Almost a quarter of healthcare organizations that were hit with a ransomware attack in the last two years said they had increases in patient death rates in the aftermath, according to a new report sponsored by cybersecurity company Censinet. The finding adds to a growing pile of data showing that cyberattacks aren’t just causing financial or logistical problems — they could be major health risks, as well.
“There’s enough impact from ransomware on patient care that it’s undeniable,” says Ed Gaudet, CEO and founder at Censinet. “We should not be afraid to look at this data, and to keep pushing on this question.”
The analysis, conducted by a research institute called the Ponemon Institute, collected survey responses from nearly 600 healthcare organizations across the United States ranging from regional health systems to medical device manufacturers. Just over 40 percent said that they had a ransomware attack in the last two years — cyberattacks that freeze up computer systems and demand payment to unlock them. Those attacks disrupted the facilities’ ability to care for patients. Around 70 percent of the groups facing ransomware attacks said that those disruptions led to longer hospital stays for patients and delayed tests or procedures. In addition, 36 percent said that they saw more complications from medical procedures, and 22 percent said they had increased death rates.
Those numbers come with some big caveats: they’re from a relatively small subset of healthcare organizations, and there’s no double-check on what the organizations reported. The survey didn’t ask organizations why or how they came to those conclusions — they didn’t say how they measured changes in death rates, for example. Without more details about those methods, it’s important to interpret the findings cautiously, Gaudet says. It’s probably too soon to say confidently that ransomware directly caused bad outcomes at those frequencies. “We have to be careful as an industry not to overreact,” he says. But it’s still something the industry should pay attention to and care about. “Even if it’s just one percent or half a percent, we should care about this data.”
Overall, over half of the healthcare groups responding to the survey said that they weren’t confident their organizations could handle the risks of ransomware attacks.
People working in healthcare have historically been reluctant to say ransomware harms patients. There have been very few efforts to quantify the relationship between cyberattacks and patient health, and hospitals tend to be reluctant to share much information about their experiences because of potential impacts on the hospital’s reputation. “I think as an industry, this is a question we almost don’t want to know the answer to,” Gaudet says. “Because if it’s true, then man, we really have our work cut out for us.”
Cyberattacks on healthcare facilities have increased over the past year, which brings new urgency to the question. And there have been recent pushes to take closer looks at the issue: one new analysis by the United States’ Cybersecurity and Infrastructure Security Agency (CISA), for example, showed hospitals in Vermont affected by ransomware attacks during the COVID-19 pandemic reached capacity levels linked with excess deaths more quickly than hospitals not dealing with cyberattacks.
“I think this is reaching a level of criticality that is getting the attention of CEOs and board rooms,” Gaudet says. “Data like this is going to start factoring into how people think about areas of focus and investment. If ransomware is truly becoming a patient safety issue, they’re going to have to address it.”
Correction September 28th, 3:10PM ET: The original piece characterized CISA’s research as identifying excess deaths in Vermont. The research identified metrics correlated with excess deaths. We regret the error.