Health system leaders know the financial risks of cyberattacks, as shown by the Change Healthcare attack. Now, they are seeing cybersecurity is essential to protecting patients.
The Change Healthcare cyberattack has shown that such attacks can be costly to hospitals and other providers, but they also pose a grave risk to patient care.
About 3 in 4 hospitals (74%) said the Change Healthcare ransomware attack has interfered with patient care, according to a survey released last week by the American Hospital Association. Some hospitals point to delays in patient care due to disruptions in securing approval from insurers. In announcing an investigation of the attack, federal officials cited “a direct threat to critically needed patient care.”
Even before the Change Healthcare attack, cybersecurity leaders have been pushing the hospital industry to view ransomware attacks as direct threats to patient safety. Healthcare leaders are gaining a greater understanding that cyberattacks can lead to delays in care.
Jeff Tully, co-director of the Center for Healthcare Cybersecurity at University of California San Diego Health, talked about the ripple effects of cyberattacks on neighboring hospitals during a presentation at the HIMSS Global Health Conference & Exhibition.
“Everybody in this room pretty much takes for granted that cybersecurity is patient safety,” Tully said.
Growing understanding
Other healthcare leaders at the HIMSS Conference say that hospitals have a deeper understanding of cybersecurity and the threat of ransomware attacks to patient safety.
Blaine Hebert, vice president and chief information security officer of Yuma Regional Medical Center, said he has seen more discussion about cybersecurity in terms of protecting patients. “I think that has shifted,” Hebert told Chief Healthcare Executive® at the HIMSS conference.
“People are becoming more familiar with what it is and how its impact negatively impacting healthcare,” he said.
Lee Kim, senior principal of cybersecurity and privacy for HIMSS, said she sees a more awareness of the risks to the health of patients.
“Patient safety is a real concern and we're finally understanding that in terms of cybersecurity,” Kim said.
Cyberattacks have resulted in health systems having to move from their electronic health records, which include all their data on patients, to using paper. CommonSpirit Health had to take its records offline at some hospitals during a 2022 cyberattack.
Some hospitals have had to send patients to other facilities due to attacks. Ardent Health Services, the for-profit hospital system, had to temporarily divert ambulances for a few days and delay some elective surgical procedures due to a cyberattack last November.
Steve Cagle, CEO of Clearwater, a cybersecurity firm, said a few years ago, some healthcare leaders weren’t recognizing that cyberattacks could harm patients. But Cagle said it’s hard to argue that patients aren’t impacted by cyberattacks.
“Cybersecurity is patient safety,” Cagle said. “We've seen many examples, unfortunately, of hospitals having to either shut down their infrastructure or they've been taken down by ransomware. And when that happened, they’ve had to, in some cases, divert ambulances to other hospitals. So there's a delay in emergency care. Your test results are not available. Tests can't be conducted. Procedures have to be delayed.”
But Cagle also said he’s seeing healthcare leaders see the link to cybersecurity and the safety of patients. “I do think people are getting that, and that patients have to be the center of everything that we do,” Cagle said.
ECRI, a nonprofit organization focused on patient safety, identified ransomware attacks on hospitals as one of the leading threats to patients in 2024.
Marcus Schabacker, MD, president and CEO of ECRI, told Chief Healthcare Executive® in a January interview that there needs to be greater focus on cybersecurity from a patient safety perspective.
“There is a true patient risk as well, because if they shut down your internet, your WiFi, for example, you’re losing all your data on your patients if you are heavily connected, which most larger healthcare institutions are today,” he said.
The impact of attacks
When Scripps Health suffered a ransomware attack in 2021, stroke patients ended up being transferred to other hospitals in the San Diego area, researchers at the University of California San Diego found. The findings were published on Jama Network Open last spring.
Other nearby hospitals in San Diego saw an influx of patients in their emergency departments, said Christian Dameff, an emergency physician and co-director of the Center for Healthcare Cybersecurity at University of California San Diego Health. Patients had to wait longer for emergency care, and some ended up leaving without being seen.
“We saw far more patients than we normally do,” Dameff said at the HIMSS conference. “We were flooded.”
The other San Diego hospitals also treated more stroke patients during the ransomware attack, their study found. In the four weeks before the attack, they treated 60 stroke patients, but due to transfers during the ransomware attack, the other hospitals treated 103 stroke patients in four weeks.
“People don't stop having strokes just because of a ransomware attack,” Dameff said.
Similar attacks at rural hospitals, which may be the only hospital within hours in some areas, could be devastating, Dameff said. “Your patients are going to suffer because it means it's going to be hours or days before they get care,” he said. “And that's really bad for things like strokes, heart attacks, trauma.”
Saying there’s a dearth of data on the impact of cyberattacks on patients, Dameff and Tully called on other healthcare leaders to provide more data on the impact of attacks on patient care and services. They noted more data will also help shed important insights of the dangers of attacks to patient safety.
At Yuma Regional Medical Center, Hebert said he stresses to the members of the cybersecurity team that their role is to protect patient care.
“We are here to directly support our patients and the safety and well-being of our patients,” Hebert said. “And our organization showed that's paramount with regard to what we do each day, day in and day out. So I think that everything we do is patient-centric.”