Slothful Sabotage: Analyzing the Impact of Ransomware on Hospital Systems

Cyberattacks have the ability to bring entire hospital systems to a complete halt, leading to potentially devastating financial and medical consequences.¹ Since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, nearly all healthcare providers now solely use electronic health records (EHRs) to collate information from various entities such as the pharmacy, laboratory, radiology, and billing.¹ This reliance on technology for essentially every aspect of delivering medical care, however, leaves hospital systems vulnerable to periods of time when digital information becomes inaccessible (“digital downtime”). Since 2019, the FBI and INTERPOL have publicly vocalized this increasing threat to United States hospital systems.^3,4 During a digital downtime, healthcare providers face a number of issues preventing them from providing typical care to patients. Three critical barriers stemming from cyberattacks include the inability to access EHRs, communication failures, and procedural delays. Doctors may be unable to access a patient’s history, medications, or allergies and may be unable to communicate with other members of the patient care team including nurses, pharmacy, laboratory, and radiology.

This major decrease in hospital efficiency causes a unique type of surge crisis, resulting in reduced capacity. A surge crisis is typically defined as a sudden, unexpected increase in patient volume or a sudden decrease in the ability to take care of patients. Capacity may be defined as the ability to accommodate a given demand as determined by availability of resources.⁵ However, various definitions exist for both terms and there is no formal agreement regarding a specific trigger that may distinguish a situation from being a normal influx of patient care demands versus being a true surge crisis.⁶ Four resource variables that are essential to under-standing, measuring, and managing capacity during a surge crisis are Space, Staff, Supplies, and Special/Systems.^6,7 An incident does not need to overwhelm all four resource variables to be considered a surge crisis. Additionally, what may overwhelm one hospital may be very different from that which may overwhelm another (e.g. a Level 1 Trauma Center versus a Critical Access Hospital).

When planning for a surge crisis, it is beneficial to delineate the organization’s capacity into several categories along the same continuum to allow for a staged response relative to the severity of the situation. The stages of this capacity continuum are conventional capacity (providing usual care up to the maximum ability), contingency capacity (requiring additional resources to provide functionally equivalent care), and crisis capacity (no longer able to provide functionally equivalent care despite utilizing additional resources).⁷ Disasters typically lead to an increased number of patients showing up to medical facilities, which rapidly depletes space, supplies, and overwhelms staff. Surge crises stemming from digital downtime are unique, however, in that they do not typically lead to an increase in the number of patients or a depletion of medical supplies. Instead, systems and staff become less efficient due to a loss of technology despite availability of space and supplies.

The increasing number and severity of cyberattacks planned during the COVID-19 pandemic, a time when hospital systems are already vulnerable and operating at maximum capacity, demonstrates the persistent and malicious nature of such attacks and suggests that ransomware will continue to be a prominent threat in the future.⁸ It is imperative that hospitals recognize the potential threats and mitigate these risks by establishing clear and concise protocols for downtime operations in the form of emergency response plans. Ensuring there are both immediate and extended response plans as well as ensuring all staff members are trained will drastically reduce the potential for disaster and ensure that patient safety is above all protected and maintained.

References

1. Raphel, Kristin. Recommendations to Improve Effectiveness and Response During Digital Downtimes Stemming from Ransomware Attacks. 2022. Unpublished. EMSE 6325
2. Chen PH, Bodak R, Gandhi NS. Ransomware Recovery and Imaging Operations: Lessons Learned and Planning Considerations. J Digit Imaging. 2021;34(3):731-740. doi:10.1007/s10278-021-00466-x
3. Bischoff P, TECH WRITER PAAVE. Ransomware attacks on US healthcare organizations cost $20.8bn in 2020. Published February 11, 2020. Accessed July 10, 2021. https://www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/
4. HIPAA Journal. Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion. Published March 11, 2021. Accessed July 10, 2021.
5. McCabe R, Schmit N, Christen P, D'Aeth JC, Løchen A, Rizmie D, Nayagam S, Miraldo M, Aylin P, Bottle A, Perez-Guzman PN, Ghani AC, Ferguson NM, White PJ, Hauck K. Adapting hospital capacity to meet changing demands during the COVID-19 pandemic. BMC Med. 2020 Oct 16;18(1):329. doi: 10.1186/s12916-020-01781-w. PMID: 33066777; PMCID: PMC7565725.
6. Hick JL, Barbera JA, Kelen GD. Refining surge capacity: conventional, contingency, and crisis capacity. Disaster Med Public Health Prep. 2009 Jun;3(2 Suppl):S59-67. doi: 10.1097/DMP.0b013e31819f1ae2. PMID: 19349869.
7. Hick JL, Hanfling D, Cantrill SV. Allocating scarce resources in dis-asters: emergency department principles. Ann Emerg Med. 2012 Mar;59(3):177-87. doi: 10.1016/j.annemergmed.2011.06.012. Epub 2011 Aug 19. PMID: 21855170. 
8. Murthy V, Kijewski M. The State of Medical Device Cybersecurity. INFRAGARD; 2019:30. https://www.infragardnational.org/wp-content/uploads/2019/07/InfraGard_Proofs_June_2019_ER.pdf#page=32.