In late October 2020, the University of Vermont Health Network was hit by a ransomware attack. The system couldn’t access electronic health records for nearly a month. Every computer at UVM Medical Center was infected with malware. Hospitals in the network delayed chemotherapy and mammogram appointments, just as COVID-19 cases in the United States started to tick upward in what would become an enormous winter wave.
Intuitively, cyberattacks on hospitals seem like they’d be dangerous for patients. Shutting down computer systems shuts off access to patient scans, can lock physicians out of tools they need to provide care, and creates backlogs in the operating systems. But despite years of attacks, there’s very little data on whether those disruptions actually caused harm.
The specific circumstances of the COVID-19 pandemic, though, gave experts an opening to see what the UVM attack meant for patient care. Because hospital systems were already strained caring for COVID-19 patients, any additional stressors — like a ransomware attack — could be seen more clearly. So, when a team at the United States’ Cybersecurity and Infrastructure Security Agency (CISA) scrutinized the data, they were able to show that patients did worse in hospitals navigating a cyberattack than in hospitals that didn’t.
The findings, which are still unpublished, should help push back on any groups hesitant to say that cyberattacks are dangerous for patients, says Josh Corman, a senior adviser to CISA, the federal agency that advises on government and private sector cybersecurity issues. “We should stop pretending that there is no harm to human life from cyber attacks,” he says.
Data in the field is so thin that experts turn to marathons to make the argument that cyberattacks will harm patients. They often point to one particular bit of research: a 2017 paper in the New England Journal of Medicine that looked at emergency care during marathons in the United States. The study found people who had heart attacks during a marathon were at higher risk of death within a month than people who had heart attacks on other days, likely because it took longer for them to get the care they needed.
It’s not a perfect analogy, but like marathons (which close roads and cause delays for ambulances), ransomware attacks can force hospitals to divert ambulances or delay treatments. It’s one of the clearer pieces of evidence available. It has been hard to get a good picture of the same phenomenon during ransomware attacks because the numbers tend to be so small, says Mark Jarrett, chief quality officer at Northwell Health in New York. “You really need an approach that looks at data across the country, so you can get a large enough denominator that you’ll be able to get a numerator that really means something,” he says.
Hospitals also tend to be tight-lipped about ransomware attacks. They sometimes go days before announcing that systems are down because of a cyberattack, and often don’t share many details about the impact an attack is actually having on day-to-day operations. It would likely be a challenge to convince an organization to agree to any investigation into the impact of an attack on its patient care, says Sung Choi, assistant professor at the University of Central Florida department of health management and informatics who studies healthcare cybersecurity.
“They’re very careful about releasing data on mortality, because that links directly to the reputation of the hospital,” he says.
There hasn’t even been a close analysis of the potential health harms from the 2017 WannaCry cyberattack, which downed computers across the United Kingdom’s National Health Service and threw the system into chaos, Corman says. Just looking at stroke patients should give a sense of what the harm might have been, he says — if people having a stroke don’t make it to a health facility that can handle the emergency quickly, they’re more likely to have a bad outcome. During a few days of the WannaCry attack, there were no stroke centers open in London. “The official line is that no one died. It strains credulity,” he says. “There’s such a palpable, visceral reluctance to admit that we’ve lost lives because of cybersecurity.”
Connecting the dots
The pandemic gave Corman and his team at CISA an opening to get a clearer picture of the harm caused by ransomware attacks. The work started with its analysis of excess death during the pandemic. Excess deaths, which count the number of deaths above normal during a given time of the year, help outline the true toll of an event like a COVID-19 outbreak — it helps show COVID-19 deaths that may have not been counted in the official toll, and how many people may have died because of disruptions in their care during the chaos of the pandemic.
The team was interested in trying to figure out ways to predict when there might be excess deaths regionally or nationally. Normally, when hospitals get overburdened because of a local emergency, they’re able to divert ambulances, reschedule surgeries, and lean on the other healthcare resources in the community. There’s slack in the system to make that possible. Eventually, they might reach a point where they can’t provide adequate care to the people they’re treating, but it would take a long time to get there.
But during COVID-19 outbreaks, every hospital was under stress. “No one could absorb anything,” Corman says. “Regions could shift through this more quickly.” They’d reach a point where there were too many patients to handle faster than normal.
In their analysis, the CISA team figured out that once an area had a certain percentage of intensive care unit beds filled, it was more likely to start to see excess deaths two, four, and six weeks later. It was an inflection point — a strong indicator that the area was approaching a capacity issue that would tip over into higher death rates, Corman says.
With that metric in mind, the CISA team looked at the excess death data in the state of Vermont during the UVM ransomware attack. “It was a natural experiment in the state,” Corman says. They found that during the same time period, with the pandemic going on in the background, hospitals affected by the ransomware attack reached that inflection point earlier than unaffected hospitals and remained there longer. “You’re reaching that danger zone where you’re going to see excess deaths two, four, and six weeks later more quickly,” he says. “Water is wet, fire is hot, and we can now tell that cyber disruption introduces degraded or delayed patient care.”
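The framework Corman describes (an ICU-occupancy inflection point, excess deaths two, four and six weeks later, and affected versus unaffected hospitals compared on when they cross it and how long they stay above it) sketched as an added, constructed illustration; this is not CISA's code or data, and the 80 percent threshold, the baseline and the weekly series are assumptions, since the article gives none of those numbers.

```python
# Added illustration of the analysis framework described in the article; not
# CISA's code or data. Threshold, baseline and weekly series are constructed.
ICU_THRESHOLD = 0.80          # assumed; the article only says "a certain percentage"
LAGS_WEEKS = (2, 4, 6)        # lags at which the article says excess deaths followed
BASELINE_WEEKLY_DEATHS = 100  # constructed expected deaths for a normal week

def excess_deaths(observed):
    """Deaths above the expected baseline for each week (may be negative)."""
    return [d - BASELINE_WEEKLY_DEATHS for d in observed]

def weeks_above_threshold(icu_occupancy, threshold=ICU_THRESHOLD):
    """(first week index at/above threshold, number of such weeks), or (None, 0)."""
    above = [i for i, frac in enumerate(icu_occupancy) if frac >= threshold]
    return (above[0], len(above)) if above else (None, 0)

def lagged_excess(excess, inflection_week, lags=LAGS_WEEKS):
    """Excess deaths observed `lag` weeks after the inflection week, per lag.
    Empty if the threshold was never crossed or the series is too short."""
    if inflection_week is None:
        return {}
    return {lag: excess[inflection_week + lag]
            for lag in lags if inflection_week + lag < len(excess)}

def compare(affected, unaffected):
    """Did the affected region cross the inflection point earlier and stay
    above it longer, and what did excess deaths look like at each lag?"""
    a_first, a_len = weeks_above_threshold(affected["icu"])
    u_first, u_len = weeks_above_threshold(unaffected["icu"])
    return {
        "affected_first": a_first, "unaffected_first": u_first,
        "affected_weeks_above": a_len, "unaffected_weeks_above": u_len,
        "affected_lagged": lagged_excess(excess_deaths(affected["deaths"]), a_first),
        "unaffected_lagged": lagged_excess(excess_deaths(unaffected["deaths"]), u_first),
    }

# Constructed 12-week series (week 0 = attack week); not real Vermont numbers.
AFFECTED = {"icu": [0.62, 0.71, 0.83, 0.88, 0.91, 0.90, 0.86, 0.84, 0.79, 0.74, 0.70, 0.66],
            "deaths": [101, 99, 104, 103, 112, 108, 119, 115, 121, 110, 104, 100]}
UNAFFECTED = {"icu": [0.60, 0.65, 0.70, 0.76, 0.82, 0.85, 0.84, 0.78, 0.73, 0.69, 0.66, 0.63],
              "deaths": [100, 98, 101, 102, 103, 105, 109, 107, 111, 104, 102, 99]}

if __name__ == "__main__":
    for key, value in compare(AFFECTED, UNAFFECTED).items():
        print(f"{key}: {value}")
```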
Data scientists working on the project also think Vermont was the best-case scenario, Corman says — in other states with poorer overall health, the effect might be more dramatic.
The UVM Medical Center did not respond to a request for comment.
The pandemic created an environment where the CISA team was able to see the impact of ransomware more easily — excess deaths were already so high that the trends and patterns were easy to pick out. The same patterns, though, likely hold true outside of the pandemic, Corman says. A ransomware attack puts stress on a hospital system, delaying care, which could lead to bad outcomes. The impact may be less dramatic when there isn’t another emergency, but experts could use the same framework to scrutinize ransomware attacks at any time.
The CISA analysis is still ongoing and circulating through the federal government, and Corman isn’t sure when the final conclusions will be published. But having a quantitative picture of how ransomware affects patient health could help spur organizations dragging their heels on cybersecurity into action, Northwell Health’s Jarrett says. “Patient safety should always be driven by data, so having the data will make a big difference.”
Data from CISA could be a good first step. Jarrett hopes there could also be analysis of harm to patients who don’t necessarily die, but who have worse health outcomes because of delays in their care. “Not everyone dies, thankfully,” he says. But a heart attack patient who isn’t seen quickly enough could have permanent damage. “Your health going forward is not going to be the same level.”
Any hospital facing down a ransomware attack should do their own analysis of what went wrong and what the implications were for patients, Jarrett says. “Clinicians in general tend to think of this as an information technology issue, and it really isn’t. It’s a patient safety issue.”