Tue | Jun 11, 2024 | 12:28 PM PDT

You probably already know that ransomware is a type of malicious software that encrypts a victim's data, demanding a ransom to restore access. It's a problem that's getting worse all the time, and its impact on healthcare is particularly concerning.

Aside from the inconvenience created for everyone present when hospital systems go offline, the question we need to ask is whether ransomware can actually kill sick people. This might sound grim, but it's an important topic.

Just consider a recent cyberattack on Anna Jaques Hospital in Massachusetts. On Christmas Eve 2023, their electronic health records were knocked offline, forcing them to turn away ambulances. This isn't the first time something like this has happened. In 2020, a patient in Düsseldorf, Germany, died during an ambulance diversion caused by a ransomware attack against the local university hospital.

And, a ransomware-related death in the United States recently went to court.

A baby, Nicko Silar, was born in July 2019 at Springhill Memorial Hospital in Alabama, which was struggling with a ransomware attack at the time.

According to the lawsuit, the hospital's computer systems were offline due to the ransomware attack. Medical staff couldn't access patient records or vital signs monitoring equipment. The baby's mother claimed that the hospital failed to alert her about the cyberattack and the attackers' demand for a ransom payment.

As a result of the attack, medical staff failed to notice that the baby's umbilical cord was wrapped around her neck, leading to a severe brain injury. The baby died nine months later due to the injury.

From the court filings, it's clear that health records at the hospital were inaccessible. A wireless tracking system for locating medical staff was offline. And, in the maternity ward, medical staff were unable to use the fetal heart monitors. That data is normally tracked on a large screen at the nurses' station and in the delivery room. Those monitors should have told the medical staff the baby was in a life-threatening situation.

In a text message conversation submitted to court as evidence, the attending doctor, Katelyn Parnell, told the nurse manager that she would have delivered Nicko via caesarean section if she had been able to see the heartbeat monitor's readout.

"I need u to help me understand why I was not notified," Parnell texted. Later, Parnell texted "This was preventable."

The lawsuit says that the hospital's negligence and failure to provide adequate care contributed to the baby's death. The hospital has denied any responsibility. The case has since been settled out of court for an undisclosed dollar amount.

But anecdotes aren't enough. We need solid data. Ideally, that data would come from high-quality research. Then we'd know if ransomware attacks on hospitals lead to patient deaths.

That's where the University of Minnesota's School of Public Health comes in. They did a study called "Trends in Ransomware Attacks on US Hospitals, Clinics, and Other Health Care Delivery Organizations, 2016-2021." In the study, they linked ransomware attacks on hospitals with Medicare claims data, which allowed them to see what happened to patients during these attacks.

Results of the study were published in the Journal of the American Medical Association (JAMA) Health Forum in December 2022.

But first, researchers documented that between 2016 and 2021:

  • There were 374 instances of ransomware attacks on healthcare delivery organizations that exposed the personal health information of nearly 42 million individuals.
  • Ransomware attacks more than doubled on an annual basis, from 43 to 91 per year.
  • The number of individuals whose personal health information was exposed increased from approximately 1.3 million in 2016 to more than 16.5 million in 2021.
  • Disruptions in care for patients as a result of ransomware incidents occurred in 166, or 44%, of attacks.
  • Among healthcare delivery facilities, clinics were the most frequent targets of ransomware attacks, followed by hospitals, ambulatory surgical centers, mental/behavioral health facilities, dental practices, and post-acute care organizations.

As to our question—does ransomware kill sick people?—here's what they found with respect to the overall impact on the hospital:

  1. Patient volume drops
    During the first week of a ransomware attack, hospitals see a 20% drop in patient volume. Emergency rooms see a 40% drop in revenue.

  2. Care quality suffers
    Without electronic health records, care teams might not know what medications patients are on or what they're allergic to. Imaging and testing services are often unavailable.

  3. Delayed treatment
    Lab results have to be hand-delivered, delaying treatment. Nurses can't monitor patients remotely, which can lead to missed critical changes in patient conditions.

  4. Ambulance diversions
    Hospitals activate ambulance diversion protocols, meaning patients with time-sensitive conditions like heart attacks and strokes spend precious time traveling to other facilities.

The most shocking finding? Ransomware attacks increase hospital mortality rates.

Normally, about three out of every 100 hospitalized Medicare patients die. During a ransomware attack, that number goes up to four out of 100. From 2016 to 2021, ransomware attacks killed between 42 and 67 Medicare patients.

And remember, this is just Medicare data. The true number of deaths is likely higher when you consider all patients.

The research doesn't stop at mortality. It also highlights the morbidity effects—how delays in care make existing conditions worse. Patients might recover more slowly or not fully recover at all. This adds to human suffering and increases healthcare costs.

So, what can be done?

In an attempt to better care for patients during a ransomware attack, some hospitals are creating specific incident response protocols to boost patient safety during cyber crises. For example, Children's National Hospital in Washington, DC, has a "Code Dark" for cyberattacks. The DARK in Code Dark stands for:

  • Disconnect your workstation and internet-connected devices.
  • Await instructions from your IT department before reconnecting computers.
  • Report to your managers for department-specific downtime actions.
  • Know and follow your department's emergency policies and procedures.

While these steps are good, they can't replace a robust capacity to protect medical assets and detect intrusions before they develop into widespread loss of control over clinical technology. In other words, we need to do everything we can to prevent these attacks in the first place. And if we can't prevent the attack, we need to be able to respond and recover quickly while limiting the damage.

This research shows that ransomware isn't just an IT issue; it's a public health issue. We need to manage the risk of ransomware to human life like we would any other serious, preventable illness.