loaded additional stress on [Health Delivery Organizations].”

Congress has also been sounding the alarm over the increase in cyberthreats targeting the health care sector.

Over the past year, lawmakers have introduced policies, legislation and recommendations aimed at targeting and mitigating the impact of cyberattacks in the healthcare industry.

“The American public has witnessed increasingly brazen and disruptive attacks on its health care sector that jeopardize sensitive personal information, delay treatment, and ultimately lead to increased suffering and death,” Sen. Mark Warner (D-Va.), chairman of the Senate Intelligence Committee, noted in a report published last fall.

In the report, Warner recommended that the federal government improve the country’s cybersecurity risk prevention in the health care sector, help the private sector mitigate cyberthreats and assist health care providers in responding to and recovering from cyberattacks.

Sens. Jacky Rosen (D-Nev.) and Bill Cassidy (R-La.) introduced a bill last year that would require the Cybersecurity and Infrastructure Security Agency to collaborate with the Department of Health and Human Services and improve cybersecurity standards in the health care and public health sectors.

The health care sector has been particularly vulnerable to ransomware attacks because it stores sensitive data and handles patients’ safety and health, experts previously told The Hill.