Cyberattacks of hospitals lead to busier emergency departments elsewhere

When hospitals and health systems suffer ransomware attacks, the impact isn’t limited to the organization suffering the breach, cybersecurity experts say.

A new study offers more insight into how other cyberattacks at hospitals can affect patient care at nearby hospitals that weren't attacked.

Now, researchers have published a new study demonstrating the ripple effects of cyberattacks on hospitals.

Researchers have found that hospitals see fewer patients in the weeks after a cyberattack. But even hospitals that aren’t attacked by ransomware groups can pay a price, as they see busier emergency rooms because a nearby provider has been breached. Researchers published their findings in a short paper in JAMA May 29.

The findings come as the Ascension health system continues to recover from a ransomware attack discovered earlier this month. Some Ascension hospitals have diverted ambulances to other facilities to ensure they get proper care. This week, Ascension said on its website that some hospitals in Indiana and Tennessee were still diverting some emergency patients.

• Read more: Healthcare lags other sectors in cybersecurity

In their newly published study, researchers Rahi Abouk of William Paterson University and David Powell of RAND looked at cyberattacks of California hospitals between 2014 and 2020 and their impact on hospitals that weren’t breached.

They examined eight ransomware attacks that led to disruptions in 15 hospitals. They also looked at emergency department activity in nearby hospitals that weren’t attacked.

Among the hospitals that weren’t attacked, researchers found increases in emergency department visits up to four weeks after the incident. While emergency departments were busier, the researchers wrote, “No statistically significant changes were observed in inpatient admissions in nearby hospitals.”

• Read more: Cybersecurity and hospitals: Big risks come from third parties

The hospitals that were attacked saw fewer patients in the days and weeks after the breach. In the first week after the attack, emergency department visits and inpatient admissions both fell by a little more than 8%. Two weeks after the attack, those hospitals saw emergency department visits and inpatient admissions drop by more than 16%.

It took eight weeks for the decreases in admissions and emergency department visits to bounce back to pre-attack levels, according to the study.

"This study found a temporary decrease in ED visits and inpatient admissions in hospitals targeted by ransomware attacks and a temporary increase in ED visits in unattacked nearby hospitals in California, suggesting that the consequences of such attacks are broader than the targeted hospitals," the researchers wrote.

The new study comes about a year after the publication of research examining the impact of the costly Scripps Health ransomware attack in 2021, and the ripple effect on nearby hospitals. Researchers found significant increases in traffic to the emergency department of adjacent hospitals that weren’t attacked, and they also saw more patients leaving the emergency department without being seen.

Christian Dameff and Jeff Tully, co-directors of the Center for Healthcare Cybersecurity at University of California San Diego Health, talked about their research and the “blast radius” of cyberattacks at the HIMSS Global Health Conference & Exhibition in March.

“We saw far more patients than we normally do,” Dameff, an emergency physician, said at the conference. “We were flooded. We were inundated with patients.”

Researchers also found more stroke patients were transferred from Scripps to other facilities.

“People don't stop having strokes just because of a ransomware attack,” Dameff said. “Those patients came to us.”

Even as they reviewed their sobering findings, Dameff and Tully lamented the lack of research on the impact of cyberattacks on hospitals and on patient care. “We're in the bloodletting days of healthcare cybersecurity,” Tully said.

It’s not hard to fathom why there hasn’t been much research. Healthcare organizations are leery of talking about the impact on patients from ransomware attacks. And as Dameff and Tully noted, cyberattacks often knock electronic health records offline, adding another hurdle to research.

At the HIMSS conference, Dameff and Tully implored a packed conference room to add to the knowledge base of research on cybersecurity and the impact on hospitals and patients.

The new study published this week offers more data and insights on cyberattacks and the potential to disrupt care, impacting other hospitals and providers that weren’t attacked.

Hospitals and the healthcare industry are aiming to draw greater attention to cyberattacks as a threat to patient safety. ECRI, a nonprofit organization focused on patient safety, identified ransomware attacks on hospitals as one of the leading threats to patients in 2024.

• Read more: Health leaders ask Congress for help with cybersecurity